Guide to the Secure Configuration of Red Hat Enterprise Linux 7
with profile DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R1. In addition to being applicable to RHEL7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based off RHEL7, such as RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat Storage deployments.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
This benchmark is a direct port of a SCAP Security Guide benchmark developed for Red Hat Enterprise Linux. It has been modified through an automated process to remove specific dependencies on Red Hat Enterprise Linux and to function with CentOS. The result is a generally useful SCAP Security Guide benchmark with the following caveats:
- CentOS is not an exact copy of Red Hat Enterprise Linux. There may be configuration differences that produce false positives and/or false negatives. If this occurs please file a bug report.
- CentOS has its own build system, compiler options, patchsets, and is a community supported, non-commercial operating system. CentOS does not inherit certifications or evaluations from Red Hat Enterprise Linux. As such, some configuration rules (such as those requiring FIPS 140-2 encryption) will continue to fail on CentOS.
Members of the CentOS community are invited to participate in OpenSCAP and SCAP Security Guide development. Bug reports and patches can be sent to GitHub: https://github.com/OpenSCAP/scap-security-guide. The mailing list is at https://fedorahosted.org/mailman/listinfo/scap-security-guide.
Evaluation Characteristics
Characteristic | Value
---|---
Target machine | centos
Benchmark URL | rhel7-xccdf.xml
Benchmark ID | xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID | xccdf_org.ssgproject.content_profile_stig-rhel7-disa
Started at | 2017-10-21T14:38:40
Finished at | 2017-10-21T14:39:59
Performed by | root
CPE Platforms
- cpe:/o:centos:centos:7
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
Addresses
- IPv4 127.0.0.1
- IPv4 172.42.208.132
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:20c:29ff:fe99:8ed0
- MAC 00:00:00:00:00:00
- MAC 00:0C:29:99:8E:D0
Compliance and Scoring
Rule results (chart)
Severity of failed rules (chart)
Score
Scoring system | Score | Maximum | Percent
---|---|---|---
urn:xccdf:scoring:default | 68.158012 | 100.000000 | 68.16%
Rule Overview
Result Details
Ensure /tmp Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp
Result | fail
Time | 2017-10-21T14:38:42
Severity | low
Identifiers and References | References: SC-32(1), 366, SRG-OS-000480-GPOS-00227, 1.1.1
Description | The
Rationale | The
OVAL details | Items not found violating "/tmp on own partition": object oval:ssg-object_own_tmp_partition:obj:1 of type partition_object
Ensure /var Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var
Result | fail
Time | 2017-10-21T14:38:42
Severity | low
Identifiers and References | References: SC-32(1), 1.1.5, 366, SRG-OS-000480-GPOS-00227
Description | The
Rationale | Ensuring that
OVAL details | Items not found violating "/var on own partition": object oval:ssg-object_mount_var_own_partition:obj:1 of type partition_object
Ensure /var/log Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log
Result | notselected
Time | 2017-10-21T14:38:42
Severity | low
Identifiers and References | References: AU-9, SC-32, http://iase.disa.mil/stigs/cci/Pages/index.aspx, 1.1.7
Description | System logs are stored in the
Rationale | Placing
Ensure /var/log/audit Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result | fail
Time | 2017-10-21T14:38:42
Severity | low
Identifiers and References | References: AU-4, AU-9, SC-32(1), 366, 1.1.8, SRG-OS-000480-GPOS-00227
Description | Audit logs are stored in the
Rationale | Placing
OVAL details | Items not found violating "check for /var/log/audit partition": object oval:ssg-object_mount_var_log_audit_own_partition:obj:1 of type partition_object
Ensure /home Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home
Result | fail
Time | 2017-10-21T14:38:42
Severity | low
Identifiers and References | References: SC-32(1), 366, 1208, 1.1.9, SRG-OS-000480-GPOS-00227
Description | If user home directories will be stored locally, create a separate partition for
Rationale | Ensuring that
OVAL details | Items not found violating "/home on own partition": object oval:ssg-object_mount_home_own_partition:obj:1 of type partition_object
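The five partition rules above all reduce to the same question the OVAL partition_object asks: is the path an independent mount, rather than a directory living on its parent's filesystem? The following script, added here as an example and not part of the SCAP Security Guide content, answers it from a file in /proc/mounts format, so the same check runs against a captured copy or against the live /proc/mounts. The sample mount table is constructed for the demo and deliberately omits /var/log/audit and /home, which is the state the report above found.

```shell
#!/bin/sh
# Added example (not SSG content): report which STIG-relevant mount points are not
# separate mounts. Input is in /proc/mounts format: device mountpoint fstype options dump pass.

# Constructed sample; /var/log/audit and /home are deliberately absent.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/mapper/centos-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
/dev/mapper/centos-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/centos-var /var xfs rw,relatime 0 0
/dev/mapper/centos-varlog /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# has_own_mount MOUNTS_FILE MOUNTPOINT -> 0 if MOUNTPOINT appears as a mount point
# in its own right. Field 2 is compared exactly, so a parent mount (/var for
# /var/log/audit) does not count. /proc/mounts escapes spaces in paths as \040,
# which is why splitting on whitespace is safe.
has_own_mount() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# missing_partitions MOUNTS_FILE -> prints, one per line, the mount points the
# partition_for_* rules expect but which are not separate mounts; returns 0 when
# none are missing and 1 otherwise.
missing_partitions() {
    local rc=0 mp
    for mp in /tmp /var /var/log /var/log/audit /home; do
        if ! has_own_mount "$1" "$mp"; then
            echo "$mp"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on the constructed sample; on a live host pass /proc/mounts instead.
demo=$(mktemp)
write_sample_mounts "$demo"
if missing_partitions "$demo" > /dev/null; then
    echo "all required mount points are separate partitions"
else
    echo "not on their own partition: $(missing_partitions "$demo" | tr '\n' ' ')"
fi
rm -f "$demo"
```

Because the comparison is on the mount point field alone, a bind mount or a tmpfs on /tmp also passes, which matches what the rule's OVAL object accepts; whether the mount options on that partition are restrictive enough is a separate concern the partition rules do not cover.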
Encrypt Partitions
Rule ID | xccdf_org.ssgproject.content_rule_encrypt_partitions |
Result | notselected |
Time | 2017-10-21T14:38:42 |
Severity | high |
Identifiers and References | References: SC-13, SC-28(1), 1199, 2476, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, 3.13.16 |
Description | Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.
Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html
Rationale | The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. |
Ensure Red Hat GPG Key Installed
Rule ID | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed |
Result | notselected |
Time | 2017-10-21T14:38:42 |
Severity | high |
Identifiers and References | References: CM-5(3), SI-7, MA-1(b), 1749, 366, Req-6.2, 1.2.2, 5.10.4.1, 3.4.8 |
Description | To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:
$ sudo rhn_register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Rationale | Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. |
Ensure gpgcheck Enabled In Main Yum Configuration
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result | pass
Time | 2017-10-21T14:38:42
Severity | high
Identifiers and References | References: CM-5(3), SI-7, MA-1(b), 1749, SRG-OS-000366-GPOS-00153, Req-6.2, 1.2.3, 5.10.4.1, 3.4.8
Description | The gpgcheck=1
Rationale | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
OVAL details | Items not found satisfying "check value of gpgcheck in /etc/dnf/dnf.conf": object oval:ssg-object_dnf_ensure_gpgcheck_globally_activated:obj:1 of type textfilecontent54_object
Items found satisfying "check value of gpgcheck in /etc/yum.conf".
Ensure gpgcheck Enabled For All Yum Package Repositories
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
Result | notselected |
Time | 2017-10-21T14:38:42 |
Severity | high |
Identifiers and References | References: CM-5(3), SI-7, MA-1(b), 1749, 366, Req-6.2, 5.10.4.1, 3.4.8 |
Description | To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form gpgcheck=0.
Rationale | Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
Ensure Software Patches Installed
Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
Result | notchecked |
Time | 2017-10-21T14:38:42 |
Severity | high |
Identifiers and References | References: SI-2, SI-2(c), MA-1(b), 366, Req-6.2, 1.7, SRG-OS-000480-GPOS-00227, 5.10.4.1 |
Description | If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Rationale | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. |
Ensure YUM Removes Previous Package Versions
Rule ID | xccdf_org.ssgproject.content_rule_clean_components_post_updating
Result | pass
Time | 2017-10-21T14:38:42
Severity | low
Identifiers and References | References: SI-2(6), 2617, SRG-OS-000437-GPOS-00194, 3.4.8
Description |
Rationale | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
OVAL details | Items found satisfying "check value of clean_requirements_on_remove in /etc/yum.conf".
Ensure gpgcheck Enabled for Local Packages
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
Result | pass
Time | 2017-10-21T14:38:42
Severity | high
Identifiers and References | References: CM-5(3), 1749, SRG-OS-000366-GPOS-00153, 3.4.8
Description |
Rationale | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
OVAL details | Items found satisfying "check value of localpkg_gpgcheck in /etc/yum.conf".
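The three gpgcheck rules and the clean_requirements_on_remove rule are all line matches in /etc/yum.conf and /etc/yum.repos.d/*.repo, and the second of them exists because a repository file that sets gpgcheck=0 overrides the global setting that the first rule checks, so a pass on /etc/yum.conf alone proves little. The following script, added here as an example and not SCAP Security Guide code, audits all four settings under a configuration root, which can be a scratch directory as in the demo or / on a live host. The sample tree, including the weak.repo file that disables signature checking, is constructed.

```shell
#!/bin/sh
# Added example (not SSG content): audit yum's signature-checking settings under a
# configuration root ROOT, i.e. ROOT/etc/yum.conf and ROOT/etc/yum.repos.d/*.repo.

# Constructed sample tree. weak.repo deliberately turns signature checking off,
# which is exactly the override that a pass on /etc/yum.conf alone would miss.
write_sample_yum_tree() {
    mkdir -p "$1/etc/yum.repos.d"
    cat > "$1/etc/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
localpkg_gpgcheck=1
clean_requirements_on_remove=1
EOF
    cat > "$1/etc/yum.repos.d/base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
    cat > "$1/etc/yum.repos.d/weak.repo" <<'EOF'
[internal-mirror]
name=Internal mirror (constructed)
baseurl=http://mirror.example.internal/centos/7/os/x86_64/
gpgcheck = 0
EOF
}

# conf_value FILE KEY -> prints KEY's value from the [main] section of FILE.
# Accepts "key = value" spacing; if the key is repeated the last value wins,
# which is how yum reads it. Prints an empty line when the key is absent.
conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[main\]/) }
        insec && $1 ~ "^[[:space:]]*" key "[[:space:]]*$" {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v
        }
        END { print val }' "$1"
}

# audit_gpgcheck ROOT -> prints one finding per line; returns 0 if clean, 1 otherwise.
audit_gpgcheck() {
    local root="$1" rc=0 key f
    for key in gpgcheck localpkg_gpgcheck clean_requirements_on_remove; do
        if [ "$(conf_value "$root/etc/yum.conf" "$key")" != 1 ]; then
            echo "yum.conf: $key is not set to 1"
            rc=1
        fi
    done
    # A per-repository gpgcheck=0 overrides the [main] default for that repository.
    for f in "$root"/etc/yum.repos.d/*.repo; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$f"; then
            echo "${f#$root}: gpgcheck=0 overrides the global setting"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on the constructed tree; on a live host call: audit_gpgcheck /
demo=$(mktemp -d)
write_sample_yum_tree "$demo"
if audit_gpgcheck "$demo"; then echo "yum signature checking: OK"; fi
rm -rf "$demo"
```

The repository loop only flags an explicit gpgcheck=0; a repository with no gpgcheck line inherits the [main] value, which the first loop has already verified, so the two checks together cover every repository that yum will consult.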
Install AIDE
Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
Result | notselected |
Time | 2017-10-21T14:38:42 |
Severity | medium |
Identifiers and References | References: CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-11.5, 1.3.1, 5.10.1.3 |
Description | Install the AIDE package with the command:
$ sudo yum install aide
Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
Build and Test AIDE Database
Rule ID | xccdf_org.ssgproject.content_rule_aide_build_database |
Result | notselected |
Time | 2017-10-21T14:38:42 |
Severity | medium |
Identifiers and References | References: CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 5.10.1.3 |
Description | Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files) in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
Rationale | For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. |
Configure Periodic Execution of AIDE
Rule ID | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result | fail
Time | 2017-10-21T14:38:42
Severity | medium
Identifiers and References | References: CM-3(d), CM-3(e), CM-3(5), CM-6(d), CM-6(3), SC-28, SI-7, 1744, Req-11.5, 1.3.1, SRG-OS-000363-GPOS-00150, 5.10.1.3
Description | At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
Rationale | By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
OVAL details | Items found violating "run aide daily with cron".
Items not found violating "run aide daily with cron": object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
Items not found violating "run aide daily with cron": object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
Items not found violating "run aide daily with cron.(daily|weekly|monthly)": object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
Remediation | Shell script
Configure Notification of Post-AIDE Scan Details
Rule ID | xccdf_org.ssgproject.content_rule_aide_scan_notification
Result | fail
Time | 2017-10-21T14:38:42
Severity | medium
Identifiers and References | References: CM-3(5), 1744, SRG-OS-000363-GPOS-00150
Description | AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following to the existing AIDE line:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
Rationale | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
OVAL details | Items not found violating "notify personnel when aide completes": object oval:ssg-object_test_aide_scan_notification:obj:1 of type textfilecontent54_object
Items not found violating "notify personnel when aide completes": object oval:ssg-object_aide_var_cron_notification:obj:1 of type textfilecontent54_object
Items not found violating "notify personnel when aide completes in cron.(daily|weekly|monthly)": object oval:ssg-object_aide_crontabs_notification:obj:1 of type textfilecontent54_object
Remediation | Shell script
Configure AIDE to Verify Access Control Lists (ACLs)
Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_acls
Result | fail
Time | 2017-10-21T14:38:42
Severity | medium
Identifiers and References | References: SI-7.1, 366, SRG-OS-000480-GPOS-00227
Description | By default, the FIPSR rule group in /etc/aide.conf includes acl:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
Rationale | ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
OVAL details | Items not found violating "acl is set in /etc/aide.conf": object oval:ssg-object_aide_verify_acls:obj:1 of type textfilecontent54_object
State oval:ssg-state_aide_verify_acls:ste:1 of type textfilecontent54_state
Remediation | Shell script
Configure AIDE to Verify Extended Attributes
Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
Result | fail
Time | 2017-10-21T14:38:42
Severity | medium
Identifiers and References | References: SI-7.1, 366, SRG-OS-000480-GPOS-00227
Description | By default, the FIPSR rule group in /etc/aide.conf includes xattrs:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
Rationale | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
OVAL details | Items not found violating "xattrs is set in /etc/aide.conf": object oval:ssg-object_aide_verify_ext_attributes:obj:1 of type textfilecontent54_object
State oval:ssg-state_aide_verify_ext_attributes:ste:1 of type textfilecontent54_state
Remediation | Shell script
Configure AIDE to Use FIPS 140-2 for Validating Hashes
Rule ID | xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
Result | fail
Time | 2017-10-21T14:38:42
Severity | medium
Identifiers and References | References: SI-7(1), 366, SRG-OS-000480-GPOS-00227, 3.13.11
Description | By default, the NORMAL rule group in /etc/aide.conf extends FIPSR with sha512:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
Rationale | File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
OVAL details | Items not found violating "Verify non-FIPS hashes are not configured in /etc/aide.conf": object oval:ssg-object_aide_non_fips_hashes:obj:1 of type textfilecontent54_object
Items not found violating "Verify FIPS hashes are configured in /etc/aide.conf": object oval:ssg-object_aide_use_fips_hashes:obj:1 of type textfilecontent54_object
State oval:ssg-state_aide_use_fips_hashes:ste:1 of type textfilecontent54_state
Remediation | Shell script
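The two cron rules (periodic execution and mail notification) and the three /etc/aide.conf rules (acl, xattrs, FIPS hashes) are each a regular-expression match in the SSG OVAL, and a gap in either file leaves AIDE installed but useless: without the cron entry it never runs, without the mail pipe nobody reads the result, and a rule group that still carries md5 hashes what it watches with a non-approved digest. The script below, added as an example and not taken from the SCAP Security Guide, audits a crontab and an aide.conf whose paths are passed in, so it runs against constructed copies here or against /etc/crontab and /etc/aide.conf on a host. Both sample files are constructed; the LEGACY rule group with md5 is included so the hash check has something to flag. Two assumptions are worth stating: the script treats only md5 and crc32 as non-FIPS hashes (neither is FIPS 140-2 approved, but the SSG's exact list is not reproduced), and rule_has matches tokens literally without expanding one group's reference to another (NORMAL = FIPSR+sha512), which is why both groups are consulted for a FIPS hash.

```shell
#!/bin/sh
# Added example (not SSG content): audit AIDE scheduling (crontab) and rule settings
# (aide.conf) for the five AIDE rules. Paths are parameters so it runs on copies.

write_sample_crontab() {
    cat > "$1" <<'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# daily AIDE run, results mailed to the local root mailbox
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
EOF
}

write_sample_aide_conf() {
    cat > "$1" <<'EOF'
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
LEGACY = p+i+n+u+g+s+m+c+md5
/boot   NORMAL
/bin    NORMAL
/etc    LEGACY
EOF
}

# aide_scheduled CRONTAB -> 0 if a system-crontab line (5 time fields, user, command)
# runs "aide --check", whether daily or weekly.
aide_scheduled() {
    grep -Eq '^[[:space:]]*[0-9*,/-]+([[:space:]]+[0-9*,/-]+){4}[[:space:]]+root[[:space:]]+(/usr/sbin/)?aide[[:space:]]+--check' "$1"
}

# aide_notifies CRONTAB -> 0 if the aide line pipes its output into mail/mailx.
aide_notifies() {
    grep -E 'aide[[:space:]]+--check' "$1" | grep -Eq '[|][[:space:]]*(/usr/bin/|/bin/)?mailx?'
}

# rule_has AIDE_CONF GROUP TOKEN -> 0 if "GROUP = a+b+c" lists TOKEN. Literal only:
# a group that references another group (NORMAL = FIPSR+sha512) is not expanded.
rule_has() {
    awk -F= -v grp="$2" -v tok="$3" '
        $1 ~ "^[[:space:]]*" grp "[[:space:]]*$" {
            n = split($2, parts, "+")
            for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", parts[i]); if (parts[i] == tok) found = 1 }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# weak_hash_groups AIDE_CONF -> prints the name of every rule group that includes
# md5 or crc32 (neither is a FIPS 140-2 approved hash); always returns 0.
weak_hash_groups() {
    awk -F= '
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            n = split($2, parts, "+")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", parts[i])
                if (parts[i] == "md5" || parts[i] == "crc32") { g = $1; gsub(/[[:space:]]/, "", g); print g; break }
            }
        }' "$1"
}

# audit_aide CRONTAB AIDE_CONF -> one finding per line; 0 if clean, 1 otherwise.
audit_aide() {
    local rc=0 weak g
    aide_scheduled "$1" || { echo "no cron entry runs aide --check"; rc=1; }
    aide_notifies "$1"  || { echo "aide cron entry does not mail its results"; rc=1; }
    rule_has "$2" FIPSR acl    || { echo "FIPSR does not include acl"; rc=1; }
    rule_has "$2" FIPSR xattrs || { echo "FIPSR does not include xattrs"; rc=1; }
    rule_has "$2" FIPSR sha256 || rule_has "$2" NORMAL sha512 \
        || { echo "neither FIPSR nor NORMAL carries a FIPS hash (sha256/sha512)"; rc=1; }
    weak=$(weak_hash_groups "$2")
    for g in $weak; do
        echo "non-FIPS hash in rule group: $g"
        rc=1
    done
    return $rc
}

# Stand-alone demo on the constructed files; on a host pass /etc/crontab /etc/aide.conf.
c=$(mktemp); a=$(mktemp)
write_sample_crontab "$c"; write_sample_aide_conf "$a"
if audit_aide "$c" "$a"; then echo "AIDE configuration: OK"; fi
rm -f "$c" "$a"
```

The OVAL objects listed above also look in /etc/cron.d, /var/spool/cron and /etc/cron.{daily,weekly,monthly}; this script covers only the system crontab format, so a job installed as a script under /etc/cron.daily would need the directory listed and the script's contents checked instead of the five-field pattern.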
Verify File Hashes with RPM
Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Result | pass
Time | 2017-10-21T14:39:27
Severity | high
Identifiers and References | References: CM-6(d), CM-6(3), SI-7(1), 663, Req-11.5, 1.2.6, SRG-OS-000480-GPOS-00227, 5.10.4.1, 3.3.8, 3.4.1
Description | Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
Rationale | The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
OVAL details | Items not found satisfying "verify file md5 hashes": object oval:ssg-object_files_fail_md5_hash:obj:1 of type rpmverifyfile_object
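The grep '^..5' in the description lists every digest mismatch, configuration files included, so a cron job built directly on it alerts on every edited file under /etc. The script below, added here as an example and not SCAP Security Guide code, parses the same rpm -Va output but separates %config files (the "c" attribute column the description refers to) from everything else, and exits non-zero only for the latter. The sample rpm -Va output is constructed; the /usr/bin/ssh line with a changed digest is the kind of finding that calls for rpm -qf and a reinstall.

```shell
#!/bin/sh
# Added example (not SSG content): triage `rpm -Va` output. Each line is a 9-character
# flag field, an attribute column ("c" for %config files, blank otherwise) and the path;
# flag 3 is "5" when the file's digest differs from the RPM database.

# Constructed sample of `rpm -Va` output (on a host: rpm -Va > FILE).
write_sample_rpm_va() {
    cat > "$1" <<'EOF'
.M.......  g /var/log/lastlog
S.5....T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/yum.conf
S.5....T.    /usr/bin/ssh
.......T.    /usr/share/doc/bash-4.2.46/README
missing     /etc/cron.daily/aide
EOF
}

# digest_mismatches INPUT -> for every line whose digest flag is set, prints
# "config PATH" or "file PATH". "missing" lines are a separate finding and skipped.
# Paths containing spaces are not handled (rpm prints them unescaped).
digest_mismatches() {
    awk '
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" {
            kind = ($2 == "c") ? "config" : "file"
            print kind, $NF
        }' "$1"
}

# unexpected_digest_changes INPUT -> prints the non-config paths whose digest changed;
# returns 0 when there are none, 1 otherwise (usable directly as a cron job's exit status).
unexpected_digest_changes() {
    digest_mismatches "$1" | awk '$1 == "file" { print $2; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
write_sample_rpm_va "$demo"
echo "digest mismatches (all):"; digest_mismatches "$demo"
if unexpected_digest_changes "$demo" > /dev/null; then
    echo "no unexpected changes"
else
    echo "investigate (rpm -qf, then yum reinstall): $(unexpected_digest_changes "$demo" | tr '\n' ' ')"
fi
rm -f "$demo"
```

Two caveats a practitioner should keep in mind: rpm -Va compares against the local RPM database, so an attacker who can rewrite /var/lib/rpm can make a trojaned binary verify cleanly, which is why the AIDE rules above keep an independent baseline; and a changed config file is only "expected" if someone on the team actually changed it, so the config lines deserve a glance even though they are not an alert condition here.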
Install the Host Intrusion Prevention System (HIPS) Module
Rule ID | xccdf_org.ssgproject.content_rule_install_mcafee_hbss_hips |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: SC-7, SI-4(1).1, 366, 1263, Req-11.4, SRG-OS-000480-GPOS-00227
Description | Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.
Rationale | Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.
Warnings | Installing and enabling this module conflicts with SELinux. Per DoD/DISA guidance, SELinux takes precedence over this module.
Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.
Install the Asset Configuration Compliance Module (ACCM)
Rule ID | xccdf_org.ssgproject.content_rule_install_mcafee_hbss_accm |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: SC-7, SI-4(1).1, 366, 1263, Req-11.4, SRG-OS-000480-GPOS-00227
Description | Install the Asset Configuration Compliance Module (ACCM).
Rationale | Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.
Warnings | Due to HBSS ACCM being 3rd party software, automated remediation is not available for this configuration check.
Install the Policy Auditor (PA) Module
Rule ID | xccdf_org.ssgproject.content_rule_install_mcafee_hbss_pa |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: SC-7, SI-4(1).1, 366, 1263, Req-11.4, SRG-OS-000480-GPOS-00227
Description | Install the Policy Auditor (PA) Module.
Rationale | Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.
Warnings | Due to McAfee being 3rd party software, automated remediation is not available for this configuration check.
Install the McAfee Runtime Libraries and Linux Agent
Rule ID | xccdf_org.ssgproject.content_rule_install_mcafee_cma_rt |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | |
Description | Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma). |
Rationale | The McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are dependencies for VirusScan Enterprise for Linux (VSEL) and Host-based Security System (HBSS) to run. |
Install McAfee Virus Scanning Software
Rule ID | xccdf_org.ssgproject.content_rule_install_mcafee_antivirus
Result | fail
Time | 2017-10-21T14:39:27
Severity | high
Identifiers and References | References: SC-28, SI-3, SI-3(1)(ii), 366, 1239, 1668, SRG-OS-000480-GPOS-00227
Description | Install McAfee VirusScan Enterprise for Linux antivirus software, which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.
Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Warnings | Due to McAfee VirusScan being 3rd party software, automated remediation is not available for this configuration check.
OVAL details | Items not found violating "AntiVirus package is installed": object oval:ssg-obj_linuxshield_install_antivirus:obj:1 of type rpminfo_object
Enable nails Service
Rule ID | xccdf_org.ssgproject.content_rule_service_nails_enabled |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: SC-28, SI-3, SI-3(1)(ii), 366, 1239, 1668, SRG-OS-000480-GPOS-00227 |
Description | The nails service can be enabled with the following command:
$ sudo systemctl enable nails.service
Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
Virus Scanning Software Definitions Are Updated
Rule ID | xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated |
Result | notchecked |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: SC-28, SI-3, SI-3(1)(ii), 366, 1239, 1668, SRG-OS-000480-GPOS-00227 |
Description | Ensure virus definition files are no older than 7 days or their last release. |
Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
Install Intrusion Detection Software
Rule ID | xccdf_org.ssgproject.content_rule_install_hids |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | |
Description | The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. |
Rationale | Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network. |
Warnings | Note in DoD environments, supplemental intrusion detection tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence.
Install Virus Scanning Software
Rule ID | xccdf_org.ssgproject.content_rule_install_antivirus |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | |
Description | Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail. |
Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
Install the dracut-fips Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: AC-17(2), 68, 2450, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, 5.10.1.2, 3.13.11, 3.13.8 |
Description | To enable FIPS, the system requires that the dracut-fips package be installed:
$ sudo yum install dracut-fips
Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
Enable FIPS Mode in GRUB2
Rule ID | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
Result | fail
Time | 2017-10-21T14:39:27
Severity | medium
Identifiers and References | References: AC-17(2), 68, 2450, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, 5.10.1.2, 3.13.8, 3.13.11
Description | To ensure FIPS mode is enabled, rebuild the initramfs:
dracut -f
After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command as follows:
Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings | Running dracut -f will overwrite the existing initramfs file.
The system needs to be rebooted for these changes to take effect.
The ability to enable FIPS does not denote FIPS compliancy or certification. Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors.
OVAL details | Items found violating "check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX".
Items not found violating "check for GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub": object oval:ssg-object_grub2_default_exists:obj:1 of type textfilecontent54_object
Items not found violating "check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT": object oval:ssg-object_grub2_enable_fips_mode_default:obj:1 of type textfilecontent54_object
State oval:ssg-state_grub2_enable_fips_mode:ste:1 of type textfilecontent54_state
Remediation | Shell script
The Installed Operating System Is Vendor Supported and Certified
Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_certified |
Result | fail |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | References: SI-2(c), 366, SRG-OS-000480-GPOS-00227 |
Description | The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining government certifications and standards. |
Rationale | An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issues discovered in the system software or to meet government certifications. |
Disable Prelinking
Rule ID | xccdf_org.ssgproject.content_rule_disable_prelink |
Result | notselected |
Time | 2017-10-21T14:38:42 |
Severity | low |
Identifiers and References | References: CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 5.10.1.3, 3.13.11 |
Description |
The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the prelink configuration file:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state: $ sudo /usr/sbin/prelink -ua
|
Rationale | Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc. |
Disable GDM Automatic Login
Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
Result | pass |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | References: CM-6(b), 366, SRG-OS-000480-GPOS-00229, 3.1.1 |
Description |
The GNOME Display Manager (GDM) can allow users to log in automatically without user interaction or credentials. Users should always be required to authenticate themselves to the system that they are authorized to use. To disable the ability of users to log in to the system automatically, set the following in the [daemon] section of the GDM configuration:
AutomaticLoginEnable=false
|
Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. |
OVAL details |
Items not found satisfying Disable GDM Automatic Login: Object oval:ssg-obj_disable_automatic_login:obj:1 of type textfilecontent54_object
|
Disable GDM Guest Login
Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login |
Result | pass |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | References: CM-6(b), 366, SRG-OS-000480-GPOS-00229, 3.1.1 |
Description |
The GNOME Display Manager (GDM) can allow users to log in without credentials, which can be useful for public kiosk scenarios. Allowing users to log in without credentials or with "guest" account access has inherent security risks and should be disabled. To disable timed logins or guest account access, set the following in the [daemon] section of the GDM configuration:
TimedLoginEnable=false
|
Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. |
OVAL details |
Items not found satisfying Disable GDM Guest Login: Object oval:ssg-obj_disable_guest_login:obj:1 of type textfilecontent54_object
|
Disable the GNOME3 Login User List
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: AC-23 |
Description |
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting the following:
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.
|
Rationale | Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. |
Disable the GNOME3 Login Restart and Shutdown Buttons
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227, 3.1.2 |
Description |
In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, to shut down or restart the system. This functionality should be disabled by setting the following:
[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update.
|
Rationale | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. |
Enable the GNOME3 Login Smartcard Authentication
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | |
Description |
In the default graphical environment, smart card authentication can be enabled on the login screen by setting the following:
[org/gnome/login-screen]
enable-smartcard-authentication=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/enable-smartcard-authentication
After the settings have been set, run dconf update.
|
Rationale | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. |
Set the GNOME3 Login Number of Failures
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: 3.1.8 |
Description |
In the default graphical environment, the GNOME3 login screen can be configured to restart the authentication process after a configured number of attempts. This can be configured by setting the following:
[org/gnome/login-screen]
allowed-failures=3
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/allowed-failures
After the settings have been set, run dconf update.
|
Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. |
Set GNOME3 Screensaver Inactivity Timeout
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
Result | pass |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: AC-11(a), 57, Req-8.1.8, SRG-OS-000029-GPOS-00010, 5.5.5, 3.1.10 |
Description |
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting. For example:
[org/gnome/desktop/session]
idle-delay='uint32 900'
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
|
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. |
OVAL details |
Items not found satisfying screensaver idle delay is configured: Object oval:ssg-obj_screensaver_idle_delay:obj:1 of type textfilecontent54_object
Items not found satisfying user cannot change screensaver idle delay: Object oval:ssg-obj_prevent_user_change_idle_delay:obj:1 of type textfilecontent54_object
Items not found satisfying screensaver idle delay setting is correct: Object oval:ssg-obj_screensaver_idle_delay_setting:obj:1 of type textfilecontent54_object
State oval:ssg-state_screensaver_idle_delay_setting:ste:1 of type textfilecontent54_state
|
Enable GNOME3 Screensaver Idle Activation
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled |
Result | pass |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: AC-11(a), 57, SRG-OS-000029-GPOS-00010, Req-8.1.8, 5.5.5, 3.1.10 |
Description |
To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set the following:
[org/gnome/desktop/screensaver]
idle_activation_enabled=true
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
|
Rationale |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock.
|
OVAL details |
Items not found satisfying idle delay is configured: Object oval:ssg-obj_screensaver_idle_activation_enabled:obj:1 of type textfilecontent54_object
Items not found satisfying user cannot change idle_activation_enabled: Object oval:ssg-obj_prevent_user_change_idle_activation_enabled:obj:1 of type textfilecontent54_object
|
Enable GNOME3 Screensaver Lock After Idle Period
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
Result | pass |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: AC-11(b), 56, Req-8.1.8, SRG-OS-000028-GPOS-00009, OS-SRG-000030-GPOS-00011, 5.5.5, 3.1.10 |
Description |
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set the following:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
|
Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence. |
OVAL details |
Items not found satisfying screensaver lock is enabled: Object oval:ssg-obj_screensaver_lock_enabled:obj:1 of type textfilecontent54_object
Items not found satisfying screensaver lock cannot be changed by user: Object oval:ssg-obj_prevent_user_screensaver_lock:obj:1 of type textfilecontent54_object
Items not found satisfying screensaver lock is set correctly: Object oval:ssg-obj_screensaver_enabled_lock_delay:obj:1 of type textfilecontent54_object
Items not found satisfying screensaver lock delay cannot be changed by user: Object oval:ssg-obj_prevent_user_lock_delay_locked:obj:1 of type textfilecontent54_object
|
Set GNOME3 Screensaver Lock Delay After Activation Period
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay |
Result | pass |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: AC-11(a), 56, Req-8.1.8, OS-SRG-000029-GPOS-00010, 3.1.10 |
Description |
To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set the following:
[org/gnome/desktop/screensaver]
lock-delay=uint32 0
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
|
Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence. |
OVAL details |
Items not found satisfying screensaver lock is set correctly: Object oval:ssg-obj_screensaver_lock_delay:obj:1 of type textfilecontent54_object
Items not found satisfying screensaver lock delay cannot be changed by user: Object oval:ssg-obj_prevent_user_lock_delay:obj:1 of type textfilecontent54_object
|
Implement Blank Screensaver
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | low |
Identifiers and References | |
Description |
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set the following:
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
|
Rationale | Setting the screensaver mode to blank-only conceals the contents of the display from passersby. |
Disable Full User Name on Splash Shield
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | low |
Identifiers and References | |
Description |
By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be disabled by adding or setting the following:
[org/gnome/desktop/screensaver]
show-full-name-in-top-bar=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/show-full-name-in-top-bar
After the settings have been set, run dconf update.
|
Rationale | Setting the splash screen to not reveal the logged in user's name conceals who has access to the system from passersby. |
Ensure Users Cannot Change GNOME3 Session Settings
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_user_locks |
Result | pass |
Time | 2017-10-21T14:39:27 |
Severity | low |
Identifiers and References | References: AC-11(a), 57, SRG-OS-00029-GPOS-0010, 3.1.10 |
Description |
If not already configured, ensure that users cannot change GNOME3 session idle and lock settings by adding the following lock entries:
/org/gnome/desktop/screensaver/lock-delay
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
|
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. |
OVAL details |
Items not found satisfying user cannot change screensaver idle delay: Object oval:ssg-obj_user_change_idle_delay_lock:obj:1 of type textfilecontent54_object
Items not found satisfying screensaver lock delay cannot be changed by user: Object oval:ssg-obj_user_change_lock_delay_lock:obj:1 of type textfilecontent54_object
|
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227, 3.1.2 |
Description |
By default, pressing Ctrl-Alt-Del at the console reboots the system. To disable this key sequence in GNOME3, add or set the following:
[org/gnome/settings-daemon/plugins/media-keys]
logout=string ''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.
|
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Disable User Administration in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | References: 3.1.5 |
Description |
To disable user administration through the GNOME3 graphical interface, add or set the following:
[org/gnome/desktop/lockdown]
user-administration-disabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/lockdown/user-administration-disabled
After the settings have been set, run dconf update.
|
Rationale | Allowing all users to have some administrative capabilities on the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes as well as give a nefarious user the capability to make system changes such as adding new accounts, etc. |
Disable Power Settings in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_power_settings |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | |
Description |
To disable the GNOME3 power settings plugin, add or set the following:
[org/gnome/settings-daemon/plugins/power]
active=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/plugins/power
After the settings have been set, run dconf update.
|
Rationale | Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems. |
Disable Geolocation in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | |
Description |
To disable geolocation in GNOME3, add or set the following:
[org/gnome/system/location]
enabled=false
To configure the clock to disable location tracking, add or set geolocation to false in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/clocks]
geolocation=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/system/location/enabled
/org/gnome/clocks/geolocation
After the settings have been set, run dconf update.
|
Rationale | Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems. |
Disable WIFI Network Connection Creation in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: 3.1.16 |
Description |
To prevent general users from creating new WIFI connections in GNOME3, add or set the following:
[org/gnome/nm-applet]
disable-wifi-create=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/disable-wifi-create
After the settings have been set, run dconf update.
|
Rationale | Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. |
Disable WIFI Network Notification in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: 3.1.16 |
Description |
To suppress notifications of available wireless networks in GNOME3, add or set the following:
[org/gnome/nm-applet]
suppress-wireless-networks-available=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/suppress-wireless-networks-available
After the settings have been set, run dconf update.
|
Rationale | Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. |
Require Credential Prompting for Remote Access in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: 3.1.12 |
Description |
To require credential prompting for remote access (Vino) in GNOME3, add or set the following:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.
|
Rationale | Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely. |
Require Encryption for Remote Access in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | medium |
Identifiers and References | References: CM-2(1)(b), 366, SRG-OS-000480-GPOS-00227, 3.1.13 |
Description |
To require encryption for remote access (Vino) in GNOME3, add or set the following:
[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.
|
Rationale | Open X displays allow an attacker to capture keystrokes and to execute commands remotely. |
Disable GNOME3 Automounting
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | low |
Identifiers and References | |
Description |
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount and autorun within GNOME3, add or set the following:
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/auto-open
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
|
Rationale | Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. |
Disable All GNOME3 Thumbnailers
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | low |
Identifiers and References | References: CM-7 |
Description |
The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, add or set the following:
[org/gnome/desktop/thumbnailers]
disable-all=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/thumbnailers/disable-all
After the settings have been set, run dconf update.
This effectively prevents an attacker from gaining access to a system through a flaw in GNOME3's Nautilus thumbnail creators.
|
Rationale | An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required. |
Configure GNOME3 DConf User Profile
Rule ID | xccdf_org.ssgproject.content_rule_enable_dconf_user_profile |
Result | notselected |
Time | 2017-10-21T14:39:27 |
Severity | high |
Identifiers and References | |
Description |
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such, the DConf user profile should always exist and be configured correctly. The profile should list the following databases:
user-db:user
system-db:local
system-db:site
system-db:distro
|
Rationale | Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks. |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd |
Result | pass |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: IA-11, 2038, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 |
Description | The sudo NOPASSWD tag, when specified, allows a user to run commands through sudo without authenticating. It should not be present in /etc/sudoers or in any file under /etc/sudoers.d. |
Rationale |
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
OVAL details |
Items not found satisfying NOPASSWD does not exist /etc/sudoers: Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
Items not found satisfying NOPASSWD does not exist in /etc/sudoers.d: Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object
|
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate |
Result | pass |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: IA-11, 2038, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 |
Description | The sudo !authenticate option, when specified, allows a user to run commands through sudo without authenticating. It should not be present in /etc/sudoers or in any file under /etc/sudoers.d. |
Rationale |
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
OVAL details |
Items not found satisfying !authenticate does not exist in /etc/sudoers: Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
Items not found satisfying !authenticate does not exist in /etc/sudoers.d: Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
|
Add nodev Option to Non-Root Local Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | The |
Add nodev Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | The only legitimate location for device files is the |
Add noexec Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | References: AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 87, 1.1.12 |
Description | The |
Rationale | Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. |
Add nosuid Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions |
Result | pass |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | References: AC-6, AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 1.1.13, 366, SRG-OS-000480-GPOS-00227 |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. |
OVAL details |
Items not found satisfying 'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab: Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
State oval:ssg-state_nosuid_etc_fstab_cd_dvd_drive:ste:1 of type textfilecontent54_state
Items not found satisfying 'nosuid' mount option used for at least one CD / DVD drive alternative names in runtime configuration: Object oval:ssg-object_nosuid_runtime_cd_dvd_drive:obj:1 of type partition_object
Items not found satisfying Check if removable partition is configured with 'nosuid' mount option in /etc/fstab: Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
State oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
Items not found satisfying 'nosuid' mount option used for removable partition in runtime configuration: Object oval:ssg-object_nosuid_runtime_not_cd_dvd_drive:obj:1 of type partition_object
|
Add nodev Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
The nodev mount option prevents files on the filesystem from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp. |
Rationale | The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp. |
Rationale | Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise. |
Add nosuid Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the privileges of the owner/group of the file instead of their own. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp. |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nosuid Option to /home
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
Result | fail |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the privileges of the owner/group of the file instead of their own. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. |
OVAL details |
Items not found violating nosuid on /home:
  Object oval:ssg-object_home_nosuid_partition:obj:1 of type partition_object
  State oval:ssg-state_home_nosuid:ste:1 of type partition_state
A fail with no items found usually means /home is not a separate mount point on the scanned host, so there is no partition to carry the option; satisfying the rule then requires a separate /home filesystem, not only an /etc/fstab edit. |
Add nodev Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The nodev mount option prevents files on the filesystem from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. |
Rationale | The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. On Red Hat Enterprise Linux 7 systemd mounts /dev/shm early in boot with nosuid and nodev but without noexec, so an explicit /etc/fstab entry is needed for this option to be applied. |
Rationale | Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise. |
Add nosuid Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the privileges of the owner/group of the file instead of their own. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Bind Mount /var/tmp To /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line:
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
See the mount(8) man page for further explanation of bind mounting. Be aware that /var/tmp is defined to persist across reboots while /tmp need not (it is cleaned more aggressively and may be a tmpfs), so software that relies on /var/tmp surviving a reboot should be checked before applying this. |
Rationale | Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections. |
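The mount-option rules above all reduce to the same check: does the /etc/fstab entry (and the live mount) for a given mount point carry nodev, noexec and nosuid as required? The following shell script is an added example, not SCAP Security Guide code, that performs that check against a constructed fstab sample; SAMPLE_FSTAB, POLICY and the function names are ours.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit the mount options the
# rules above require, first in an fstab-style text and then, optionally, in
# the running mount table. The sample fstab and all function names are ours.

# Constructed sample /etc/fstab (not taken from a real host)
SAMPLE_FSTAB='# <device>     <mount point> <type> <options>                      <dump> <pass>
UUID=1111-aaaa /             xfs    defaults                       0 0
UUID=2222-bbbb /tmp          xfs    defaults,nodev                 0 0
UUID=3333-cccc /home         xfs    defaults,nodev,nosuid          0 0
tmpfs          /dev/shm      tmpfs  defaults,nodev,noexec,nosuid   0 0
/dev/sdb1      /media/usb    vfat   noauto,user                    0 0
/tmp           /var/tmp      none   rw,nodev,noexec,nosuid,bind    0 0'

# Required options per mount point, as the rules above state them
POLICY='/tmp nodev,noexec,nosuid
/home nosuid
/dev/shm nodev,noexec,nosuid
/media/usb nodev,noexec,nosuid'

# fstab_opts FSTAB_TEXT MOUNTPOINT -> fourth column of the matching line, or empty
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 !~ /^[[:space:]]*(#|$)/ && $2 == mp { print $4; exit }'
}

# runtime_opts MOUNTPOINT -> options of the live mount (empty if not mounted);
# this is the second half of what the OVAL checks above look at
runtime_opts() {
    findmnt -no OPTIONS "$1" 2>/dev/null
}

# missing_opts HAVE_CSV WANT_CSV -> space-separated wanted options absent from HAVE
missing_opts() {
    have=",$1,"
    missing=""
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case "$have" in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# audit_fstab FSTAB_TEXT -> one line per mount point that has no entry or is
# short of options; empty output means every policy line is satisfied
audit_fstab() {
    printf '%s\n' "$POLICY" | while read -r mp want; do
        opts=$(fstab_opts "$1" "$mp")
        if [ -z "$opts" ]; then
            printf '%s: no fstab entry\n' "$mp"
        else
            miss=$(missing_opts "$opts" "$want")
            [ -z "$miss" ] || printf '%s: missing %s\n' "$mp" "$miss"
        fi
    done
}

# Run against the embedded sample; on a real host use "$(cat /etc/fstab)"
audit_fstab "$SAMPLE_FSTAB"
```

The sample deliberately flags /media/usb although mount(8) makes the user option imply nodev, noexec and nosuid at mount time: a text-only check cannot see implied options, which is why the OVAL tests above also inspect the runtime table (compare missing_opts "$(runtime_opts /media/usb)" nodev,noexec,nosuid) and why stating the options explicitly in /etc/fstab is the safer configuration.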
Disable Modprobe Loading of USB Storage Driver
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
Result | fail |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-19(a), AC-19(d), AC-19(e), IA-3, 366, 778, 1958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 3.1.21 |
Description |
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually. |
Rationale | USB storage devices such as thumb drives can be used to introduce malicious software. |
OVAL details |
Items not found violating kernel module usb-storage disabled:
  Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type textfilecontent54_object
Items not found violating kernel module usb-storage disabled in /etc/modprobe.conf:
  Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type textfilecontent54_object
Items not found violating kernel module usb-storage disabled in /etc/modules-load.d:
  Object oval:ssg-obj_kernmod_usb-storage_etcmodules-load:obj:1 of type textfilecontent54_object
Items not found violating kernel module usb-storage disabled in /run/modules-load.d:
  Object oval:ssg-obj_kernmod_usb-storage_runmodules-load:obj:1 of type textfilecontent54_object
Items not found violating kernel module usb-storage disabled in /usr/lib/modules-load.d:
  Object oval:ssg-obj_kernmod_usb-storage_libmodules-load:obj:1 of type textfilecontent54_object
The fail here comes from the first object: no install usb-storage /bin/true line exists in /etc/modprobe.d, which is exactly what the remediation adds. The remaining objects look for lines in modprobe.conf and the modules-load.d directories that would load the module anyway. |
Remediation | Shell script and Ansible snippet available (not shown) |
Disable Kernel Support for USB via Bootloader Configuration
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_nousb_argument |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. The example below shows a GRUB Legacy kernel line with the argument appended:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
Red Hat Enterprise Linux 7 boots with GRUB2, so the equivalent is to append nousb to GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the configuration with grub2-mkconfig -o /boot/grub2/grub.cfg (or the grub.cfg under /boot/efi on UEFI systems).
WARNING: Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common. |
Rationale | Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems. |
Disable Booting from USB Devices in Boot Firmware
Rule ID | xccdf_org.ssgproject.content_rule_bios_disable_usb_boot |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives. |
Rationale | Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS. |
Assign Password to Prevent Changes to Boot Firmware Configuration
Rule ID | xccdf_org.ssgproject.content_rule_bios_assign_password |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | Assign a password to the system boot firmware (historically called BIOS on PC systems) to require a password for any configuration changes. |
Rationale | Assigning a password to the system boot firmware prevents anyone with physical access from configuring the system to boot from local media and circumvent the operating system's access controls. For systems in physically secure locations, such as a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed against the risk of administrative personnel being unable to conduct recovery operations in a timely fashion. |
Disable the Automounter
Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
Result | pass |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-19(a), AC-19(d), AC-19(e), IA-3, 366, 778, 1958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 3.4.6 |
Description | The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter. The autofs service can be disabled with the following command:
$ sudo systemctl disable autofs.service
Note that disable only prevents the service from starting at the next boot; a running instance must also be stopped with systemctl stop autofs.service. |
Rationale | Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab. |
OVAL details | Items found satisfying systemd test |
Disable Mounting of cramfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of freevxfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of jffs2
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of hfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of hfsplus
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of squashfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of udf
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description |
To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install udf /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
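The usb-storage rule and the seven filesystem-module rules above all rely on an install MODULE /bin/true line in /etc/modprobe.d. The script below is an added example, not SCAP Security Guide code (the function names and the scratch directory are ours), that tells a real install lock-out apart from a mere blacklist line and from a module that simply is not loaded right now.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): inspect and apply the modprobe
# lock-out the rules above describe. Function names are ours; the demo writes
# only into a temporary directory, never into /etc.

# module_install_disabled MODULE [MODPROBE_DIR]
# returns 0 if some *.conf in the directory carries "install MODULE /bin/true"
module_install_disabled() {
    mod=$1; dir=${2:-/etc/modprobe.d}
    # modprobe tolerates any run of whitespace; '#' starts a comment line
    grep -Eqs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/true([[:space:]]|$)" "$dir"/*.conf
}

# module_blacklisted MODULE [MODPROBE_DIR]
# a "blacklist" line only stops alias-based autoloading; an explicit
# "modprobe MODULE" still works, so it does not satisfy the rules above
module_blacklisted() {
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$1([[:space:]]|$)" "${2:-/etc/modprobe.d}"/*.conf
}

# module_loaded MODULE: consult /proc/modules (names there use '_' not '-')
module_loaded() {
    name=$(printf '%s' "$1" | tr '-' '_')
    grep -qs "^$name " /proc/modules
}

# module_status MODULE [MODPROBE_DIR] -> disabled | blacklist-only | loadable
module_status() {
    if module_install_disabled "$1" "$2"; then echo disabled
    elif module_blacklisted "$1" "$2"; then echo blacklist-only
    else echo loadable; fi
}

# disable_module MODULE [MODPROBE_DIR]: write the drop-in the rules call for
disable_module() {
    printf 'install %s /bin/true\n' "$1" > "${2:-/etc/modprobe.d}/$1.conf"
}

# Demo against a scratch directory so it runs without privileges
demo_dir=$(mktemp -d)
printf 'install usb-storage /bin/true\n' > "$demo_dir/usb-storage.conf"
printf '# cramfs is not needed here\nblacklist cramfs\n' > "$demo_dir/fs.conf"
for m in usb-storage cramfs udf; do
    printf '%-12s %s\n' "$m" "$(module_status "$m" "$demo_dir")"
done
disable_module udf "$demo_dir"
printf '%-12s %s (after disable_module)\n' udf "$(module_status udf "$demo_dir")"
rm -rf "$demo_dir"
```

On a real host call module_status without the directory argument, and pair it with module_loaded: a module can be locked out for future loads yet still be resident until it is removed with modprobe -r or the host reboots, which is the same gap the rule text notes for insmod.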
Verify User Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_userowner_shadow_file |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c, 5.5.2.2 |
Description |
To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow |
Rationale | The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. |
Verify Group Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_groupowner_shadow_file |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c, 5.5.2.2 |
Description |
To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow |
Rationale | The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. |
Verify User Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | |
Description |
To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group |
Rationale | The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
Verify Group Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c, 5.5.2.2 |
Description |
To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group |
Rationale | The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. |
Verify User Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description |
To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow |
Rationale | The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. |
Verify Group Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description |
To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow |
Rationale | The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. |
Verify User Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c, 5.5.2.2 |
Description |
To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd |
Rationale | The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. |
Verify Group Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c, 5.5.2.2 |
Description |
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd |
Rationale | The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. |
Verify that Shared Library Files Have Root Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_library_dirs |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
On Red Hat Enterprise Linux 7, /lib and /lib64 are symbolic links into /usr, and find does not descend into a symlink given on its command line unless -H or -L is passed, so a sweep should start at /usr/lib and /usr/lib64 (or use find -H). |
Rationale | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. |
Verify that System Executables Have Root Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | medium |
Identifiers and References | References: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
As with the library directories, /bin and /sbin are symbolic links into /usr on Red Hat Enterprise Linux 7, so sweep /usr/bin and /usr/sbin or pass -H to find. |
Rationale | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
Verify that All World-Writable Directories Have Sticky Bits Set
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
Result | notselected |
Time | 2017-10-21T14:39:28 |
Severity | low |
Identifiers and References | |
Description | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes. To set the sticky bit on a world-writable directory DIR, run:
$ sudo chmod +t DIR |
Rationale |
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
|
Ensure All Files Are Owned by a User
Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
Result | pass |
Time | 2017-10-21T14:39:38 |
Severity | medium |
Identifiers and References | References: AC-3(4), AC-6, CM-6(b), 002165, SRG-OS-000480-GPOS-00227 |
Description | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. |
Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. |
OVAL details Items not found satisfying Check user ids on all files on the system:Object oval:ssg-file_permissions_unowned_object:obj:1 of type file_object
|
Ensure All World-Writable Directories Are Owned by a System Account
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227 |
Description | All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. |
Rationale | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. |
OVAL details Items not found satisfying check for local directories that are world writable and have uid greater than or equal to 1000:Object oval:ssg-all_local_directories:obj:1 of type file_object
State oval:ssg-state_gid_is_user_and_world_writable:ste:1 of type file_state
|
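The ownership and sticky-bit rules above (shared libraries, system executables, world-writable directories, unowned files, and the /etc/passwd family) are all find and stat sweeps. The following added example, ours rather than SCAP Security Guide code, collects them as functions that take a root directory so they can be tried on a scratch tree before being pointed at /; the function names are ours.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): the filesystem sweeps behind
# the ownership, sticky-bit and unowned-file rules above. Each function takes
# the directory to sweep so it can be exercised on a scratch tree. Function
# names are ours. -xdev keeps every sweep on the local filesystem it started on.

# World-writable directories that lack the sticky bit (rule: sticky bits)
wwdirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Apply the documented fix (chmod +t) to everything the sweep above reports
fix_sticky() {
    wwdirs_no_sticky "$1" | while IFS= read -r dir; do chmod +t "$dir"; done
}

# World-writable directories owned by a non-system account, uid >= 1000
# (rule: world-writable directories owned by a system account)
wwdirs_user_owned() {
    find "$1" -xdev -type d -perm -0002 -uid +999 2>/dev/null | sort
}

# Files whose uid or gid has no entry in /etc/passwd or /etc/group
# (rule: all files owned by a user)
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# Files under the library and binary directories not owned by root.
# -H makes find descend into /lib, /lib64, /bin and /sbin, which are symlinks
# into /usr on Red Hat Enterprise Linux 7 and would otherwise be skipped.
non_root_system_files() {
    for sysdir in /lib /lib64 /usr/lib /usr/lib64 /bin /sbin /usr/bin /usr/sbin \
                  /usr/libexec /usr/local/bin /usr/local/sbin; do
        [ -d "$sysdir" ] && find -H "$sysdir" -xdev ! -user root 2>/dev/null
    done | sort -u
}

# owner_ok FILE USER GROUP -> 0 when both owner and group match
# (rules: /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow owned by root:root)
owner_ok() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]
}

# Usage on a live host (needs root to see everything):
#   wwdirs_no_sticky /; wwdirs_user_owned /; unowned_files /
#   non_root_system_files
#   for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
#       owner_ok "$f" root root || echo "$f: wrong owner"
#   done
```

unowned_files reports by uid and gid, so it also catches a package or backup restored with ids from another host; fix_sticky is the only function that changes anything and only sets the bit the rule asks for, leaving the decision to drop world-write entirely to the administrator, as the rule text advises.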
Set Daemon Umask
Rule ID | xccdf_org.ssgproject.content_rule_umask_for_daemons |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line:
umask 022
Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. On Red Hat Enterprise Linux 7 this line only affects services that still run through SysV init scripts; services started directly by systemd do not source /etc/init.d/functions and take their umask from systemd (0022 unless the unit sets UMask=). |
Rationale | The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions. |
Disable Core Dumps for All Users
Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | To disable core dumps for all users, add the following line to /etc/security/limits.conf:
* hard core 0
This limit is applied by pam_limits to login sessions; files in /etc/security/limits.d/ are read as well, so a later entry there can override it. Services started by systemd do not pass through PAM limits and need LimitCORE=0 in the unit (or DefaultLimitCORE=0 in /etc/systemd/system.conf) for the same effect. |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Disable Core Dumps for SUID programs
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0 |
Rationale | The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. |
Enable ExecShield
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub. |
Rationale | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. Red Hat Enterprise Linux 7 no longer exposes a kernel.exec-shield sysctl; on x86_64 the protection comes from the processor's NX/XD bit, so what can be verified is that the nx flag appears in /proc/cpuinfo, that the kernel logged "NX (Execute Disable) protection: active" at boot, and that noexec=off is not on the kernel command line. |
Enable Randomized Layout of Virtual Address Space
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2 |
Rationale | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
Install PAE Kernel on Supported 32-bit x86 Systems
Rule ID | xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32 |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support: $ sudo yum install kernel-PAEThe installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/default/grub if necessary. |
Rationale | On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support. |
Warnings | warning
The kernel-PAE package should not be
installed on older systems that do not support the XD or NX bit, as
this may prevent them from booting. |
Enable NX or XD Support in the BIOS
Rule ID | xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the execution-restriction option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. After booting, the presence of the nx flag in /proc/cpuinfo shows whether the kernel sees the feature. |
Rationale | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. |
Restrict Access to Kernel Message Buffer
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.dmesg_restrict = 1 |
Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel address information. |
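The three sysctl rules above (fs.suid_dumpable, kernel.randomize_va_space, kernel.dmesg_restrict) share a failure mode a single scan cannot show: a value set with sysctl -w that was never persisted, or a line added to /etc/sysctl.conf that has not been applied yet. This added example, not SCAP Security Guide code (WANTED, the sample outputs and the function names are ours), compares the running and the persisted value of each parameter against the required one.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): detect sysctl drift between
# the running kernel and the persistent configuration. The samples below are
# constructed, not captured from a host; function names are ours.

# Required values from the rules above, one key=value per line
WANTED='fs.suid_dumpable=0
kernel.randomize_va_space=2
kernel.dmesg_restrict=1'

# Constructed sample in the format "sysctl -a" prints
SAMPLE_RUNNING='fs.suid_dumpable = 0
kernel.randomize_va_space = 1
kernel.dmesg_restrict = 1'

# Constructed sample of the persistent configuration (sysctl.conf syntax)
SAMPLE_CONF='# local hardening
fs.suid_dumpable = 0
kernel.randomize_va_space = 2'

# lookup KEY TEXT -> value of the last "KEY = value" line (last one wins, as
# sysctl applies them in order), or empty when the key is absent
lookup() {
    printf '%s\n' "$2" | awk -F'=' -v k="$1" '
        $0 !~ /^[[:space:]]*(#|;|$)/ {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == k) {
                v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); last = v
            }
        }
        END { print last }'
}

# drift RUNNING_TEXT CONF_TEXT -> one line per parameter whose running or
# persisted value differs from WANTED; empty output means no drift
drift() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        run=$(lookup "$key" "$1")
        conf=$(lookup "$key" "$2")
        if [ "$run" != "$want" ] || [ "$conf" != "$want" ]; then
            printf '%s wanted=%s running=%s persisted=%s\n' \
                "$key" "$want" "${run:-unset}" "${conf:-unset}"
        fi
    done
}

# Demo on the embedded samples. On a live RHEL 7 host use:
#   drift "$(sysctl -a 2>/dev/null)" "$(cat /etc/sysctl.d/*.conf 2>/dev/null)"
# (/etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf there, so the
# glob covers both, in the order systemd-sysctl applies them)
drift "$SAMPLE_RUNNING" "$SAMPLE_CONF"
```

The two lines the demo prints are the two cases worth telling apart: kernel.randomize_va_space is persisted correctly but the running kernel still has the old value (apply with sysctl --system), while kernel.dmesg_restrict is correct now but is not persisted and will revert at the next boot.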
Disable the abrt_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_abrt_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean abrt_anon_write should be disabled. To disable it persistently, run:
$ sudo setsebool -P abrt_anon_write off
The -P flag writes the value into the policy store so it survives a reboot; without it, setsebool changes only the running kernel's value. |
Rationale | |
Disable the abrt_handle_event SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_abrt_handle_event |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean abrt_handle_event should be disabled. To disable it persistently, run:
$ sudo setsebool -P abrt_handle_event off |
Rationale | |
Disable the abrt_upload_watch_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean abrt_upload_watch_anon_write should be disabled. To disable it persistently, run:
$ sudo setsebool -P abrt_upload_watch_anon_write off |
Rationale | |
Enable the antivirus_can_scan_system SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean antivirus_can_scan_system should be enabled. To enable it persistently, run:
$ sudo setsebool -P antivirus_can_scan_system on |
Rationale | |
Disable the antivirus_use_jit SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_antivirus_use_jit |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean antivirus_use_jit should be disabled. To disable it persistently, run:
$ sudo setsebool -P antivirus_use_jit off |
Rationale | |
Enable the auditadm_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean auditadm_exec_content should be enabled. To enable it persistently, run:
$ sudo setsebool -P auditadm_exec_content on |
Rationale | |
Disable the authlogin_nsswitch_use_ldap SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_authlogin_nsswitch_use_ldap |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean authlogin_nsswitch_use_ldap should be disabled. To disable it persistently, run:
$ sudo setsebool -P authlogin_nsswitch_use_ldap off |
Rationale | |
Disable the authlogin_radius SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_authlogin_radius |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean authlogin_radius should be disabled. To disable it persistently, run:
$ sudo setsebool -P authlogin_radius off |
Rationale | |
Disable the authlogin_yubikey SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_authlogin_yubikey |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean authlogin_yubikey should be disabled. To disable it persistently, run:
$ sudo setsebool -P authlogin_yubikey off |
Rationale | |
Disable the awstats_purge_apache_log_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_awstats_purge_apache_log_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean awstats_purge_apache_log_files should be disabled. To disable it persistently, run:
$ sudo setsebool -P awstats_purge_apache_log_files off |
Rationale | |
Disable the boinc_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_boinc_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean boinc_execmem should be disabled. To disable it persistently, run:
$ sudo setsebool -P boinc_execmem off |
Rationale | |
Disable the cdrecord_read_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cdrecord_read_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean cdrecord_read_content should be disabled. To disable it persistently, run:
$ sudo setsebool -P cdrecord_read_content off |
Rationale | |
Disable the cluster_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cluster_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
The SELinux boolean cluster_can_network_connect should be disabled. To disable it persistently, run:
$ sudo setsebool -P cluster_can_network_connect off |
Rationale | |
Disable the cluster_manage_all_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cluster_manage_all_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cluster_manage_all_files … To disable the cluster_manage_all_files SELinux boolean persistently, run: $ sudo setsebool -P cluster_manage_all_files off |
Rationale | |
Disable the cluster_use_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cluster_use_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cluster_use_execmem … To disable the cluster_use_execmem SELinux boolean persistently, run: $ sudo setsebool -P cluster_use_execmem off |
Rationale | |
Disable the cobbler_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cobbler_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cobbler_anon_write … To disable the cobbler_anon_write SELinux boolean persistently, run: $ sudo setsebool -P cobbler_anon_write off |
Rationale | |
Disable the cobbler_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cobbler_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cobbler_can_network_connect … To disable the cobbler_can_network_connect SELinux boolean persistently, run: $ sudo setsebool -P cobbler_can_network_connect off |
Rationale | |
Disable the cobbler_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cobbler_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cobbler_use_cifs … To disable the cobbler_use_cifs SELinux boolean persistently, run: $ sudo setsebool -P cobbler_use_cifs off |
Rationale | |
Disable the cobbler_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cobbler_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cobbler_use_nfs … To disable the cobbler_use_nfs SELinux boolean persistently, run: $ sudo setsebool -P cobbler_use_nfs off |
Rationale | |
Disable the collectd_tcp_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_collectd_tcp_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean collectd_tcp_network_connect … To disable the collectd_tcp_network_connect SELinux boolean persistently, run: $ sudo setsebool -P collectd_tcp_network_connect off |
Rationale | |
Disable the condor_tcp_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_condor_tcp_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean condor_tcp_network_connect … To disable the condor_tcp_network_connect SELinux boolean persistently, run: $ sudo setsebool -P condor_tcp_network_connect off |
Rationale | |
Disable the conman_can_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_conman_can_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean conman_can_network … To disable the conman_can_network SELinux boolean persistently, run: $ sudo setsebool -P conman_can_network off |
Rationale | |
Disable the cron_can_relabel SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cron_can_relabel |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cron_can_relabel … To disable the cron_can_relabel SELinux boolean persistently, run: $ sudo setsebool -P cron_can_relabel off |
Rationale | |
Disable the cron_system_cronjob_use_shares SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cron_system_cronjob_use_shares |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cron_system_cronjob_use_shares … To disable the cron_system_cronjob_use_shares SELinux boolean persistently, run: $ sudo setsebool -P cron_system_cronjob_use_shares off |
Rationale | |
Enable the cron_userdomain_transition SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cron_userdomain_transition |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cron_userdomain_transition … To enable the cron_userdomain_transition SELinux boolean persistently, run: $ sudo setsebool -P cron_userdomain_transition on |
Rationale | |
Disable the cups_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cups_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cups_execmem … To disable the cups_execmem SELinux boolean persistently, run: $ sudo setsebool -P cups_execmem off |
Rationale | |
Disable the cvs_read_shadow SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_cvs_read_shadow |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean cvs_read_shadow … To disable the cvs_read_shadow SELinux boolean persistently, run: $ sudo setsebool -P cvs_read_shadow off |
Rationale | |
Disable the daemons_dump_core SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_daemons_dump_core |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean daemons_dump_core … To disable the daemons_dump_core SELinux boolean persistently, run: $ sudo setsebool -P daemons_dump_core off |
Rationale | |
Disable the daemons_enable_cluster_mode SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_daemons_enable_cluster_mode |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean daemons_enable_cluster_mode … To disable the daemons_enable_cluster_mode SELinux boolean persistently, run: $ sudo setsebool -P daemons_enable_cluster_mode off |
Rationale | |
Disable the daemons_use_tcp_wrapper SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_daemons_use_tcp_wrapper |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean daemons_use_tcp_wrapper … To disable the daemons_use_tcp_wrapper SELinux boolean persistently, run: $ sudo setsebool -P daemons_use_tcp_wrapper off |
Rationale | |
Disable the daemons_use_tty SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_daemons_use_tty |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean daemons_use_tty … To disable the daemons_use_tty SELinux boolean persistently, run: $ sudo setsebool -P daemons_use_tty off |
Rationale | |
Enable the dbadm_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_dbadm_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean dbadm_exec_content … To enable the dbadm_exec_content SELinux boolean persistently, run: $ sudo setsebool -P dbadm_exec_content on |
Rationale | |
Disable the dbadm_manage_user_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_dbadm_manage_user_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean dbadm_manage_user_files … To disable the dbadm_manage_user_files SELinux boolean persistently, run: $ sudo setsebool -P dbadm_manage_user_files off |
Rationale | |
Disable the dbadm_read_user_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_dbadm_read_user_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean dbadm_read_user_files … To disable the dbadm_read_user_files SELinux boolean persistently, run: $ sudo setsebool -P dbadm_read_user_files off |
Rationale | |
Disable the deny_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_deny_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean deny_execmem … To disable the deny_execmem SELinux boolean persistently, run: $ sudo setsebool -P deny_execmem off |
Rationale | |
Disable the deny_ptrace SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_deny_ptrace |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean deny_ptrace … To disable the deny_ptrace SELinux boolean persistently, run: $ sudo setsebool -P deny_ptrace off |
Rationale | |
Disable the dhcpc_exec_iptables SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_dhcpc_exec_iptables |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean dhcpc_exec_iptables … To disable the dhcpc_exec_iptables SELinux boolean persistently, run: $ sudo setsebool -P dhcpc_exec_iptables off |
Rationale | |
Disable the dhcpd_use_ldap SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_dhcpd_use_ldap |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean dhcpd_use_ldap … To disable the dhcpd_use_ldap SELinux boolean persistently, run: $ sudo setsebool -P dhcpd_use_ldap off |
Rationale | |
Disable the docker_connect_any SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_docker_connect_any |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean docker_connect_any … To disable the docker_connect_any SELinux boolean persistently, run: $ sudo setsebool -P docker_connect_any off |
Rationale | |
Enable the docker_transition_unconfined SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_docker_transition_unconfined |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean docker_transition_unconfined … To enable the docker_transition_unconfined SELinux boolean persistently, run: $ sudo setsebool -P docker_transition_unconfined on |
Rationale | |
Enable the domain_fd_use SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_domain_fd_use |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean domain_fd_use … To enable the domain_fd_use SELinux boolean persistently, run: $ sudo setsebool -P domain_fd_use on |
Rationale | |
Disable the domain_kernel_load_modules SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_domain_kernel_load_modules |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean domain_kernel_load_modules … To disable the domain_kernel_load_modules SELinux boolean persistently, run: $ sudo setsebool -P domain_kernel_load_modules off |
Rationale | |
Disable the entropyd_use_audio SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_entropyd_use_audio |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean entropyd_use_audio … To disable the entropyd_use_audio SELinux boolean persistently, run: $ sudo setsebool -P entropyd_use_audio off |
Rationale | |
Disable the exim_can_connect_db SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_exim_can_connect_db |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean exim_can_connect_db … To disable the exim_can_connect_db SELinux boolean persistently, run: $ sudo setsebool -P exim_can_connect_db off |
Rationale | |
Disable the exim_manage_user_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_exim_manage_user_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean exim_manage_user_files … To disable the exim_manage_user_files SELinux boolean persistently, run: $ sudo setsebool -P exim_manage_user_files off |
Rationale | |
Disable the exim_read_user_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_exim_read_user_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean exim_read_user_files … To disable the exim_read_user_files SELinux boolean persistently, run: $ sudo setsebool -P exim_read_user_files off |
Rationale | |
Disable the fcron_crond SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_fcron_crond |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean fcron_crond … To disable the fcron_crond SELinux boolean persistently, run: $ sudo setsebool -P fcron_crond off |
Rationale | |
Disable the fenced_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_fenced_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean fenced_can_network_connect … To disable the fenced_can_network_connect SELinux boolean persistently, run: $ sudo setsebool -P fenced_can_network_connect off |
Rationale | |
Disable the fenced_can_ssh SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_fenced_can_ssh |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean fenced_can_ssh … To disable the fenced_can_ssh SELinux boolean persistently, run: $ sudo setsebool -P fenced_can_ssh off |
Rationale | |
Enable the fips_mode SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_fips_mode |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean fips_mode … To enable the fips_mode SELinux boolean persistently, run: $ sudo setsebool -P fips_mode on |
Rationale | |
Disable the ftpd_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_anon_write … To disable the ftpd_anon_write SELinux boolean persistently, run: $ sudo setsebool -P ftpd_anon_write off |
Rationale | |
Disable the ftpd_connect_all_unreserved SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_connect_all_unreserved |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_connect_all_unreserved … To disable the ftpd_connect_all_unreserved SELinux boolean persistently, run: $ sudo setsebool -P ftpd_connect_all_unreserved off |
Rationale | |
Disable the ftpd_connect_db SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_connect_db |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_connect_db … To disable the ftpd_connect_db SELinux boolean persistently, run: $ sudo setsebool -P ftpd_connect_db off |
Rationale | |
Disable the ftpd_full_access SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_full_access |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_full_access … To disable the ftpd_full_access SELinux boolean persistently, run: $ sudo setsebool -P ftpd_full_access off |
Rationale | |
Disable the ftpd_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_use_cifs … To disable the ftpd_use_cifs SELinux boolean persistently, run: $ sudo setsebool -P ftpd_use_cifs off |
Rationale | |
Disable the ftpd_use_fusefs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_use_fusefs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_use_fusefs … To disable the ftpd_use_fusefs SELinux boolean persistently, run: $ sudo setsebool -P ftpd_use_fusefs off |
Rationale | |
Disable the ftpd_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_use_nfs … To disable the ftpd_use_nfs SELinux boolean persistently, run: $ sudo setsebool -P ftpd_use_nfs off |
Rationale | |
Disable the ftpd_use_passive_mode SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftpd_use_passive_mode |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftpd_use_passive_mode … To disable the ftpd_use_passive_mode SELinux boolean persistently, run: $ sudo setsebool -P ftpd_use_passive_mode off |
Rationale | |
Disable the ftp_home_dir SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ftp_home_dir |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ftp_home_dir … To disable the ftp_home_dir SELinux boolean persistently, run: $ sudo setsebool -P ftp_home_dir off |
Rationale | |
Disable the git_cgi_enable_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_cgi_enable_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_cgi_enable_homedirs … To disable the git_cgi_enable_homedirs SELinux boolean persistently, run: $ sudo setsebool -P git_cgi_enable_homedirs off |
Rationale | |
Disable the git_cgi_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_cgi_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_cgi_use_cifs … To disable the git_cgi_use_cifs SELinux boolean persistently, run: $ sudo setsebool -P git_cgi_use_cifs off |
Rationale | |
Disable the git_cgi_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_cgi_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_cgi_use_nfs … To disable the git_cgi_use_nfs SELinux boolean persistently, run: $ sudo setsebool -P git_cgi_use_nfs off |
Rationale | |
Disable the gitosis_can_sendmail SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_gitosis_can_sendmail |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean gitosis_can_sendmail … To disable the gitosis_can_sendmail SELinux boolean persistently, run: $ sudo setsebool -P gitosis_can_sendmail off |
Rationale | |
Disable the git_session_bind_all_unreserved_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_session_bind_all_unreserved_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_session_bind_all_unreserved_ports … To disable the git_session_bind_all_unreserved_ports SELinux boolean persistently, run: $ sudo setsebool -P git_session_bind_all_unreserved_ports off |
Rationale | |
Disable the git_session_users SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_session_users |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_session_users … To disable the git_session_users SELinux boolean persistently, run: $ sudo setsebool -P git_session_users off |
Rationale | |
Disable the git_system_enable_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_system_enable_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_system_enable_homedirs … To disable the git_system_enable_homedirs SELinux boolean persistently, run: $ sudo setsebool -P git_system_enable_homedirs off |
Rationale | |
Disable the git_system_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_system_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_system_use_cifs … To disable the git_system_use_cifs SELinux boolean persistently, run: $ sudo setsebool -P git_system_use_cifs off |
Rationale | |
Disable the git_system_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_git_system_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean git_system_use_nfs … To disable the git_system_use_nfs SELinux boolean persistently, run: $ sudo setsebool -P git_system_use_nfs off |
Rationale | |
Disable the glance_api_can_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_glance_api_can_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean glance_api_can_network … To disable the glance_api_can_network SELinux boolean persistently, run: $ sudo setsebool -P glance_api_can_network off |
Rationale | |
Disable the glance_use_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_glance_use_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean glance_use_execmem … To disable the glance_use_execmem SELinux boolean persistently, run: $ sudo setsebool -P glance_use_execmem off |
Rationale | |
Disable the glance_use_fusefs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_glance_use_fusefs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean glance_use_fusefs … To disable the glance_use_fusefs SELinux boolean persistently, run: $ sudo setsebool -P glance_use_fusefs off |
Rationale | |
Disable the global_ssp SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_global_ssp |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean global_ssp … To disable the global_ssp SELinux boolean persistently, run: $ sudo setsebool -P global_ssp off |
Rationale | |
Disable the gluster_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_gluster_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean gluster_anon_write … To disable the gluster_anon_write SELinux boolean persistently, run: $ sudo setsebool -P gluster_anon_write off |
Rationale | |
Disable the gluster_export_all_ro SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_gluster_export_all_ro |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean gluster_export_all_ro … To disable the gluster_export_all_ro SELinux boolean persistently, run: $ sudo setsebool -P gluster_export_all_ro off |
Rationale | |
Configure the gluster_export_all_rw SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_gluster_export_all_rw |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean gluster_export_all_rw … To set the gluster_export_all_rw SELinux boolean to the value this profile expects, run: $ sudo setsebool -P gluster_export_all_rw off |
Rationale | |
Disable the gpg_web_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_gpg_web_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean gpg_web_anon_write … To disable the gpg_web_anon_write SELinux boolean persistently, run: $ sudo setsebool -P gpg_web_anon_write off |
Rationale | |
Enable the gssd_read_tmp SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_gssd_read_tmp |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean gssd_read_tmp … To enable the gssd_read_tmp SELinux boolean persistently, run: $ sudo setsebool -P gssd_read_tmp on |
Rationale | |
Disable the guest_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_guest_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean guest_exec_content … The command given for this rule turns the boolean on: $ sudo setsebool -P guest_exec_content on. That contradicts the rule title, which says to disable it; check the current value with getsebool guest_exec_content and confirm the intended state before applying either setting. |
Rationale | |
Disable the haproxy_connect_any SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_haproxy_connect_any |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean haproxy_connect_any … To disable the haproxy_connect_any SELinux boolean persistently, run: $ sudo setsebool -P haproxy_connect_any off |
Rationale | |
Disable the httpd_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_anon_write … To disable the httpd_anon_write SELinux boolean persistently, run: $ sudo setsebool -P httpd_anon_write off |
Rationale | |
Configure the httpd_builtin_scripting SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_builtin_scripting |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_builtin_scripting … To set the httpd_builtin_scripting SELinux boolean to the value this profile expects, run: $ sudo setsebool -P httpd_builtin_scripting off |
Rationale | |
Disable the httpd_can_check_spam SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_check_spam |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_check_spam … To disable the httpd_can_check_spam SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_check_spam off |
Rationale | |
Disable the httpd_can_connect_ftp SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_connect_ftp |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_connect_ftp … To disable the httpd_can_connect_ftp SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_connect_ftp off |
Rationale | |
Disable the httpd_can_connect_ldap SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_connect_ldap |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_connect_ldap … To disable the httpd_can_connect_ldap SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_connect_ldap off |
Rationale | |
Disable the httpd_can_connect_mythtv SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_connect_mythtv |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_connect_mythtv … To disable the httpd_can_connect_mythtv SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_connect_mythtv off |
Rationale | |
Disable the httpd_can_connect_zabbix SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_connect_zabbix |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_connect_zabbix … To disable the httpd_can_connect_zabbix SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_connect_zabbix off |
Rationale | |
Disable the httpd_can_network_connect_cobbler SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_network_connect_cobbler |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_network_connect_cobbler … To disable the httpd_can_network_connect_cobbler SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_network_connect_cobbler off |
Rationale | |
Disable the httpd_can_network_connect_db SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_network_connect_db |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_network_connect_db … To disable the httpd_can_network_connect_db SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_network_connect_db off |
Rationale | |
Disable the httpd_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_network_connect … To disable the httpd_can_network_connect SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_network_connect off |
Rationale | |
Disable the httpd_can_network_memcache SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_network_memcache |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_network_memcache … To disable the httpd_can_network_memcache SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_network_memcache off |
Rationale | |
Disable the httpd_can_network_relay SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_network_relay |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_network_relay … To disable the httpd_can_network_relay SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_network_relay off |
Rationale | |
Disable the httpd_can_sendmail SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_can_sendmail |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_can_sendmail … To disable the httpd_can_sendmail SELinux boolean persistently, run: $ sudo setsebool -P httpd_can_sendmail off |
Rationale | |
Disable the httpd_dbus_avahi SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_dbus_avahi |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_dbus_avahi … To disable the httpd_dbus_avahi SELinux boolean persistently, run: $ sudo setsebool -P httpd_dbus_avahi off |
Rationale | |
Disable the httpd_dbus_sssd SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_dbus_sssd |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_dbus_sssd … To disable the httpd_dbus_sssd SELinux boolean persistently, run: $ sudo setsebool -P httpd_dbus_sssd off |
Rationale | |
Disable the httpd_dontaudit_search_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_dontaudit_search_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_dontaudit_search_dirs … To disable the httpd_dontaudit_search_dirs SELinux boolean persistently, run: $ sudo setsebool -P httpd_dontaudit_search_dirs off |
Rationale | |
Configure the httpd_enable_cgi SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_enable_cgi |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_enable_cgi … To set the httpd_enable_cgi SELinux boolean to the value this profile expects, run: $ sudo setsebool -P httpd_enable_cgi off |
Rationale | |
Disable the httpd_enable_ftp_server SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_enable_ftp_server |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_enable_ftp_server … To disable the httpd_enable_ftp_server SELinux boolean persistently, run: $ sudo setsebool -P httpd_enable_ftp_server off |
Rationale | |
Disable the httpd_enable_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_enable_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_enable_homedirs … To disable the httpd_enable_homedirs SELinux boolean persistently, run: $ sudo setsebool -P httpd_enable_homedirs off |
Rationale | |
Disable the httpd_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_execmem … To disable the httpd_execmem SELinux boolean persistently, run: $ sudo setsebool -P httpd_execmem off |
Rationale | |
Enable the httpd_graceful_shutdown SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_graceful_shutdown |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_graceful_shutdown … To enable the httpd_graceful_shutdown SELinux boolean persistently, run: $ sudo setsebool -P httpd_graceful_shutdown on |
Rationale | |
Disable the httpd_manage_ipa SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_manage_ipa |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_manage_ipa … To disable the httpd_manage_ipa SELinux boolean persistently, run: $ sudo setsebool -P httpd_manage_ipa off |
Rationale | |
Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_mod_auth_ntlm_winbind |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_mod_auth_ntlm_winbind … To disable the httpd_mod_auth_ntlm_winbind SELinux boolean persistently, run: $ sudo setsebool -P httpd_mod_auth_ntlm_winbind off |
Rationale | |
Disable the httpd_mod_auth_pam SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_mod_auth_pam |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_mod_auth_pam … To disable the httpd_mod_auth_pam SELinux boolean persistently, run: $ sudo setsebool -P httpd_mod_auth_pam off |
Rationale | |
Disable the httpd_read_user_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_read_user_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_read_user_content … To disable the httpd_read_user_content SELinux boolean persistently, run: $ sudo setsebool -P httpd_read_user_content off |
Rationale | |
Disable the httpd_run_ipa SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_run_ipa |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_run_ipa … To disable the httpd_run_ipa SELinux boolean persistently, run: $ sudo setsebool -P httpd_run_ipa off |
Rationale | |
Disable the httpd_run_preupgrade SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_run_preupgrade |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_run_preupgrade … To disable the httpd_run_preupgrade SELinux boolean persistently, run: $ sudo setsebool -P httpd_run_preupgrade off |
Rationale | |
Disable the httpd_run_stickshift SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_run_stickshift |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_run_stickshift … To disable the httpd_run_stickshift SELinux boolean persistently, run: $ sudo setsebool -P httpd_run_stickshift off |
Rationale | |
Disable the httpd_serve_cobbler_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_serve_cobbler_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_serve_cobbler_files … To disable the httpd_serve_cobbler_files SELinux boolean persistently, run: $ sudo setsebool -P httpd_serve_cobbler_files off |
Rationale | |
Disable the httpd_setrlimit SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_setrlimit |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_setrlimit … To disable the httpd_setrlimit SELinux boolean persistently, run: $ sudo setsebool -P httpd_setrlimit off |
Rationale | |
Disable the httpd_ssi_exec SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_ssi_exec |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_ssi_exec … To disable the httpd_ssi_exec SELinux boolean persistently, run: $ sudo setsebool -P httpd_ssi_exec off |
Rationale | |
Disable the httpd_sys_script_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_sys_script_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_sys_script_anon_write is disabled. To disable the httpd_sys_script_anon_write SELinux boolean, run the following command: $ sudo setsebool -P httpd_sys_script_anon_write off |
Rationale | |
Disable the httpd_tmp_exec SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_tmp_exec |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_tmp_exec is disabled. To disable the httpd_tmp_exec SELinux boolean, run the following command: $ sudo setsebool -P httpd_tmp_exec off |
Rationale | |
Disable the httpd_tty_comm SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_tty_comm |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_tty_comm is disabled. To disable the httpd_tty_comm SELinux boolean, run the following command: $ sudo setsebool -P httpd_tty_comm off |
Rationale | |
Disable the httpd_unified SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_unified |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_unified is disabled. To disable the httpd_unified SELinux boolean, run the following command: $ sudo setsebool -P httpd_unified off |
Rationale | |
Disable the httpd_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_use_cifs is disabled. To disable the httpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_cifs off |
Rationale | |
Disable the httpd_use_fusefs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_use_fusefs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_use_fusefs is disabled. To disable the httpd_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_fusefs off |
Rationale | |
Disable the httpd_use_gpg SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_use_gpg |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_use_gpg is disabled. To disable the httpd_use_gpg SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_gpg off |
Rationale | |
Disable the httpd_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_use_nfs is disabled. To disable the httpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_nfs off |
Rationale | |
Disable the httpd_use_openstack SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_use_openstack |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_use_openstack is disabled. To disable the httpd_use_openstack SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_openstack off |
Rationale | |
Disable the httpd_use_sasl SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_use_sasl |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_use_sasl is disabled. To disable the httpd_use_sasl SELinux boolean, run the following command: $ sudo setsebool -P httpd_use_sasl off |
Rationale | |
Disable the httpd_verify_dns SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_httpd_verify_dns |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean httpd_verify_dns is disabled. To disable the httpd_verify_dns SELinux boolean, run the following command: $ sudo setsebool -P httpd_verify_dns off |
Rationale | |
Disable the icecast_use_any_tcp_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_icecast_use_any_tcp_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean icecast_use_any_tcp_ports is disabled. To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command: $ sudo setsebool -P icecast_use_any_tcp_ports off |
Rationale | |
Disable the irc_use_any_tcp_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_irc_use_any_tcp_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean irc_use_any_tcp_ports is disabled. To disable the irc_use_any_tcp_ports SELinux boolean, run the following command: $ sudo setsebool -P irc_use_any_tcp_ports off |
Rationale | |
Disable the irssi_use_full_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_irssi_use_full_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean irssi_use_full_network is disabled. To disable the irssi_use_full_network SELinux boolean, run the following command: $ sudo setsebool -P irssi_use_full_network off |
Rationale | |
Disable the kdumpgui_run_bootloader SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_kdumpgui_run_bootloader |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean kdumpgui_run_bootloader is disabled. To disable the kdumpgui_run_bootloader SELinux boolean, run the following command: $ sudo setsebool -P kdumpgui_run_bootloader off |
Rationale | |
Enable the kerberos_enabled SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_kerberos_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean kerberos_enabled is enabled. To enable the kerberos_enabled SELinux boolean, run the following command: $ sudo setsebool -P kerberos_enabled on |
Rationale | |
Disable the ksmtuned_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ksmtuned_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ksmtuned_use_cifs is disabled. To disable the ksmtuned_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P ksmtuned_use_cifs off |
Rationale | |
Disable the ksmtuned_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ksmtuned_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean ksmtuned_use_nfs is disabled. To disable the ksmtuned_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P ksmtuned_use_nfs off |
Rationale | |
Enable the logadm_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_logadm_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean logadm_exec_content is enabled. To enable the logadm_exec_content SELinux boolean, run the following command: $ sudo setsebool -P logadm_exec_content on |
Rationale | |
Disable the logging_syslogd_can_sendmail SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_can_sendmail |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean logging_syslogd_can_sendmail is disabled. To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_can_sendmail off |
Rationale | |
Disable the logging_syslogd_run_nagios_plugins SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_run_nagios_plugins |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean logging_syslogd_run_nagios_plugins is disabled. To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_run_nagios_plugins off |
Rationale | |
Enable the logging_syslogd_use_tty SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_use_tty |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean logging_syslogd_use_tty is enabled. To enable the logging_syslogd_use_tty SELinux boolean, run the following command: $ sudo setsebool -P logging_syslogd_use_tty on |
Rationale | |
Enable the login_console_enabled SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_login_console_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean login_console_enabled is enabled. To enable the login_console_enabled SELinux boolean, run the following command: $ sudo setsebool -P login_console_enabled on |
Rationale | |
Disable the logrotate_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_logrotate_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean logrotate_use_nfs is disabled. To disable the logrotate_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P logrotate_use_nfs off |
Rationale | |
Disable the logwatch_can_network_connect_mail SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_logwatch_can_network_connect_mail |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean logwatch_can_network_connect_mail is disabled. To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command: $ sudo setsebool -P logwatch_can_network_connect_mail off |
Rationale | |
Disable the lsmd_plugin_connect_any SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_lsmd_plugin_connect_any |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean lsmd_plugin_connect_any is disabled. To disable the lsmd_plugin_connect_any SELinux boolean, run the following command: $ sudo setsebool -P lsmd_plugin_connect_any off |
Rationale | |
Disable the mailman_use_fusefs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mailman_use_fusefs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mailman_use_fusefs is disabled. To disable the mailman_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P mailman_use_fusefs off |
Rationale | |
Disable the mcelog_client SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mcelog_client |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mcelog_client is disabled. To disable the mcelog_client SELinux boolean, run the following command: $ sudo setsebool -P mcelog_client off |
Rationale | |
Enable the mcelog_exec_scripts SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mcelog_exec_scripts |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mcelog_exec_scripts is enabled. To enable the mcelog_exec_scripts SELinux boolean, run the following command: $ sudo setsebool -P mcelog_exec_scripts on |
Rationale | |
Disable the mcelog_foreground SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mcelog_foreground |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mcelog_foreground is disabled. To disable the mcelog_foreground SELinux boolean, run the following command: $ sudo setsebool -P mcelog_foreground off |
Rationale | |
Disable the mcelog_server SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mcelog_server |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mcelog_server is disabled. To disable the mcelog_server SELinux boolean, run the following command: $ sudo setsebool -P mcelog_server off |
Rationale | |
Disable the minidlna_read_generic_user_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_minidlna_read_generic_user_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean minidlna_read_generic_user_content is disabled. To disable the minidlna_read_generic_user_content SELinux boolean, run the following command: $ sudo setsebool -P minidlna_read_generic_user_content off |
Rationale | |
Disable the mmap_low_allowed SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mmap_low_allowed |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mmap_low_allowed is disabled. To disable the mmap_low_allowed SELinux boolean, run the following command: $ sudo setsebool -P mmap_low_allowed off |
Rationale | |
Disable the mock_enable_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mock_enable_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mock_enable_homedirs is disabled. To disable the mock_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P mock_enable_homedirs off |
Rationale | |
Enable the mount_anyfile SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mount_anyfile |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mount_anyfile is enabled. To enable the mount_anyfile SELinux boolean, run the following command: $ sudo setsebool -P mount_anyfile on |
Rationale | |
Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mozilla_plugin_bind_unreserved_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mozilla_plugin_bind_unreserved_ports is disabled. To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off |
Rationale | |
Disable the mozilla_plugin_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mozilla_plugin_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mozilla_plugin_can_network_connect is disabled. To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_can_network_connect off |
Rationale | |
Disable the mozilla_plugin_use_bluejeans SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mozilla_plugin_use_bluejeans |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mozilla_plugin_use_bluejeans is disabled. To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_bluejeans off |
Rationale | |
Disable the mozilla_plugin_use_gps SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mozilla_plugin_use_gps |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mozilla_plugin_use_gps is disabled. To disable the mozilla_plugin_use_gps SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_gps off |
Rationale | |
Disable the mozilla_plugin_use_spice SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mozilla_plugin_use_spice |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mozilla_plugin_use_spice is disabled. To disable the mozilla_plugin_use_spice SELinux boolean, run the following command: $ sudo setsebool -P mozilla_plugin_use_spice off |
Rationale | |
Disable the mozilla_read_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mozilla_read_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mozilla_read_content is disabled. To disable the mozilla_read_content SELinux boolean, run the following command: $ sudo setsebool -P mozilla_read_content off |
Rationale | |
Disable the mpd_enable_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mpd_enable_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mpd_enable_homedirs is disabled. To disable the mpd_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P mpd_enable_homedirs off |
Rationale | |
Disable the mpd_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mpd_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mpd_use_cifs is disabled. To disable the mpd_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P mpd_use_cifs off |
Rationale | |
Disable the mpd_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mpd_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mpd_use_nfs is disabled. To disable the mpd_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P mpd_use_nfs off |
Rationale | |
Disable the mplayer_execstack SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mplayer_execstack |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mplayer_execstack is disabled. To disable the mplayer_execstack SELinux boolean, run the following command: $ sudo setsebool -P mplayer_execstack off |
Rationale | |
Disable the mysql_connect_any SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_mysql_connect_any |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean mysql_connect_any is disabled. To disable the mysql_connect_any SELinux boolean, run the following command: $ sudo setsebool -P mysql_connect_any off |
Rationale | |
Disable the nagios_run_pnp4nagios SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_nagios_run_pnp4nagios |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean nagios_run_pnp4nagios is disabled. To disable the nagios_run_pnp4nagios SELinux boolean, run the following command: $ sudo setsebool -P nagios_run_pnp4nagios off |
Rationale | |
Disable the nagios_run_sudo SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_nagios_run_sudo |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean nagios_run_sudo is disabled. To disable the nagios_run_sudo SELinux boolean, run the following command: $ sudo setsebool -P nagios_run_sudo off |
Rationale | |
Disable the named_tcp_bind_http_port SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_named_tcp_bind_http_port |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean named_tcp_bind_http_port is disabled. To disable the named_tcp_bind_http_port SELinux boolean, run the following command: $ sudo setsebool -P named_tcp_bind_http_port off |
Rationale | |
Disable the named_write_master_zones SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_named_write_master_zones |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean named_write_master_zones is disabled. To disable the named_write_master_zones SELinux boolean, run the following command: $ sudo setsebool -P named_write_master_zones off |
Rationale | |
Disable the neutron_can_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_neutron_can_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean neutron_can_network is disabled. To disable the neutron_can_network SELinux boolean, run the following command: $ sudo setsebool -P neutron_can_network off |
Rationale | |
Disable the nfsd_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_nfsd_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean nfsd_anon_write is disabled. To disable the nfsd_anon_write SELinux boolean, run the following command: $ sudo setsebool -P nfsd_anon_write off |
Rationale | |
Enable the nfs_export_all_ro SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_nfs_export_all_ro |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean nfs_export_all_ro is enabled. To enable the nfs_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P nfs_export_all_ro on |
Rationale | |
Enable the nfs_export_all_rw SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_nfs_export_all_rw |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean nfs_export_all_rw is enabled. To enable the nfs_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P nfs_export_all_rw on |
Rationale | |
Disable the nis_enabled SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_nis_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean nis_enabled is disabled. To disable the nis_enabled SELinux boolean, run the following command: $ sudo setsebool -P nis_enabled off |
Rationale | |
Enable the nscd_use_shm SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_nscd_use_shm |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean nscd_use_shm is enabled. To enable the nscd_use_shm SELinux boolean, run the following command: $ sudo setsebool -P nscd_use_shm on |
Rationale | |
Disable the openshift_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_openshift_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean openshift_use_nfs is disabled. To disable the openshift_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P openshift_use_nfs off |
Rationale | |
Disable the openvpn_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_openvpn_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean openvpn_can_network_connect is disabled. To disable the openvpn_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P openvpn_can_network_connect off |
Rationale | |
Disable the openvpn_enable_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_openvpn_enable_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean openvpn_enable_homedirs is disabled. To disable the openvpn_enable_homedirs SELinux boolean, run the following command: $ sudo setsebool -P openvpn_enable_homedirs off |
Rationale | |
Disable the openvpn_run_unconfined SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_openvpn_run_unconfined |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean openvpn_run_unconfined is disabled. To disable the openvpn_run_unconfined SELinux boolean, run the following command: $ sudo setsebool -P openvpn_run_unconfined off |
Rationale | |
Disable the pcp_bind_all_unreserved_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_pcp_bind_all_unreserved_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean pcp_bind_all_unreserved_ports is disabled. To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P pcp_bind_all_unreserved_ports off |
Rationale | |
Disable the pcp_read_generic_logs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_pcp_read_generic_logs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean pcp_read_generic_logs is disabled. To disable the pcp_read_generic_logs SELinux boolean, run the following command: $ sudo setsebool -P pcp_read_generic_logs off |
Rationale | |
Disable the piranha_lvs_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_piranha_lvs_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean piranha_lvs_can_network_connect is disabled. To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command: $ sudo setsebool -P piranha_lvs_can_network_connect off |
Rationale | |
Disable the polipo_connect_all_unreserved SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_polipo_connect_all_unreserved |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean polipo_connect_all_unreserved is disabled. To disable the polipo_connect_all_unreserved SELinux boolean, run the following command: $ sudo setsebool -P polipo_connect_all_unreserved off |
Rationale | |
Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_polipo_session_bind_all_unreserved_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean polipo_session_bind_all_unreserved_ports is disabled. To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command: $ sudo setsebool -P polipo_session_bind_all_unreserved_ports off |
Rationale | |
Disable the polipo_session_users SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_polipo_session_users |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean polipo_session_users is disabled. To disable the polipo_session_users SELinux boolean, run the following command: $ sudo setsebool -P polipo_session_users off |
Rationale | |
Disable the polipo_use_cifs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_polipo_use_cifs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean polipo_use_cifs is disabled. To disable the polipo_use_cifs SELinux boolean, run the following command: $ sudo setsebool -P polipo_use_cifs off |
Rationale | |
Disable the polipo_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_polipo_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean polipo_use_nfs is disabled. To disable the polipo_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P polipo_use_nfs off |
Rationale | |
Enable the postfix_local_write_mail_spool SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_postfix_local_write_mail_spool |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean postfix_local_write_mail_spool is enabled. To enable the postfix_local_write_mail_spool SELinux boolean, run the following command: $ sudo setsebool -P postfix_local_write_mail_spool on |
Rationale | |
Disable the postgresql_can_rsync SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_postgresql_can_rsync |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean postgresql_can_rsync is disabled. To disable the postgresql_can_rsync SELinux boolean, run the following command: $ sudo setsebool -P postgresql_can_rsync off |
Rationale | |
Disable the postgresql_selinux_transmit_client_label SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_postgresql_selinux_transmit_client_label |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean postgresql_selinux_transmit_client_label is disabled. To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_transmit_client_label off |
Rationale | |
Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_postgresql_selinux_unconfined_dbadm |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean postgresql_selinux_unconfined_dbadm is enabled. To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_unconfined_dbadm on |
Rationale | |
Enable the postgresql_selinux_users_ddl SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_postgresql_selinux_users_ddl |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean postgresql_selinux_users_ddl is enabled. To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command: $ sudo setsebool -P postgresql_selinux_users_ddl on |
Rationale | |
Disable the pppd_can_insmod SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_pppd_can_insmod |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean pppd_can_insmod is disabled. To disable the pppd_can_insmod SELinux boolean, run the following command: $ sudo setsebool -P pppd_can_insmod off |
Rationale | |
Disable the pppd_for_user SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_pppd_for_user |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean pppd_for_user is disabled. To disable the pppd_for_user SELinux boolean, run the following command: $ sudo setsebool -P pppd_for_user off |
Rationale | |
Disable the privoxy_connect_any SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_privoxy_connect_any |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean privoxy_connect_any is disabled. To disable the privoxy_connect_any SELinux boolean, run the following command: $ sudo setsebool -P privoxy_connect_any off |
Rationale | |
Disable the prosody_bind_http_port SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_prosody_bind_http_port |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean prosody_bind_http_port is disabled. To disable the prosody_bind_http_port SELinux boolean, run the following command: $ sudo setsebool -P prosody_bind_http_port off |
Rationale | |
Disable the puppetagent_manage_all_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_puppetagent_manage_all_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean puppetagent_manage_all_files is disabled. To disable the puppetagent_manage_all_files SELinux boolean, run the following command: $ sudo setsebool -P puppetagent_manage_all_files off |
Rationale | |
Disable the puppetmaster_use_db SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_puppetmaster_use_db |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean puppetmaster_use_db is disabled. To disable the puppetmaster_use_db SELinux boolean, run the following command: $ sudo setsebool -P puppetmaster_use_db off |
Rationale | |
Disable the racoon_read_shadow SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_racoon_read_shadow |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean racoon_read_shadow is disabled. To disable the racoon_read_shadow SELinux boolean, run the following command: $ sudo setsebool -P racoon_read_shadow off |
Rationale | |
Disable the rsync_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_rsync_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean rsync_anon_write is disabled. To disable the rsync_anon_write SELinux boolean, run the following command: $ sudo setsebool -P rsync_anon_write off |
Rationale | |
Disable the rsync_client SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_rsync_client |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean rsync_client is disabled. To disable the rsync_client SELinux boolean, run the following command: $ sudo setsebool -P rsync_client off |
Rationale | |
Disable the rsync_export_all_ro SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_rsync_export_all_ro |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean rsync_export_all_ro is disabled. To disable the rsync_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P rsync_export_all_ro off |
Rationale | |
Disable the rsync_full_access SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_rsync_full_access |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean rsync_full_access is disabled. To disable the rsync_full_access SELinux boolean, run the following command: $ sudo setsebool -P rsync_full_access off |
Rationale | |
Disable the samba_create_home_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_create_home_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_create_home_dirs is disabled. To disable the samba_create_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P samba_create_home_dirs off |
Rationale | |
Disable the samba_domain_controller SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_domain_controller |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_domain_controller is disabled. To disable the samba_domain_controller SELinux boolean, run the following command: $ sudo setsebool -P samba_domain_controller off |
Rationale | |
Disable the samba_enable_home_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_enable_home_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_enable_home_dirs is disabled. To disable the samba_enable_home_dirs SELinux boolean, run the following command: $ sudo setsebool -P samba_enable_home_dirs off |
Rationale | |
Disable the samba_export_all_ro SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_export_all_ro |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_export_all_ro is disabled. To disable the samba_export_all_ro SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_ro off |
Rationale | |
Disable the samba_export_all_rw SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_export_all_rw |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_export_all_rw is disabled. To disable the samba_export_all_rw SELinux boolean, run the following command: $ sudo setsebool -P samba_export_all_rw off |
Rationale | |
Disable the samba_load_libgfapi SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_load_libgfapi |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_load_libgfapi is disabled. To disable the samba_load_libgfapi SELinux boolean, run the following command: $ sudo setsebool -P samba_load_libgfapi off |
Rationale | |
Disable the samba_portmapper SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_portmapper |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_portmapper is disabled. To disable the samba_portmapper SELinux boolean, run the following command: $ sudo setsebool -P samba_portmapper off |
Rationale | |
Disable the samba_run_unconfined SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_run_unconfined |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_run_unconfined is disabled. To disable the samba_run_unconfined SELinux boolean, run the following command: $ sudo setsebool -P samba_run_unconfined off |
Rationale | |
Disable the samba_share_fusefs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_share_fusefs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_share_fusefs is disabled. To disable the samba_share_fusefs SELinux boolean, run the following command: $ sudo setsebool -P samba_share_fusefs off |
Rationale | |
Disable the samba_share_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_samba_share_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean samba_share_nfs is disabled. To disable the samba_share_nfs SELinux boolean, run the following command: $ sudo setsebool -P samba_share_nfs off |
Rationale | |
Disable the sanlock_use_fusefs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sanlock_use_fusefs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean sanlock_use_fusefs is disabled. To disable the sanlock_use_fusefs SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_fusefs off |
Rationale | |
Disable the sanlock_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sanlock_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | By default, the SELinux boolean sanlock_use_nfs is disabled. To disable the sanlock_use_nfs SELinux boolean, run the following command: $ sudo setsebool -P sanlock_use_nfs off |
Rationale | |
Disable the sanlock_use_samba SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sanlock_use_samba |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sanlock_use_samba off |
Rationale |
|
Disable the saslauthd_read_shadow SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_saslauthd_read_shadow |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P saslauthd_read_shadow off |
Rationale |
|
Enable the secadm_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_secadm_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P secadm_exec_content on |
Rationale |
|
Disable the secure_mode_insmod SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P secure_mode_insmod off |
Rationale |
|
Disable the secure_mode SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_secure_mode |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P secure_mode off |
Rationale |
|
Disable the secure_mode_policyload SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_secure_mode_policyload |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P secure_mode_policyload off |
Rationale |
|
Configure the selinuxuser_direct_dri_enabled SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_direct_dri_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_direct_dri_enabled off |
Rationale |
|
Disable the selinuxuser_execheap SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_execheap off |
Rationale |
|
Enable the selinuxuser_execmod SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_execmod on |
Rationale |
|
Disable the selinuxuser_execstack SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_execstack off |
Rationale |
|
Disable the selinuxuser_mysql_connect_enabled SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_mysql_connect_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_mysql_connect_enabled off |
Rationale |
|
Enable the selinuxuser_ping SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_ping |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_ping on |
Rationale |
|
Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_postgresql_connect_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_postgresql_connect_enabled off |
Rationale |
|
Disable the selinuxuser_rw_noexattrfile SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_rw_noexattrfile |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_rw_noexattrfile off |
Rationale |
|
Disable the selinuxuser_share_music SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_share_music |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_share_music off |
Rationale |
|
Disable the selinuxuser_tcp_server SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_tcp_server |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_tcp_server off |
Rationale |
|
Disable the selinuxuser_udp_server SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_udp_server |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_udp_server off |
Rationale |
|
Disable the selinuxuser_use_ssh_chroot SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_selinuxuser_use_ssh_chroot |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P selinuxuser_use_ssh_chroot off |
Rationale |
|
Disable the sftpd_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sftpd_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sftpd_anon_write off |
Rationale |
|
Disable the sftpd_enable_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sftpd_enable_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sftpd_enable_homedirs off |
Rationale |
|
Disable the sftpd_full_access SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sftpd_full_access |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sftpd_full_access off |
Rationale |
|
Disable the sftpd_write_ssh_home SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sftpd_write_ssh_home |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sftpd_write_ssh_home off |
Rationale |
|
Disable the sge_domain_can_network_connect SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sge_domain_can_network_connect |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sge_domain_can_network_connect off |
Rationale |
|
Disable the sge_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sge_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sge_use_nfs off |
Rationale |
|
Disable the smartmon_3ware SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_smartmon_3ware |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P smartmon_3ware off |
Rationale |
|
Disable the smbd_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_smbd_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P smbd_anon_write off |
Rationale |
|
Disable the spamassassin_can_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_spamassassin_can_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P spamassassin_can_network off |
Rationale |
|
Enable the spamd_enable_home_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_spamd_enable_home_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P spamd_enable_home_dirs on |
Rationale |
|
Disable the squid_connect_any SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_squid_connect_any |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P squid_connect_any off |
Rationale |
|
Disable the squid_use_tproxy SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_squid_use_tproxy |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P squid_use_tproxy off |
Rationale |
|
Disable the ssh_chroot_rw_homedirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ssh_chroot_rw_homedirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P ssh_chroot_rw_homedirs off |
Rationale |
|
Disable the ssh_keysign SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ssh_keysign |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P ssh_keysign off |
Rationale |
|
Disable the ssh_sysadm_login SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P ssh_sysadm_login off |
Rationale |
|
Enable the staff_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_staff_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P staff_exec_content on |
Rationale |
|
Disable the staff_use_svirt SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_staff_use_svirt |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P staff_use_svirt off |
Rationale |
|
Disable the swift_can_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_swift_can_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P swift_can_network off |
Rationale |
|
Enable the sysadm_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_sysadm_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P sysadm_exec_content on |
Rationale |
|
Disable the telepathy_connect_all_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_telepathy_connect_all_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P telepathy_connect_all_ports off |
Rationale |
|
Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_telepathy_tcp_connect_generic_network_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off |
Rationale |
|
Disable the tftp_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_tftp_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P tftp_anon_write off |
Rationale |
|
Disable the tftp_home_dir SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_tftp_home_dir |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P tftp_home_dir off |
Rationale |
|
Disable the tmpreaper_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_tmpreaper_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P tmpreaper_use_nfs off |
Rationale |
|
Disable the tmpreaper_use_samba SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_tmpreaper_use_samba |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P tmpreaper_use_samba off |
Rationale |
|
Disable the tor_bind_all_unreserved_ports SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_tor_bind_all_unreserved_ports |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P tor_bind_all_unreserved_ports off |
Rationale |
|
Disable the tor_can_network_relay SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_tor_can_network_relay |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P tor_can_network_relay off |
Rationale |
|
Enable the unconfined_chrome_sandbox_transition SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_unconfined_chrome_sandbox_transition |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P unconfined_chrome_sandbox_transition on |
Rationale |
|
Enable the unconfined_login SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_unconfined_login |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P unconfined_login on |
Rationale |
|
Enable the unconfined_mozilla_plugin_transition SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_unconfined_mozilla_plugin_transition |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P unconfined_mozilla_plugin_transition on |
Rationale |
|
Disable the unprivuser_use_svirt SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_unprivuser_use_svirt |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P unprivuser_use_svirt off |
Rationale |
|
Disable the use_ecryptfs_home_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_use_ecryptfs_home_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P use_ecryptfs_home_dirs off |
Rationale |
|
Disable the use_fusefs_home_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_use_fusefs_home_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P use_fusefs_home_dirs off |
Rationale |
|
Disable the use_lpd_server SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_use_lpd_server |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P use_lpd_server off |
Rationale |
|
Disable the use_nfs_home_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_use_nfs_home_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P use_nfs_home_dirs off |
Rationale |
|
Enable the user_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_user_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P user_exec_content on |
Rationale |
|
Disable the use_samba_home_dirs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_use_samba_home_dirs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P use_samba_home_dirs off |
Rationale |
|
Disable the varnishd_connect_any SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_varnishd_connect_any |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P varnishd_connect_any off |
Rationale |
|
Disable the virt_read_qemu_ga_data SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_read_qemu_ga_data |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_read_qemu_ga_data off |
Rationale |
|
Disable the virt_rw_qemu_ga_data SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_rw_qemu_ga_data |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_rw_qemu_ga_data off |
Rationale |
|
Disable the virt_sandbox_use_all_caps SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_all_caps |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_sandbox_use_all_caps off |
Rationale |
|
Enable the virt_sandbox_use_audit SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_audit |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_sandbox_use_audit on |
Rationale |
|
Disable the virt_sandbox_use_mknod SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_mknod |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_sandbox_use_mknod off |
Rationale |
|
Disable the virt_sandbox_use_netlink SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_netlink |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_sandbox_use_netlink off |
Rationale |
|
Disable the virt_sandbox_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_sandbox_use_nfs off |
Rationale |
|
Disable the virt_sandbox_use_samba SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_samba |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_sandbox_use_samba off |
Rationale |
|
Disable the virt_sandbox_use_sys_admin SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_sys_admin |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_sandbox_use_sys_admin off |
Rationale |
|
Disable the virt_transition_userdomain SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_transition_userdomain |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_transition_userdomain off |
Rationale |
|
Disable the virt_use_comm SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_comm |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_comm off |
Rationale |
|
Disable the virt_use_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_execmem off |
Rationale |
|
Disable the virt_use_fusefs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_fusefs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_fusefs off |
Rationale |
|
Disable the virt_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_nfs off |
Rationale |
|
Disable the virt_use_rawip SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_rawip |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_rawip off |
Rationale |
|
Disable the virt_use_samba SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_samba |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_samba off |
Rationale |
|
Disable the virt_use_sanlock SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_sanlock |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_sanlock off |
Rationale |
|
Disable the virt_use_usb SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_usb |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_usb off |
Rationale |
|
Disable the virt_use_xserver SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_virt_use_xserver |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P virt_use_xserver off |
Rationale |
|
Disable the webadm_manage_user_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_webadm_manage_user_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P webadm_manage_user_files off |
Rationale |
|
Disable the webadm_read_user_files SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_webadm_read_user_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P webadm_read_user_files off |
Rationale |
|
Disable the wine_mmap_zero_ignore SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_wine_mmap_zero_ignore |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P wine_mmap_zero_ignore off |
Rationale |
|
Disable the xdm_bind_vnc_tcp_port SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xdm_bind_vnc_tcp_port |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xdm_bind_vnc_tcp_port off |
Rationale |
|
Disable the xdm_exec_bootloader SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xdm_exec_bootloader |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xdm_exec_bootloader off |
Rationale |
|
Disable the xdm_sysadm_login SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xdm_sysadm_login |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xdm_sysadm_login off |
Rationale |
|
Disable the xdm_write_home SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xdm_write_home |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xdm_write_home off |
Rationale |
|
Enable the xend_run_blktap SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xend_run_blktap |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xend_run_blktap on |
Rationale |
|
Enable the xend_run_qemu SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xend_run_qemu |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xend_run_qemu on |
Rationale |
|
Disable the xen_use_nfs SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xen_use_nfs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xen_use_nfs off |
Rationale |
|
Disable the xguest_connect_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xguest_connect_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xguest_connect_network off |
Rationale |
|
Disable the xguest_exec_content SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xguest_exec_content |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xguest_exec_content off |
Rationale |
|
Disable the xguest_mount_media SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xguest_mount_media |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xguest_mount_media off |
Rationale |
|
Disable the xguest_use_bluetooth SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xguest_use_bluetooth |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xguest_use_bluetooth off |
Rationale |
|
Disable the xserver_clients_write_xshm SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xserver_clients_write_xshm |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xserver_clients_write_xshm off |
Rationale |
|
Disable the xserver_execmem SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xserver_execmem |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xserver_execmem off |
Rationale |
|
Disable the xserver_object_manager SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_xserver_object_manager |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P xserver_object_manager off |
Rationale |
|
Disable the zabbix_can_network SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_zabbix_can_network |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P zabbix_can_network off |
Rationale |
|
Disable the zarafa_setrlimit SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_zarafa_setrlimit |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P zarafa_setrlimit off |
Rationale |
|
Disable the zebra_write_config SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_zebra_write_config |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P zebra_write_config off |
Rationale |
|
Disable the zoneminder_anon_write SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_zoneminder_anon_write |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean $ sudo setsebool -P zoneminder_anon_write off |
Rationale |
|
Disable the zoneminder_run_sudo SELinux Boolean
Rule ID | xccdf_org.ssgproject.content_rule_sebool_zoneminder_run_sudo |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
By default, the SELinux boolean zoneminder_run_sudo is disabled. If it has been enabled, disable it persistently with: $ sudo setsebool -P zoneminder_run_sudo off |
Rationale |
|
Ensure SELinux Not Disabled in /etc/default/grub
Rule ID | xccdf_org.ssgproject.content_rule_enable_selinux_bootloader |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), 22, 32, 1.4.1, 3.1.2, 3.7.2 |
Description | SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments (the GRUB_CMDLINE_LINUX line) in that file to prevent SELinux from being disabled at startup. Remove enforcing=0 for the same reason: it leaves SELinux enabled but boots the system in permissive mode. The edited file takes effect only after grub2-mkconfig regenerates grub.cfg. |
Rationale | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. |
Ensure SELinux State is Enforcing
Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | high |
Identifiers and References | References: AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), 2165, 2696, 1.4.2, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2 |
Description | The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing |
Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. |
OVAL details | Items found satisfying: /selinux/enforce is 1 |
Configure SELinux Policy
Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | high |
Identifiers and References | References: AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), 2696, 1.4.3, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2 |
Description | The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config: SELINUXTYPE=targeted Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
|
Rationale |
Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: during the development or debugging of SELinux modules it is common to temporarily place non-production systems in permissive mode; once that work is complete, the system should be returned to the targeted (or stricter) policy in enforcing mode. |
OVAL details | Items found satisfying: tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file |
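The three SELinux rules just listed all reduce to text checks on two files. As an added example (not part of the SSG content or of this report), the following POSIX shell functions perform those checks against file contents passed in as strings, so they can be run against a host's /etc/default/grub and /etc/selinux/config or, as here, against constructed samples; the sample contents, and the variable and function names, are made up for the demonstration, and the SELINUX=/SELINUXTYPE= matching follows the anchored shape of the OVAL expression quoted above.

```shell
#!/bin/sh
# Added example: audit SELinux boot and config settings from file contents.
# Both samples are constructed for the demonstration; on a real host read
# /etc/default/grub and /etc/selinux/config instead.

SAMPLE_GRUB='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet selinux=0"'

SAMPLE_SELINUX_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

FIXED_SELINUX_CONFIG='SELINUX=enforcing
SELINUXTYPE=targeted'

# bootloader_selinux_ok GRUB_CONTENT -> "pass" unless GRUB_CMDLINE_LINUX
# carries selinux=0 (SELinux off) or enforcing=0 (boot permissive).
bootloader_selinux_ok() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*GRUB_CMDLINE_LINUX[ \t]*=/ && /(selinux|enforcing)=0/ { bad = 1 }
        END { print (bad ? "fail" : "pass") }'
}

# selinux_config_value CONFIG_CONTENT KEY -> value of the last line matching
# ^[ \t]*KEY[ \t]*=[ \t]*VALUE, trailing comment stripped (empty if absent).
selinux_config_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "")
            sub(/[ \t#].*$/, "")
            val = $0
        }
        END { print val }'
}

# selinux_config_ok CONFIG_CONTENT -> "pass" when the state is enforcing and
# the policy is targeted or mls, otherwise "fail" with the values seen.
selinux_config_ok() {
    state=$(selinux_config_value "$1" SELINUX)
    policy=$(selinux_config_value "$1" SELINUXTYPE)
    if [ "$state" = enforcing ] && { [ "$policy" = targeted ] || [ "$policy" = mls ]; }; then
        echo pass
    else
        echo "fail (SELINUX=$state SELINUXTYPE=$policy)"
    fi
}

# selinux_audit GRUB_CONTENT CONFIG_CONTENT -> one result line per file
selinux_audit() {
    echo "bootloader arguments: $(bootloader_selinux_ok "$1")"
    echo "/etc/selinux/config:  $(selinux_config_ok "$2")"
}

selinux_audit "$SAMPLE_GRUB" "$SAMPLE_SELINUX_CONFIG"
selinux_audit 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"' "$FIXED_SELINUX_CONFIG"
```

This reads the persisted configuration only. The running state is what getenforce and sestatus report, and the two differ until the next reboot (or until setenforce 1 is run), which is why the OVAL check for the enforcing rule reads /selinux/enforce rather than the config file.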
Uninstall setroubleshoot Package
Rule ID | xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: 1.4.4 |
Description | The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot package can be removed with the following command: $ sudo yum erase setroubleshoot |
Rationale | The SETroubleshoot service is an unnecessary daemon to have running on a server |
Uninstall mcstrans Package
Rule ID | xccdf_org.ssgproject.content_rule_package_mcstrans_removed |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | The mcstrans package can be removed with the following command: $ sudo yum erase mcstrans |
Rationale | Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that Red Hat does not feel this rule is security relevant. |
Ensure No Daemons are Unconfined by SELinux
Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the initrc_t context. To check for unconfined daemons, run the following command: $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' It should produce no output in a well-configured system. |
Rationale |
Daemons which run with the initrc_t context are not confined by the SELinux policy, so a compromise of such a daemon is not contained by SELinux. |
Ensure No Device Files are Unlabeled by SELinux
Rule ID | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-6, AU-9, CM-3(f), CM-7, 22, 32, 368, 318, 1812, 1813, 1814, SRG-OS-000480-GPOS-00227, 3.1.2, 3.1.5, 3.7.2 |
Description | Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. device_t is the generic type given to device nodes the policy has not labeled more specifically; if any device file still carries that type, report the bug so that policy can be corrected, supplying information about what the device is and what programs use it. To check for such device files, run the following command: $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" It should produce no output in a well-configured system. |
Rationale |
If a device file carries only the generic SELinux type device_t, SELinux cannot properly restrict access to that device. |
OVAL details | Items found violating: device_t in /dev |
Ensure SELinux support is enabled in Docker
Rule ID | xccdf_org.ssgproject.content_rule_docker_selinux_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | high |
Identifiers and References | |
Description |
To enable SELinux for the Docker service, the Docker daemon must be started with the --selinux-enabled flag. Edit /etc/sysconfig/docker and add or correct the following line, keeping any other options already present on it: OPTIONS='--selinux-enabled' |
Rationale | If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not use SELinux, which means Docker runs unconfined and SELinux provides no security separation for Docker container processes. Enabling SELinux for the Docker service prevents an attacker or rogue container from attacking other container processes and content, and from taking over the host operating system. |
Direct root Logins Not Allowed
Rule ID | xccdf_org.ssgproject.content_rule_no_direct_root_logins |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists the devices on which the root user is allowed to log in; if the file is absent, root may log in through any device. By default, Red Hat Enterprise Linux 7's /etc/securetty only allows root to log in at the console physically attached to the system. To prevent direct root logins entirely, empty the file. Note that in $ sudo echo > /etc/securetty the redirection is performed by the invoking shell, not by sudo, so that form only works from a root shell; from an unprivileged shell use: $ sudo sh -c '> /etc/securetty' |
Rationale | Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. |
Restrict Virtual Console Root Logins
Rule ID | xccdf_org.ssgproject.content_rule_securetty_root_login_console_only |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty: vc/1 vc/2 vc/3 vc/4 |
Rationale | Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. |
Restrict Serial Port Root Logins
Rule ID | xccdf_org.ssgproject.content_rule_restrict_serial_port_logins |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty: ttyS0 ttyS1 |
Rationale | Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. |
Restrict Web Browser Use for Administrative Accounts
Rule ID | xccdf_org.ssgproject.content_rule_no_root_webbrowsing |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | Enforce policy requiring administrative accounts use web browsers only for local service administration. |
Rationale | If a browser vulnerability is exploited while running with administrative privileges, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy. |
Ensure that System Accounts Do Not Run a Shell Upon Login
Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-2, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description |
Some accounts are not associated with a human user of the system, and exist to
perform some administrative function. Should an attacker be able to log into
these accounts, they should not be granted access to a shell.
The shell for each account is listed in /etc/passwd. To disable the shell for a system account SYSACCT, run: $ sudo usermod -s /sbin/nologin SYSACCT |
Rationale | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. |
Warnings | warning
Do not perform the steps in this section on the root account. Doing so might
cause the system to become inaccessible.
|
Verify Only Root Has UID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | high |
Identifiers and References | References: AC-6, IA-2(1), IA-4, 366, SRG-OS-000480-GPOS-00227, 3.1.1, 3.1.5 |
Description |
If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or
have their UID changed.
|
Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
OVAL details | Items not found satisfying: test that there are no accounts with UID 0 except root in the /etc/passwd file (Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object) |
Root Path Must Be Vendor Default
Rule ID | xccdf_org.ssgproject.content_rule_root_path_default |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: SA-8 |
Description | Assuming the root shell is bash, edit the following files: ~/.profile and ~/.bashrc. Change any PATH variables to the vendor default for root and remove any
empty PATH entries or references to relative paths.
|
Rationale | The root account's executable search path must be the vendor default, and must contain only absolute paths. |
Prevent Log In to Accounts With Empty Password
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | high |
Identifiers and References | References: AC-6, IA-5(b), IA-5(c), IA-5(1)(a), 366, SRG-OS-000480-GPOS-00227, Req-8.2.3, 5.5.2, 3.1.1, 3.1.5 |
Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords. The automated check covers system-auth only; /etc/pam.d/password-auth, which governs sshd and other non-console services, should be cleared of nullok as well. |
Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
OVAL details | Items not found satisfying: make sure nullok is not used in /etc/pam.d/system-auth (Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object) |
Verify All Account Password Hashes are Shadowed
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(h), http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.2.1, 5.5.2, 3.5.10 |
Description |
If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash properly stored in /etc/shadow, or the account should be deleted entirely. |
Rationale |
The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd, which is readable by all users. |
All GIDs referenced in /etc/passwd must be defined in /etc/group
Rule ID | xccdf_org.ssgproject.content_rule_gid_passwd_group_same |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: IA-2, 764, SRG-OS-000104-GPOS-00051, Req-8.5.a, 5.5.2 |
Description | Add a group to the system for each GID referenced without a corresponding group. |
Rationale | If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to any files associated with the group. |
OVAL details | Items found satisfying: verify all GIDs referenced in /etc/passwd are defined in /etc/group |
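The four account-database rules above (only root with UID 0, no empty passwords, all hashes shadowed, every primary GID defined) are each a one-field test over /etc/passwd, /etc/shadow or /etc/group. As an added example, not part of the SSG content or of this report, the POSIX shell functions below run those tests over file contents passed in as strings; the three sample files, which deliberately contain one finding each, and all variable and function names are constructed for the demonstration. The shadow check complements the rule's own OVAL test, which looks for nullok in PAM rather than for empty hash fields.

```shell
#!/bin/sh
# Added example: audit account-database files for the conditions checked by
# the rules above. All three samples are constructed and contain deliberate
# findings; pass "$(cat /etc/passwd)" etc. to run against a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
legacy:$6$N0tAReal$HashStoredInPasswd:1002:1002::/home/legacy:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1003:4242::/home/bob:/bin/bash'

SAMPLE_SHADOW='root:$6$N0tAReal$RootHash:17456:1:60:7:::
bin:*:17456:0:99999:7:::
toor:!!:17456:0:99999:7:::
alice::17456:1:60:7:35::
bob:$6$N0tAReal$BobHash:17456:1:60:7:::'

SAMPLE_GROUP='root:x:0:
bin:x:1:
alice:x:1001:
legacy:x:1002:'

# uid0_accounts PASSWD -> names of accounts other than root whose UID is 0
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# unshadowed_accounts PASSWD -> accounts whose password field is not "x",
# i.e. a hash (or a lock marker) sits in world-readable /etc/passwd
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

# empty_password_accounts SHADOW -> accounts whose hash field is empty
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# undefined_gids PASSWD GROUP -> "user:gid" for every primary GID in PASSWD
# that no line of GROUP defines
undefined_gids() {
    printf '%s\n' "$1" | awk -F: -v groups="$2" '
        BEGIN {
            n = split(groups, line, "\n")
            for (i = 1; i <= n; i++) { split(line[i], g, ":"); known[g[3]] = 1 }
        }
        !($4 in known) { print $1 ":" $4 }'
}

# account_findings PASSWD SHADOW GROUP -> total number of findings
account_findings() {
    {
        uid0_accounts "$1"
        unshadowed_accounts "$1"
        empty_password_accounts "$2"
        undefined_gids "$1" "$3"
    } | grep -c . || true
}

echo "UID 0 besides root:    $(uid0_accounts "$SAMPLE_PASSWD")"
echo "hash in /etc/passwd:   $(unshadowed_accounts "$SAMPLE_PASSWD")"
echo "empty password:        $(empty_password_accounts "$SAMPLE_SHADOW")"
echo "primary GID undefined: $(undefined_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
echo "findings: $(account_findings "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_GROUP")"
```

Reading /etc/shadow requires root, which is also why the empty-password and shadowing checks belong in a privileged audit job rather than a user-level script.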
Verify No netrc Files Exist
Rule ID | xccdf_org.ssgproject.content_rule_no_netrc_files |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any .netrc files should be removed. |
Rationale |
Unencrypted passwords for remote FTP servers may be stored in .netrc files. DoD policy requires passwords be encrypted in storage and not used in access scripts. |
Set Password Minimum Length in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(f), IA-5(1)(a), http://iase.disa.mil/stigs/cci/Pages/index.aspx, 5.6.2.1, 3.5.7 |
Description | To specify password length requirements for new accounts,
edit the file /etc/login.defs and add or correct the following line: PASS_MIN_LEN 14 The DoD requirement is 15.
The FISMA requirement is 12.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation,
then the most restrictive must be satisfied. See the PAM section
for more information about enforcing password quality requirements.
|
Rationale | Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. |
Set Password Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(f), IA-5(1)(d), 198, SRG-OS-000075-GPOS-00043, 3.5.8 |
Description | To specify password minimum age for new accounts,
edit the file /etc/login.defs and add or correct the following line, substituting DAYS appropriately: PASS_MIN_DAYS DAYS A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. |
Rationale |
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat
the password reuse or history enforcement requirement. If users are allowed to immediately
and continually change their password, then the password could be repeatedly changed in a
short period of time to defeat the organization's policy regarding password reuse.
|
OVAL details | Items found satisfying: the value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs |
Set Password Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(f), IA-5(g), IA-5(1)(d), 199, SRG-OS-000076-GPOS-00044, Req-8.2.4, 7.1.1, 5.6.2.1, 3.5.6 |
Description | To specify password maximum age for new accounts,
edit the file /etc/login.defs and add or correct the following line, substituting DAYS appropriately: PASS_MAX_DAYS DAYS A value of 180 days is sufficient for many environments. The DoD requirement is 60. |
Rationale |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
|
OVAL details | Items found satisfying: the value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs |
Set Password Warning Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct the following line, substituting DAYS appropriately: PASS_WARN_AGE DAYS The DoD requirement is 7. |
Rationale | Setting the password warning age enables users to make the change at a practical time. |
Set Account Expiration Following Inactivity
Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-2(2), AC-2(3), IA-4(e), 795, SRG-OS-000118-GPOS-00060, Req-8.1.4, 3.5.6 |
Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd: INACTIVE=0 A value of 0 disables the account as soon as its password expires, and -1 turns the feature off. A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users. This default applies to accounts created afterwards; existing accounts are adjusted with chage -I.
|
Rationale | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
OVAL details | Items found satisfying: the value of the INACTIVE parameter should be set appropriately in /etc/default/useradd |
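The five aging rules above (PASS_MIN_LEN, PASS_MIN_DAYS, PASS_MAX_DAYS, PASS_WARN_AGE in /etc/login.defs and INACTIVE in /etc/default/useradd) share one parsing problem, the two key/value syntaxes, and one evaluation problem, a value being acceptable only inside a range, since 0, -1 and 99999 each switch a control off. As an added example that is not part of the SSG content or of this report, the POSIX shell script below checks both files against the DoD values quoted in the rules; the sample file contents, the range bounds and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: check password-aging defaults in /etc/login.defs and the
# INACTIVE default in /etc/default/useradd. File contents are constructed.

SAMPLE_LOGIN_DEFS='# constructed /etc/login.defs excerpt (vendor-like defaults)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         1000'

SAMPLE_USERADD='# constructed /etc/default/useradd
GROUP=100
INACTIVE=-1
SHELL=/bin/bash'

FIXED_LOGIN_DEFS='PASS_MAX_DAYS 60
PASS_MIN_DAYS 1
PASS_MIN_LEN 15
PASS_WARN_AGE 7'

FIXED_USERADD='INACTIVE=35'

# defs_value CONTENT KEY -> value of the last uncommented "KEY value" or
# "KEY=value" line (login.defs separates with blanks, useradd with "=")
defs_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            line = $0
            sub(/#.*$/, "", line)
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && f[1] == key) val = f[2]
        }
        END { print val }'
}

# check_range KEY VALUE LOW HIGH -> "KEY=VALUE ok" when LOW <= VALUE <= HIGH,
# otherwise a FAIL line; a missing or non-integer value always fails
check_range() {
    key=$1; value=$2; low=$3; high=$4
    case ${value#-} in
        ''|*[!0-9]*) echo "$key=$value FAIL (not set or not an integer)"; return 0 ;;
    esac
    if [ "$value" -ge "$low" ] && [ "$value" -le "$high" ]; then
        echo "$key=$value ok"
    else
        echo "$key=$value FAIL (want $low..$high)"
    fi
}

# login_defs_audit LOGIN_DEFS USERADD -> one line per setting. Bounds assumed
# here: minimum length, minimum age and warning age have a floor only;
# maximum age must be positive (0 and 99999 effectively disable expiry);
# INACTIVE may be 0 (disable at expiry) up to the recommended 35, -1 is off.
login_defs_audit() {
    check_range PASS_MIN_LEN  "$(defs_value "$1" PASS_MIN_LEN)"  15 99999
    check_range PASS_MIN_DAYS "$(defs_value "$1" PASS_MIN_DAYS)" 1  99999
    check_range PASS_MAX_DAYS "$(defs_value "$1" PASS_MAX_DAYS)" 1  60
    check_range PASS_WARN_AGE "$(defs_value "$1" PASS_WARN_AGE)" 7  99999
    check_range INACTIVE      "$(defs_value "$2" INACTIVE)"      0  35
}

# login_defs_failures LOGIN_DEFS USERADD -> number of FAIL lines
login_defs_failures() {
    login_defs_audit "$1" "$2" | grep -c FAIL || true
}

login_defs_audit "$SAMPLE_LOGIN_DEFS" "$SAMPLE_USERADD"
echo "failures: $(login_defs_failures "$SAMPLE_LOGIN_DEFS" "$SAMPLE_USERADD")"
echo "failures after fix: $(login_defs_failures "$FIXED_LOGIN_DEFS" "$FIXED_USERADD")"
```

These defaults only affect accounts created after the change. Existing accounts keep the aging fields already in /etc/shadow, which chage -m, -M, -W and -I adjust per user, so a compliant login.defs on its own does not make a host compliant.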
Ensure All Accounts on the System Have Unique Names
Rule ID | xccdf_org.ssgproject.content_rule_account_unique_name |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | Change usernames, or delete accounts, so each has a unique name. |
Rationale | Unique usernames allow for accountability on the system. |
Assign Expiration Date to Temporary Accounts
Rule ID | xccdf_org.ssgproject.content_rule_account_temp_expire_date |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description |
Temporary accounts are established as part of normal account activation procedures
when there is a need for short-term accounts. In the event temporary
or emergency accounts are required, configure the system to terminate
them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting USER and YYYY-MM-DD appropriately: $ sudo chage -E YYYY-MM-DD USER Here YYYY-MM-DD is the documented expiration date for the account.
For U.S. Government systems, the operating system must be configured to automatically terminate
these types of accounts after a period of 72 hours.
|
Rationale |
If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
Set Password Retry Prompts Permitted Per-Session
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: CM-6(b), IA-5(c), 366, 6.3.2, SRG-OS-000480-GPOS-00225, 5.5.3 |
Description | To configure the number of retry prompts that are permitted per-session, edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=3, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. |
Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. |
OVAL details | Items not found violating: check the configuration of /etc/pam.d/system-auth (Object oval:ssg-obj_password_pam_cracklib_retry:obj:1 of type textfilecontent54_object; State oval:ssg-state_password_pam_retry:ste:1 of type textfilecontent54_state) |
Items found violating: check the configuration of /etc/pam.d/system-auth (2 items) |
Remediation | Shell script provided by the report (collapsed in the original) |
Set Password Maximum Consecutive Repeating Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5, IA-5(c), 195, SRG-OS-000072-GPOS-00040 |
Description | The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it rejects passwords which contain more than that number of identical consecutive characters. Set maxrepeat in /etc/security/pwquality.conf accordingly; the DoD requirement is maxrepeat=3. |
Rationale |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5, IA-5(c), 195, SRG-OS-000072-GPOS-00040 |
Description | The pam_pwquality module's maxclassrepeat parameter controls the maximum number of consecutive characters of the same character class (upper-case, lower-case, digit or special) allowed in a new password. Set maxclassrepeat in /etc/security/pwquality.conf accordingly; the DoD requirement is maxclassrepeat=4. |
Rationale |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password Strength Minimum Digit Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(1)(a), IA-5(b), IA-5(c), 194, SRG-OS-000071-GPOS-00039, Req-8.2.3, 6.3.2 |
Description | The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality grants one additional length credit for each digit, up to that number. Set dcredit in /etc/security/pwquality.conf to require the use of digits; the DoD requirement is dcredit=-1 (at least one digit). |
Rationale |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password Minimum Length
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(1)(a), 205, SRG-OS-000078-GPOS-00046, Req-8.2.3, 6.3.2 |
Description | The pam_pwquality module's minlen parameter controls the minimum number of characters required in a new password. Set minlen in /etc/security/pwquality.conf to the required length; the DoD requirement is minlen=15. Note that when any credit parameter is positive, minlen is compared against the credited length (characters plus credits), not the raw character count. |
Rationale |
The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password Strength Minimum Uppercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(b), IA-5(c), IA-5(1)(a), 192, SRG-OS-000069-GPOS-00037, Req-8.2.3, 6.3.2 |
Description | The pam_pwquality module's ucredit parameter controls requirements for usage of upper-case letters in a password. When set to a negative number, any password will be required to contain that many upper-case letters. When set to a positive number, pam_pwquality grants one additional length credit for each upper-case letter, up to that number. Set ucredit in /etc/security/pwquality.conf to require the use of upper-case letters; the DoD requirement is ucredit=-1 (at least one). |
Rationale |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password Strength Minimum Special Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(b), IA-5(c), IA-5(1)(a), 1619, SRG-OS-000266-GPOS-00101 |
Description | The pam_pwquality module's ocredit parameter controls requirements for usage of special (non-alphanumeric) characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality grants one additional length credit for each special character, up to that number. Set ocredit in /etc/security/pwquality.conf to require the use of special characters; the DoD requirement is ocredit=-1 (at least one). |
Rationale |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password Strength Minimum Lowercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(b), IA-5(c), IA-5(1)(a), 193, SRG-OS-000070-GPOS-00038, Req-8.2.3 |
Description | The pam_pwquality module's lcredit parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case letters. When set to a positive number, pam_pwquality grants one additional length credit for each lower-case letter, up to that number. Set lcredit in /etc/security/pwquality.conf to require the use of lower-case letters; the DoD requirement is lcredit=-1 (at least one). |
Rationale |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password Strength Minimum Different Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5(b), IA-5(c), IA-5(1)(b), 195, SRG-OS-000072-GPOS-00040 |
Description | The pam_pwquality module's difok parameter sets the number of characters in a new password that must not be present in the old password during a password change. Set difok in /etc/security/pwquality.conf to require differing characters when changing passwords; the DoD requirement is difok=8. |
Rationale |
Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
Set Password Strength Minimum Different Categories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: IA-5, 195, SRG-OS-000072-GPOS-00040 |
Description | The pam_pwquality module's minclass parameter controls the number of different character classes that must be present in a new password. The classes are: * Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation). Modify the minclass setting in /etc/security/pwquality.conf to require 4
differing categories of characters when changing passwords.
|
Rationale |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
|
OVAL details | Items found satisfying: check the configuration of /etc/security/pwquality.conf |
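The pwquality rules above (minlen, the four credit parameters, minclass, maxrepeat and maxclassrepeat) are easier to reason about when the scoring can be exercised against candidate passwords without touching a host's PAM stack. The POSIX shell function below is an added example, not part of the SSG content or of this report and not pam_pwquality's own code: it re-implements the documented credit and run semantics of those parameters in awk, with the DoD values quoted in the rules as its assumed settings. difok and the dictionary checks are not modelled, since they need the old password and cracklib; the candidate passwords, the variable and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: re-implementation of the pam_pwquality length, credit,
# class and repeat rules, for testing candidate passwords against a setting
# set. This follows the documented pam_pwquality semantics but is not the
# library's code. Settings below are the DoD values quoted in the rules.

PWQ_MINLEN=15
PWQ_DCREDIT=-1; PWQ_UCREDIT=-1; PWQ_LCREDIT=-1; PWQ_OCREDIT=-1
PWQ_MINCLASS=4
PWQ_MAXREPEAT=3
PWQ_MAXCLASSREPEAT=4

# pwquality_check PASSWORD -> "ok" or the first failing requirement.
# The password travels via the environment so that backslashes and other
# special characters reach awk unchanged.
pwquality_check() {
    PW="$1" awk -v minlen="$PWQ_MINLEN" -v minclass="$PWQ_MINCLASS" \
        -v maxrepeat="$PWQ_MAXREPEAT" -v maxclassrepeat="$PWQ_MAXCLASSREPEAT" \
        -v dcredit="$PWQ_DCREDIT" -v ucredit="$PWQ_UCREDIT" \
        -v lcredit="$PWQ_LCREDIT" -v ocredit="$PWQ_OCREDIT" '
    # class of one character: d(igit), u(pper), l(ower) or o(ther)
    function cls(c) {
        if (c ~ /[0-9]/) return "d"
        if (c ~ /[A-Z]/) return "u"
        if (c ~ /[a-z]/) return "l"
        return "o"
    }
    BEGIN {
        pw = ENVIRON["PW"]; n = length(pw)
        credit["d"] = dcredit; credit["u"] = ucredit
        credit["l"] = lcredit; credit["o"] = ocredit
        label["d"] = "digit(s)"; label["u"] = "upper-case letter(s)"
        label["l"] = "lower-case letter(s)"; label["o"] = "special character(s)"
        # one pass: count each class and watch the two kinds of runs
        for (i = 1; i <= n; i++) {
            c = substr(pw, i, 1); k = cls(c); count[k]++
            if (c == prevc) run++; else { run = 1; prevc = c }
            if (run > maxrepeat) {
                print "more than " maxrepeat " identical consecutive characters"; exit
            }
            if (k == prevk) crun++; else { crun = 1; prevk = k }
            if (crun > maxclassrepeat) {
                print "more than " maxclassrepeat " consecutive characters of one class"; exit
            }
        }
        # credits: a negative value is a minimum count of that class; a
        # positive value adds up to that many characters of the class to the
        # credited length that minlen is compared against
        score = n; classes = 0
        split("d u l o", order, " ")
        for (j = 1; j <= 4; j++) {
            k = order[j]
            if (count[k] > 0) classes++
            if (credit[k] < 0 && count[k] < -credit[k]) {
                print "needs at least " (-credit[k]) " " label[k]; exit
            }
            if (credit[k] > 0) score += (count[k] < credit[k] ? count[k] : credit[k])
        }
        if (score < minlen) { print "shorter than minlen " minlen " (credited length " score ")"; exit }
        if (classes < minclass) { print "only " classes " character classes, minclass is " minclass; exit }
        print "ok"
    }'
}

# constructed candidates, chosen to trip each rule in turn
for candidate in 'Aa1!Bb2@Cc3#Dd4$' 'Tr0ub4dor&3' 'correct horse battery staple' \
                 'Aaaaa1!Bb2@Cc3#Dd4' 'aB3aB3aB3aB3aB3a'; do
    echo "$candidate -> $(pwquality_check "$candidate")"
done
```

Two things this makes visible before the settings are rolled out: with all credits negative the credited length equals the raw length, so minlen=15 really means fifteen characters, and with maxclassrepeat=4 a lowercase passphrase is rejected at its fifth letter, before length is even considered.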
Set Deny For Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-7(b), 2238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.6, 6.3.3, 5.5.3, 3.1.8 |
Description |
To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny=N unlock_time=T fail_interval=I ; add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny=N unlock_time=T fail_interval=I ; and add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so Here N is the number of consecutive failures permitted before the lock (the DoD requirement is 3), T the lockout duration and I the window over which failures are counted, both in seconds.
|
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. |
OVAL details | Items found satisfying: pam_faillock.so preauth silent present in /etc/pam.d/system-auth |
Items found satisfying: maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail) |
Items found satisfying: pam_faillock.so is called in the account phase of /etc/pam.d/system-auth |
Items found satisfying: pam_faillock.so preauth silent present in /etc/pam.d/password-auth |
Items found satisfying: maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail) |
Items found satisfying: pam_faillock.so is called in the account phase of /etc/pam.d/password-auth |
Set Lockout Time For Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-7(b), 2238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.7, 6.3.3, 5.5.3, 3.1.8 |
Description |
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: add the following line immediately before the pam_unix.so statement in the AUTH section: auth required pam_faillock.so preauth silent deny=N unlock_time=T fail_interval=I ; add the following line immediately after the pam_unix.so statement in the AUTH section: auth [default=die] pam_faillock.so authfail deny=N unlock_time=T fail_interval=I ; and add the following line immediately before the pam_unix.so statement in the ACCOUNT section: account required pam_faillock.so Here T is the number of seconds after which the lock is lifted automatically; with unlock_time=0 the lock is never lifted, so the account stays locked until an administrator runs faillock --user USER --reset.
|
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. |
OVAL details | Items found satisfying: preauth unlock_time in /etc/pam.d/system-auth |
Items found satisfying: authfail unlock_time in /etc/pam.d/system-auth |
Items found satisfying: authfail unlock_time in /etc/pam.d/password-auth |
Items found satisfying: preauth unlock_time in /etc/pam.d/password-auth |
Configure the root Account for Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-7(b), 2238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 |
Description |
To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth so that the preauth and authfail pam_faillock.so lines in the AUTH section carry even_deny_root in addition to deny=N, unlock_time=T and fail_interval=I: auth required pam_faillock.so preauth silent deny=N even_deny_root unlock_time=T fail_interval=I and auth [default=die] pam_faillock.so authfail deny=N even_deny_root unlock_time=T fail_interval=I Without even_deny_root, pam_faillock exempts the root account from lockout.
|
Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
OVAL details | Items found violating: pam_faillock.so preauth silent present in /etc/pam.d/system-auth |
Items not found violating: maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail) (Object oval:ssg-object_pam_faillock_authfail_deny_root_system-auth:obj:1 of type textfilecontent54_object) |
Items found violating: pam_faillock.so preauth silent present in /etc/pam.d/password-auth |
Items not found violating: maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail) (Object oval:ssg-object_pam_faillock_authfail_deny_root_password-auth:obj:1 of type textfilecontent54_object) |
Remediation | Shell script provided by the report (collapsed in the original) |
Set Interval For Counting Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-7(b), 2238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 |
Description |
Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login attempts within a given time window. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth so that the preauth and authfail pam_faillock.so lines in the AUTH section carry fail_interval=I, where I is the window in seconds during which consecutive failures are counted; the DoD requirement is 900 (15 minutes).
|
Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
OVAL details | Items found satisfying: preauth fail_interval in /etc/pam.d/system-auth |
Items found satisfying: authfail fail_interval in /etc/pam.d/system-auth |
Items found satisfying: authfail fail_interval in /etc/pam.d/password-auth |
Items found satisfying: preauth fail_interval in /etc/pam.d/password-auth |
Limit Password Reuse
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: IA-5(f), IA-5(1)(e), 200, SRG-OS-000077-GPOS-00045, Req-8.2.5, 6.3.4, 5.6.2.1.1, 3.5.8
Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
OVAL details | Items found satisfying Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth:
Items not found satisfying Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth: Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state
Set PAM's Password Hashing Algorithm
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11
Description | The PAM system service can be configured to only store encrypted representations of passwords.
In password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
OVAL details | Items found satisfying check /etc/pam.d/system-auth for correct settings:
Set Password Hashing Algorithm in /etc/login.defs
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11
Description | In ENCRYPT_METHOD SHA512
Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
OVAL details | Items found satisfying The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs:
Set Password Hashing Algorithm in /etc/libuser.conf
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 5.6.2.2, 3.13.11
Description | In crypt_style = sha512
Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
OVAL details | Items found satisfying The password hashing algorithm should be set correctly in /etc/libuser.conf:
Set Last Logon/Access Notification
Rule ID | xccdf_org.ssgproject.content_rule_display_login_attempts
Result | pass
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References | References: AC-9, 366, Req-10.2.4, SRG-OS-000480-GPOS-00227, 5.5.2
Description | To configure the system to notify users of last logon/access using
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
Rationale | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
OVAL details | Items found satisfying Check the pam_lastlog configuration of /etc/pam.d/postlogin:
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Rule ID | xccdf_org.ssgproject.content_rule_root_path_no_dot
Result | notselected
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References |
Description | Ensure that none of the directories in root's path is equal to a single
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character.
Rationale | Including these entries increases the risk that root could execute code from an untrusted location.
Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
Result | notselected
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References |
Description | For each element in root's path, run:
# ls -ld DIR
and ensure that write permissions are disabled for group and other.
Rationale | Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.
Ensure the Default Bash Umask is Set Correctly
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
Result | notselected
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References |
Description | To ensure the default umask for users of the Bash shell is set properly, add or correct the umask 077
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Ensure the Default C Shell Umask is Set Correctly
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
Result | notselected
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References |
Description | To ensure the default umask for users of the C shell is set properly, add or correct the umask 077
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Ensure the Default Umask is Set Correctly in /etc/profile
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
Result | notselected
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References |
Description | To ensure the default umask controlled by umask 077
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
Ensure the Default Umask is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
Result | pass
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References | References: CM-6(b), SA-8, 366, SRG-OS-000480-GPOS-00228
Description | To ensure the default umask controlled by UMASK 077
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
OVAL details | Items found satisfying Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement:
Ensure Home Directories are Created for New Users
Rule ID | xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
Result | fail
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: SRG-OS-000480-GPOS-00227
Description | All local interactive user accounts, upon creation, should be assigned a home directory.
CREATE_HOME yes
Rationale | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
OVAL details | Items not found violating Check value of CREATE_HOME in /etc/login.defs: Object oval:ssg-obj_accounts_have_homedir_login_defs:obj:1 of type textfilecontent54_object
Set Interactive Session Timeout
Rule ID | xccdf_org.ssgproject.content_rule_accounts_tmout
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: AC-12, SC-10, 1133, 0361, SRG-OS-000163-GPOS-00072, 3.1.11
Description | Setting the TMOUT=600
Rationale | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
OVAL details | Items found satisfying TMOUT in /etc/profile:
Items not found satisfying TMOUT in /etc/profile.d/*.sh: Object oval:ssg-object_etc_profiled_tmout:obj:1 of type textfilecontent54_object
State oval:ssg-state_etc_profile_tmout:ste:1 of type textfilecontent54_state
Limit the Number of Concurrent Login Sessions Allowed Per User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions
Result | pass
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References | References: AC-10, 54, SRG-OS-000027-GPOS-00008
Description | Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in
* hard maxlogins 10
Rationale | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
OVAL details | Items not found satisfying the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf: Object oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1 of type textfilecontent54_object
State oval:ssg-state_maxlogins:ste:1 of type textfilecontent54_state
Items not found satisfying the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf: Object oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1 of type textfilecontent54_object
Items found satisfying the value maxlogins should be set appropriately in /etc/security/limits.conf:
Ensure the Logon Failure Delay is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
Result | pass
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References | References: CM-6(b), 366, SRG-OS-000480-GPOS-00226
Description | To ensure the logon failure delay controlled by FAIL_DELAY 4
Rationale | Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
OVAL details | Items found satisfying check FAIL_DELAY in /etc/login.defs:
Verify /boot/grub2/grub.cfg User Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg
Result | notselected
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References |
Description | The file
$ sudo chown root /boot/grub2/grub.cfg
Rationale | Only root should be able to modify important boot parameters.
Verify /boot/grub2/grub.cfg Group Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg
Result | notselected
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References |
Description | The file
$ sudo chgrp root /boot/grub2/grub.cfg
Rationale | The
Set Boot Loader Password
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_password
Result | fail
Time | 2017-10-21T14:39:49
Severity | high
Identifiers and References | References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-000080-GPOS-00048, 1.5.3, 3.4.5
Description | The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):
password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to
Warnings | To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
OVAL details | Items found violating /boot/grub2/grub.cfg does not exist:
Items not found violating make sure a password is defined in /boot/grub2/grub.cfg: Object oval:ssg-object_bootloader_password:obj:1 of type textfilecontent54_object
Items not found violating superuser is defined in /boot/grub2/grub.cfg files. Superuser is not root, admin, or administrator: Object oval:ssg-object_bootloader_superuser:obj:1 of type textfilecontent54_object
Set the UEFI Boot Loader Password
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_uefi_password
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: AC-3, 213, SRG-OS-000080-GPOS-00048, 3.4.5
Description | The UEFI grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):
password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to
Warnings | To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
OVAL details | Items not found satisfying /boot/efi/EFI/redhat/grub.cfg does not exist: Object oval:ssg-object_bootloader_uefi_grub_cfg:obj:1 of type file_object
Items not found satisfying make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg: Object oval:ssg-object_bootloader_uefi_password:obj:1 of type textfilecontent54_object
Items not found satisfying superuser is defined in /boot/efi/EFI/redhat/grub.cfg. Superuser is not root, admin, or administrator: Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type textfilecontent54_object
Install the screen Package
Rule ID | xccdf_org.ssgproject.content_rule_package_screen_installed
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: AC-11(a), 57, SRG-OS-000029-GPOS-00010, 3.1.10
Description | To enable console screen locking, install the
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination: ctrl+a x
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
OVAL details | Items found satisfying package screen is installed:
Enable Smart Card Login
Rule ID | xccdf_org.ssgproject.content_rule_smartcard_auth
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: IA-2(2), 765, 766, 767, 768, 771, 772, 884, Req-8.3, SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058
Description | To enable smart card authentication, consult the documentation at: For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
Rationale | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.
OVAL details | Items found satisfying Test ocsp_on in /etc/pam_pkcs11/pkcs11.conf:
Items found satisfying Test smartcard authentication is enabled in /etc/pam.d/system-auth file:
Items not found satisfying Test smartcard authentication is required in /etc/pam.d/system-auth file: Object oval:ssg-object_smart_card_required_system_auth:obj:1 of type textfilecontent54_object
Items found satisfying Test smartcard authentication is required in /etc/pam.d/smartcard-auth file:
Require Authentication for Single User Mode
Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth
Result | notselected
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References |
Description | Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
Disable debug-shell SystemD Service
Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Result | notselected
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: 3.4.5
Description | SystemD's
$ sudo systemctl disable debug-shell.service
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
Disable Ctrl-Alt-Del Reboot Activation
Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
Result | pass
Time | 2017-10-21T14:39:49
Severity | high
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227, 3.4.5
Description | By default,
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Warnings | Disabling the Ctrl-Alt-Del key sequence with SystemD DOES NOT disable the Ctrl-Alt-Del key sequence if running in graphical.target mode (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical multi-user.target mode.
OVAL details | Items found satisfying Disable Ctrl-Alt-Del key sequence override exists:
Verify that Interactive Boot is Disabled
Rule ID | xccdf_org.ssgproject.content_rule_disable_interactive_boot
Result | notselected
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References |
Description | Red Hat Enterprise Linux systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 7 system, interactive boot can be enabled by providing a systemd.confirm_spawn=(1|yes|true|on) from the kernel arguments in that file to disable interactive boot.
Rationale | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Warnings | The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
Disable Kernel Parameter for Sending ICMP Redirects by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result | fail
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: AC-4, CM-7, SC-5, SC-7, 366, 4.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.send_redirects = 0
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
Remediation | Shell script
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result | fail
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: AC-4, CM-7, SC-5(1), 366, 4.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
Remediation | Shell script
Disable Kernel Parameter for IP Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
Result | fail
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: CM-7, SC-5, SC-32, 366, 4.1.1, SRG-OS-000480-GPOS-00227, 3.1.20
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 0
Rationale | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
Remediation | Shell script
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: AC-4, CM-7, SC-5, 366, SRG-OS-000480-GPOS-00227, 4.2.1, 3.1.20
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0
Rationale | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result | fail
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: CM-6(d), CM-7, SC-5, 366, 1503, 1551, 4.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Remediation | Shell script
Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
Result | notselected
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References |
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects = 0
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
Configure Kernel Parameter to Log Martian Packets
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
Result | notselected
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References |
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1
Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Configure Kernel Parameter to Log Martian Packets By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
Result | notselected
Time | 2017-10-21T14:39:49
Severity | low
Identifiers and References |
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.log_martians = 1
Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Configure Kernel Parameter for Accepting Source-Routed Packets By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result | pass
Time | 2017-10-21T14:39:49
Severity | medium
Identifiers and References | References: AC-4, CM-7, SC-5, SC-7, 366, 1551, SRG-OS-000480-GPOS-00227, 4.2.1, 5.10.1.1, 3.1.20
Description | To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_source_route = 0
Rationale | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Configure Kernel Parameter for Accepting ICMP Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-4, CM-7, SC-5, SC-7, 1551, 4.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Configure Kernel Parameter for Accepting Secure Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-4, CM-7, SC-5, 366, SRG-OS-000480-GPOS-00227, 4.2.5, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. |
Configure Kernel Parameter to Ignore Bogus ICMP Error Responses
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Rationale | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Configure Kernel Parameter to Use Reverse Path Filtering by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Disable WiFi or Bluetooth in BIOS
Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_in_bios |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85 |
Description | Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot. |
Rationale | Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first. |
Deactivate Wireless Network Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 4.3.1, 3.1.16 |
Description | Deactivating wireless network interfaces should prevent normal usage of the wireless capability.
$ ifconfig -a
Additionally, the following command may be used to determine whether wireless support is included for a particular interface, though this may not always be a clear indicator:
$ iwconfig
After identifying any wireless interfaces (which may have names like wlan0 , ath0 , wifi0 , em1 or eth0 ), deactivate the interface with the command:
$ sudo ifdown interface
These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts :
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface |
Rationale | Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind. |
Disable Bluetooth Service
Rule ID | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 1551, 3.1.16 |
Description |
The
$ sudo systemctl disable bluetooth.service
$ sudo service bluetooth stop |
Rationale | Disabling the |
Disable Bluetooth Kernel Modules
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 1551, 5.13.1.3, 3.1.16 |
Description | The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate
install bluetooth /bin/true |
Rationale | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
Disable IPv6 Networking Support Automatic Loading
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | To disable support for (
net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces as other services and system functionality require the IPv6 stack loaded to work. |
Rationale | Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. |
Disable Interface Usage of IPv6
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | To disable interface usage of IPv6, add or correct the following lines in
NETWORKING_IPV6=no
IPV6INIT=no |
Disable Support for RPC IPv6
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | RPC services for NFSv4 try to load transport modules for
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - - |
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-4, 366, SRG-OS-000480-GPOS-00227, 3.1.20 |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. |
Configure Accepting IPv6 Router Advertisements
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.all.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Configure Accepting IPv6 Router Advertisements
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Configure Accepting IPv6 Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.all.accept_redirects = 0 |
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Configure Accepting IPv6 Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_redirects = 0 |
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
Disable Kernel Parameter for IPv6 Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.all.forwarding = 0 |
Rationale | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. |
Manually Assign Global IPv6 Address
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_static_address |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: 366 |
Description | To manually assign an IP address for an interface, edit the file
IPV6ADDR=2001:0DB8::ABCD/64
Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849. |
Use Privacy Extensions for Address
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in
IPV6_PRIVACY=rfc3041
Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied. |
Manually Assign IPv6 Router Address
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: 366 |
Description | Edit the file
IPV6_DEFAULTGW=2001:0DB8::0001
Router addresses should be manually set and not accepted via any auto-configuration or router advertisement. |
Verify firewalld Enabled
Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: CM-6(b), 366, 4.7, SRG-OS-000480-GPOS-00227, 3.1.3, 3.4.7 |
Description |
The
$ sudo systemctl enable firewalld.service |
Rationale | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
OVAL details | Items found satisfying systemd test: |
Set Default firewalld Zone for Incoming Packets
Rule ID | xccdf_org.ssgproject.content_rule_set_firewalld_default_zone |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: CM-6(b), CM-7, 366, SRG-OS-000480-GPOS-00227, 5.10.1, 3.1.3, 3.4.7, 3.13.6 |
Description | To set the default zone to
DefaultZone=drop |
Rationale | In |
OVAL details | Items found satisfying Check /etc/firewalld/firewalld.conf DefaultZone for drop: |
Disable DCCP Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx, 4.6.1, 5.10.1, 3.4.6 |
Description |
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the
install dccp /bin/true |
Rationale | Disabling DCCP protects the system against exploitation of any flaws in its implementation. |
Disable SCTP Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx, 4.6.2, 5.10.1, 3.4.6 |
Description |
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the
install sctp /bin/true |
Rationale | Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
Install libreswan Package
Rule ID | xccdf_org.ssgproject.content_rule_package_libreswan_installed |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The
$ sudo yum install libreswan |
Rationale | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. |
Verify Any Configured IPSec Tunnel Connections
Rule ID | xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels |
Result | notchecked |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-4, 336, SRG-OS-000480-GPOS-00227 |
Description | Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection ( |
Rationale | IP tunneling mechanisms can be used to bypass network filtering. |
Disable Client Dynamic DNS Updates
Rule ID | xccdf_org.ssgproject.content_rule_network_disable_ddns_interfaces |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: CM-6(b), 366, SRG-OS-000480-GPOS-00227 |
Description |
Dynamic DNS allows clients to dynamically update their own DNS records. The updates are transmitted by unencrypted means which can reveal information to a potential malicious user. If the system does not require Dynamic DNS, remove all |
Rationale | Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed. |
Disable Zeroconf Networking
Rule ID | xccdf_org.ssgproject.content_rule_network_disable_zeroconf |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in
NOZEROCONF=yes |
Rationale | Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server. |
Configure Multiple DNS Servers in /etc/resolv.conf
Rule ID | xccdf_org.ssgproject.content_rule_network_configure_name_resolution |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: SC-22, 366, SRG-OS-000480-GPOS-00227 |
Description | Multiple Domain Name System (DNS) Servers should be configured in
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2 |
Rationale | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. |
OVAL details | Items not found violating check if more than one nameserver in /etc/resolv.conf: Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type textfilecontent54_object |
Ensure System is Not Acting as a Network Sniffer
Rule ID | xccdf_org.ssgproject.content_rule_network_sniffer_disabled |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: CM-7, CM-7(2).1(i), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, MA-3, 366, SRG-OS-000480-GPOS-00227 |
Description | The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC |
Rationale | Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. |
OVAL details | Items not found satisfying random: Object oval:ssg-object_promisc_interfaces:obj:1 of type interface_object; State oval:ssg-state_promisc:ste:1 of type interface_state |
Ensure Log Files Are Owned By Appropriate User
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-6, SI-11, 1314, Req-10.5.1, Req-10.5.2 |
Description | The owner of all log files written by
$ ls -l LOGFILE
If the owner is not root , run the following command to correct this:
$ sudo chown root LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
Ensure Log Files Are Owned By Appropriate Group
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AC-6, SI-11, 1314, Req-10.5.1, Req-10.5.2 |
Description | The group-owner of all log files written by
$ ls -l LOGFILE
If the owner is not root , run the following command to correct this:
$ sudo chgrp root LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
Ensure cron Is Logging To Rsyslog
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | References: AU-2(d), 366, SRG-OS-000480-GPOS-00227 |
Description | Cron logging must be implemented to spot intrusions or trace cron job status. If
cron.* /var/log/cron |
Rationale | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. |
OVAL details | Items found satisfying cron is configured in /etc/rsyslog.conf: Items not found satisfying cron is configured in /etc/rsyslog.d: Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type textfilecontent54_object |
Ensure Logs Sent To Remote Host
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
Result | fail |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: AU-3(2), AU-4(1), AU-9, 366, 1348, 136, 1851, 5.1.5, SRG-OS-000480-GPOS-00227 |
Description | To configure rsyslog to send logs to a remote log server, open
*.* @loghost.example.com
To use TCP for log message delivery:
*.* @@loghost.example.com
To use RELP for log message delivery:
*.* :omrelp:loghost.example.com |
Rationale | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. |
OVAL details | Items not found violating Ensures system configured to export logs to remote host: Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type textfilecontent54_object; Items not found violating Ensures system configured to export logs to remote host: Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object |
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_nolisten |
Result | pass |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | References: AU-9(2), AC-4, CM-6(c), 318, 368, 1812, 1813, 1814, SRG-OS-000480-GPOS-00227 |
Description | The
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port |
Rationale | Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. |
OVAL details | Items not found satisfying Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun: Object oval:ssg-object_rsyslog_nolisten:obj:1 of type textfilecontent54_object |
Ensure Logrotate Runs Periodically
Rule ID | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | The
# rotate log files frequency
daily |
Rationale | Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. |
Configure Logwatch HostLimit Line
Rule ID | xccdf_org.ssgproject.content_rule_logwatch_configured_hostlimit |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The
HostLimit = no |
Configure Logwatch SplitHosts Line
Rule ID | xccdf_org.ssgproject.content_rule_logwatch_configured_splithosts |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | If
SplitHosts = yes |
Ensure rsyslog is Installed
Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | Rsyslog is installed by default. The
$ sudo yum install rsyslog |
Rationale | The rsyslog package provides the rsyslog daemon, which provides system logging services. |
Enable rsyslog Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | medium |
Identifiers and References | |
Description | The
$ sudo systemctl enable rsyslog.service |
Rationale | The |
Disable Logwatch on Clients if a Logserver Exists
Rule ID | xccdf_org.ssgproject.content_rule_disable_logwatch_for_logserver |
Result | notselected |
Time | 2017-10-21T14:39:49 |
Severity | low |
Identifiers and References | |
Description | Does your site have a central logserver which has been configured to report on logs received from all systems? If so:
$ sudo rm /etc/cron.daily/0logwatch
If no logserver exists, it will be necessary for each system to run Logwatch individually. Using a central logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier and less time-intensive for administrators. |
Configure auditd Number of Logs Retained
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | |
Description | Determine how many log files
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |
Rationale | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
Configure auditd Max Log File Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AU-1(b), AU-11, IR-5, Req-10.7, 5.2.1.1, 5.4.1.1 |
Description | Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. |
Rationale | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AU-1(b), AU-4, AU-11, IR-5, Req-10.7, 5.2.1.3, 5.4.1.1 |
Description | The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the following line in /etc/audit/auditd.conf: max_log_file_action = ACTION Possible values for ACTION are described in the auditd.conf man page. These include ignore, syslog, suspend, rotate and keep_logs. Set ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive. |
Rationale | Automatically rotating logs (by setting this to |
Configure auditd space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AU-1(b), AU-4, AU-5(1), AU-5(b), IR-5, 1855, Req-10.7, 5.2.1.2, SRG-OS-000343-GPOS-00134, 030340, 5.4.1.1, 3.3.1 |
Description | The auditd service can be configured to take an action when disk space starts to run low. Edit /etc/audit/auditd.conf and modify the following line, substituting ACTION appropriately: space_left_action = ACTION Possible values for ACTION are described in the auditd.conf man page. Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt. |
Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
OVAL details | Items found violating space left action: |
Remediation | Shell script (not expanded in this report) |
Configure auditd admin_space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AU-1(b), AU-4, AU-5(b), IR-5, 140, 1343, Req-10.7, 5.2.1.2, 5.4.1.1, 3.3.1 |
Description | The auditd service can be configured to take an action when disk space is running low but prior to running out completely. Edit /etc/audit/auditd.conf and add or modify the following line, substituting ACTION appropriately: admin_space_left_action = ACTION Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. |
Rationale | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. |
Configure auditd mail_acct Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
Result | pass |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AU-1(b), AU-4, AU-5(1), AU-5(a), IR-5, 1855, Req-10.7.a, 5.2.1.2, SRG-OS-000343-GPOS-00134, 5.4.1.1, 3.3.1 |
Description | The auditd service can be configured to send email to a designated account in certain situations (for example, the space_left_action and admin_space_left_action email actions). Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations: action_mail_acct = root |
Rationale | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. |
OVAL details | Items found satisfying email account for actions: |
Configure auditd flush priority
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_flush |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | |
Description | The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk: flush = data |
Rationale | Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. |
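The seven auditd.conf settings above are easiest to verify together. The following script is an added example, not part of the SCAP Security Guide or its OVAL checks: it parses an auditd.conf in the "key = value" form shown above and reports each retention setting as pass, fail or missing against the values this guide recommends. The embedded configuration is a constructed sample that mirrors the report above (action_mail_acct passes, space_left_action is still the suspend default and fails).

```python
"""Added example (not part of the SCAP Security Guide): check the auditd.conf
retention settings described in this section. Assumes the 'key = value'
syntax shown above; the sample configuration below is constructed."""
import re

# Expectations taken from the rules above: num_logs >= 5, max_log_file >= 6 MB,
# max_log_file_action = rotate, space_left_action = email,
# admin_space_left_action in single/suspend/halt, action_mail_acct = root, flush = data.
EXPECTED = {
    "num_logs": lambda v: v.isdigit() and int(v) >= 5,
    "max_log_file": lambda v: v.isdigit() and int(v) >= 6,
    "max_log_file_action": lambda v: v.lower() == "rotate",
    "space_left_action": lambda v: v.lower() == "email",
    "admin_space_left_action": lambda v: v.lower() in ("single", "suspend", "halt"),
    "action_mail_acct": lambda v: v == "root",
    "flush": lambda v: v.lower() == "data",
}

# Constructed sample mirroring the report: mail account passes,
# space_left_action is still the suspend default and therefore fails.
SAMPLE_CONF = """\
# auditd.conf (constructed sample)
log_file = /var/log/audit/audit.log
num_logs = 5
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = suspend
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = single
flush = incremental_async
freq = 50
"""


def parse_auditd_conf(text):
    """Return {key: value} for 'key = value' lines. Comments ('#') and blank
    lines are skipped; keys are lower-cased because auditd ignores their case."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def check_retention(settings):
    """Compare parsed settings with EXPECTED.
    Returns {key: (status, value)} with status 'pass', 'fail' or 'missing'."""
    results = {}
    for key, ok in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            results[key] = ("missing", None)
        else:
            results[key] = ("pass" if ok(value) else "fail", value)
    return results


def rotation_effective(settings):
    """True only if logs will actually rotate: the action is rotate AND
    num_logs >= 2 (the guide notes that values below 2 disable rotation)."""
    action = settings.get("max_log_file_action", "").lower()
    num_logs = settings.get("num_logs", "0")
    return action == "rotate" and num_logs.isdigit() and int(num_logs) >= 2


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    parsed = parse_auditd_conf(text)
    for key, (status, value) in check_retention(parsed).items():
        print(f"{status:7s} {key} = {value}")
    print("log rotation effective:", rotation_effective(parsed))
```

Run it as `python3 check_auditd_conf.py /etc/audit/auditd.conf` on a live host. The separate rotation_effective check exists because max_log_file_action = rotate alone is not enough: with num_logs below 2 auditd keeps a single file, which is exactly the case the num_logs rule above warns about.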
Configure auditd to use audispd's syslog plugin
Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AU-1(b), AU-3(2), IR-5, 136, Req-10.5.3, 5.4.1.1, 3.3.1 |
Description | To configure the auditd service to use the audispd syslog plug-in, set the active line in /etc/audisp/plugins.d/syslog.conf to yes (active = yes). Then restart the auditd service: $ sudo service auditd restart |
Rationale | The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for the audit event multiplexor (audispd) to pass audit records to the local syslog server, from which rsyslog can forward them. |
Record attempts to alter time through adjtimex
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, 1487, 169, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. The -k option (equivalent to the -F key= filter used above) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
Record attempts to alter time through settimeofday
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, 1487, 169, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. The -k option (equivalent to the -F key= filter used above) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
Record Attempts to Alter Time Through stime
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_stime |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.4.2.b, 1487, 169, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file instead. Since the 64 bit version of the stime system call is not defined in the audit lookup table, the corresponding -F arch=b64 form of this rule is not expected to be defined on 64 bit systems; the -F arch=b32 rule above is sufficient on both 32 bit and 64 bit systems, where it records stime calls made by 32 bit binaries. The -k option (equivalent to the -F key= filter used above) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
Record Attempts to Alter Time Through clock_settime
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 5.2.4, Req-10.4.2.b, 1487, 169, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. The -F a0=0x0 filter restricts the rule to calls whose first argument (the clock id) is 0, that is CLOCK_REALTIME, the system wall clock; changes to other clocks are not recorded by this rule. The -k option (equivalent to the -F key= filter used above) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
Record Attempts to Alter the localtime File
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(b), IR-5, 5.2.4, Req-10.4.2.b, 1487, 169, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file instead. The -p wa permissions record writes and attribute changes to the file. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. |
Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
Record Events that Modify the System's Discretionary Access Controls - chmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. The two auid filters restrict the rule to calls made from a real login session: auid>=1000 excludes system accounts, and auid!=4294967295 excludes processes whose login UID is unset (for example daemons started at boot). |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | The check looks for the rule line in both the augenrules and auditctl locations for each architecture; no matching line was found in any of them.
Items not found violating audit augenrules 32-bit chmod: Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit chmod: Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit chmod: Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit chmod: Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - chown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect file ownership changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | Items not found violating audit augenrules 32-bit chown: Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit chown: Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit chown: Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit chown: Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - fchmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | Items not found violating audit augenrules 32-bit fchmod: Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit fchmod: Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit fchmod: Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit fchmod: Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | Items not found violating audit augenrules 32-bit fchmodat: Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit fchmodat: Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit fchmodat: Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit fchmodat: Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - fchown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect file ownership changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | Items not found violating audit augenrules 32-bit fchown: Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit fchown: Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit fchown: Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit fchown: Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - fchownat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect file ownership changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | Items not found violating audit augenrules 32-bit fchownat: Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit fchownat: Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit fchownat: Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit fchownat: Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect extended attribute changes for all users and root; extended attributes carry POSIX ACLs and SELinux labels, so removing one changes the effective access control on the file. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | Items not found violating audit augenrules 32-bit fremovexattr: Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit fremovexattr: Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit fremovexattr: Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit fremovexattr: Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect extended attribute changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file instead. |
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient. |
OVAL details | Items not found violating audit augenrules 32-bit fsetxattr: Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit fsetxattr: Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit fsetxattr: Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit fsetxattr: Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object |
Remediation | Shell script (not expanded in this report) |
Record Events that Modify the System's Discretionary Access Controls - lchown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result | fail
Time | 2017-10-21T14:39:50
Severity | low
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit lchown: Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit lchown: Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit lchown: Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit lchown: Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit lremovexattr: Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit lremovexattr: Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit lremovexattr: Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit lremovexattr: Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result | fail
Time | 2017-10-21T14:39:50
Severity | low
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit lsetxattr: Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit lsetxattr: Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit lsetxattr: Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit lsetxattr: Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Events that Modify the System's Discretionary Access Controls - removexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit removexattr: Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit removexattr: Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit removexattr: Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit removexattr: Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Events that Modify the System's Discretionary Access Controls - setxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Result | fail
Time | 2017-10-21T14:39:50
Severity | low
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 126, 172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit setxattr: Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit setxattr: Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit setxattr: Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit setxattr: Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Attempts to Alter Logon and Logout Events
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events
Result | notselected
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, 172, 2884, Req-10.2.3, 5.2.8, 5.4.1.1, 3.1.7
Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add the following lines
to a file with suffix .rules in the directory /etc/audit/rules.d in order to
watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file in order to watch for attempted manual edits of
files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
Record Attempts to Alter Logon and Logout Events - tallylog
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, 172, 2884, 126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7
Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add the following line
to a file with suffix .rules in the directory /etc/audit/rules.d in order to
watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file in order to watch for attempted manual edits of
files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL details | Items not found violating audit augenrules tallylog: Object oval:ssg-object_arle_tallylog_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl tallylog: Object oval:ssg-object_arle_tallylog_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Attempts to Alter Logon and Logout Events - faillock
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, 172, 2884, 126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7
Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add the following line
to a file with suffix .rules in the directory /etc/audit/rules.d in order to
watch for attempted manual edits of files involved in storing logon events:
-w /var/run/faillock/ -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file in order to watch for attempted manual edits of
files involved in storing logon events:
-w /var/run/faillock/ -p wa -k logins
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL details | Items not found violating audit augenrules faillock: Object oval:ssg-object_arle_faillock_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl faillock: Object oval:ssg-object_arle_faillock_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Attempts to Alter Logon and Logout Events - lastlog
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, 172, 2884, 126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7
Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add the following line
to a file with suffix .rules in the directory /etc/audit/rules.d in order to
watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file in order to watch for attempted manual edits of
files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL details | Items not found violating audit augenrules lastlog: Object oval:ssg-object_arle_lastlog_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl lastlog: Object oval:ssg-object_arle_lastlog_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
Result | notselected
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, 2884, Req-10.2.4, Req-10.2.1, 5.2.10, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following lines to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Record Unauthorized Access Attempts to Files (unsuccessful) - creat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, 2884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following lines to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_creat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_creat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_creat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_creat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Unauthorized Access Attempts to Files (unsuccessful) - open
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, 2884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following lines to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_open_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_open_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_open_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_open_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Unauthorized Access Attempts to Files (unsuccessful) - openat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, 2884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following lines to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings | Note that these rules can be configured in a number of ways while
still achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others as
identified earlier in this guide is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_openat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_openat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_openat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_openat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, 2884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7
Description | At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Unauthorized Access Attempts to Files (unsuccessful) - truncate
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, 2884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7
Description | At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_truncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_truncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_truncate_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_truncate_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, 2884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7
Description | At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL details | Items not found violating audit augenrules 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_ftruncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_ftruncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eaccess: Object oval:ssg-object_32bit_arufm_eaccess_ftruncate_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit file eperm: Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eaccess: Object oval:ssg-object_64bit_arufm_eaccess_ftruncate_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit file eperm: Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Any Attempts to Run semanage
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AU-12(c), 172, 2884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7
Description | At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules semanage: Object oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl semanage: Object oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Any Attempts to Run setsebool
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AU-12(c), 172, 2884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7
Description | At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules setsebool: Object oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl setsebool: Object oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Any Attempts to Run chcon
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AU-12(c), 172, 2884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7
Description | At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules chcon: Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl chcon: Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Record Any Attempts to Run restorecon
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon
Result | fail
Time | 2017-10-21T14:39:50
Severity | medium
Identifiers and References | References: AU-12(c), 172, 2884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7
Description | At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules restorecon: Object oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl restorecon: Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-2(4), AU-6(9), AU-12(a), AU-12(c), IR-5, 2234, SRG-OS-000327-GPOS-00127, Req-10.2.2, 5.2.10, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules suid sgid: Object oval:ssg-object_arpc_suid_sgid_augenrules:obj:1 of type textfilecontent54_object
State oval:ssg-state_audit_rules_privileged_commands:ste:1 of type textfilecontent54_state
Items found violating audit augenrules binaries count matches rules count:
Items not found violating audit auditctl suid sgid: Object oval:ssg-object_arpc_suid_sgid_auditctl:obj:1 of type textfilecontent54_object
State oval:ssg-state_audit_rules_privileged_commands:ste:1 of type textfilecontent54_state
Items found violating audit auditctl binaries count matches rules count:
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules passwd: Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl passwd: Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules unix_chkpwd: Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl unix_chkpwd: Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules gpasswd: Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl gpasswd: Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - chage
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules chage: Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl chage: Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules userhelper: Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl userhelper: Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - su
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules su: Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl su: Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules sudo: Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl sudo: Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules sudoedit: Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl sudoedit: Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
Result | notselected
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules chsh: Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl chsh: Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - umount
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules umount: Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl umount: Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules postdrop: Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl postdrop: Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules postqueue: Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl postqueue: Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules ssh_keysign: Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl ssh_keysign: Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
Result | fail
Time | 2017-10-21T14:39:58
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules pt_chown: Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl pt_chown: Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
Result | fail
Time | 2017-10-21T14:39:59
Severity | medium
Identifiers and References | References: AU-3(1), AU-12(c), 135, 172, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
OVAL details | Items not found violating audit augenrules crontab: Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl crontab: Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects File Deletion Events by User
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events
Result | notselected
Time | 2017-10-21T14:39:59
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, 5.2.14, 366, 172, 2884, 5.4.1.1, 3.1.7
Description | At a minimum, the audit system should collect file deletion events for all users and root. If the
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
Ensure auditd Collects File Deletion Events by User - rmdir
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
Result | fail
Time | 2017-10-21T14:39:59
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), 366, 172, 2884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7
Description | At a minimum, the audit system should collect file deletion events for all users and root. If the
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL details | Items not found violating audit augenrules 32-bit rmdir: Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit rmdir: Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit rmdir: Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit rmdir: Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects File Deletion Events by User - unlink
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
Result | fail
Time | 2017-10-21T14:39:59
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), 366, 172, 2884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7
Description | At a minimum, the audit system should collect file deletion events for all users and root. If the
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL details | Items not found violating audit augenrules 32-bit unlink: Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit unlink: Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit unlink: Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit unlink: Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects File Deletion Events by User - unlinkat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Result | fail
Time | 2017-10-21T14:39:59
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), 366, 172, 2884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7
Description | At a minimum, the audit system should collect file deletion events for all users and root. If the
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL details | Items not found violating audit augenrules 32-bit unlinkat: Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit unlinkat: Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit unlinkat: Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit unlinkat: Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects File Deletion Events by User - rename
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
Result | fail
Time | 2017-10-21T14:39:59
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), 366, 172, 2884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7
Description | At a minimum, the audit system should collect file deletion events for all users and root. If the
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL details | Items not found violating audit augenrules 32-bit rename: Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit rename: Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit rename: Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit rename: Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects File Deletion Events by User - renameat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
Result | fail
Time | 2017-10-21T14:39:59
Severity | medium
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), 366, 172, 2884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7
Description | At a minimum, the audit system should collect file deletion events for all users and root. If the
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL details | Items not found violating audit augenrules 32-bit renameat: Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit renameat: Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit renameat: Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit renameat: Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
Remediation | Shell script
Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.7, 5.2.17, 172, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - init_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture kernel module loading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S init_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture kernel module loading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S init_module -F key=modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
OVAL details Items not found violating audit augenrules 32-bit init_module:Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit init_module:Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit init_module:Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit init_module:Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type textfilecontent54_object
Ensure auditd Collects Information on Kernel Module Loading and Unloading - delete_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture kernel module unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture kernel module unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S delete_module -F key=modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
OVAL details Items not found violating audit augenrules 32-bit delete_module:Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules 64-bit delete_module:Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 32-bit delete_module:Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl 64-bit delete_module:Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type textfilecontent54_object
Ensure auditd Collects Information on Kernel Module Loading and Unloading - insmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture executions of the insmod utility:
-w /usr/sbin/insmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture executions of the insmod utility:
-w /usr/sbin/insmod -p x -k modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
OVAL details Items not found violating audit augenrules insmod:Object oval:ssg-object_audit_rule_kernel_module_loading_insmod_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl insmod:Object oval:ssg-object_audit_rule_kernel_module_loading_insmod_auditctl:obj:1 of type textfilecontent54_object
Ensure auditd Collects Information on Kernel Module Loading and Unloading - rmmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture executions of the rmmod utility:
-w /usr/sbin/rmmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture executions of the rmmod utility:
-w /usr/sbin/rmmod -p x -k modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
OVAL details Items not found violating audit augenrules rmmod:Object oval:ssg-object_audit_rule_kernel_module_loading_rmmod_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl rmmod:Object oval:ssg-object_audit_rule_kernel_module_loading_rmmod_auditctl:obj:1 of type textfilecontent54_object
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture executions of the modprobe utility:
-w /usr/sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture executions of the modprobe utility:
-w /usr/sbin/modprobe -p x -k modules |
Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
OVAL details Items not found violating audit augenrules modprobe:Object oval:ssg-object_audit_rule_kernel_module_loading_modprobe_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl modprobe:Object oval:ssg-object_audit_rule_kernel_module_loading_modprobe_auditctl:obj:1 of type textfilecontent54_object
Shutdown System When Auditing Failures Occur
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AU-5, AU-5(a), 139, SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023, 3.3.1, 3.3.4 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-f 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the top of the /etc/audit/audit.rules file:
-f 2 |
Rationale | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. |
OVAL details Items not found violating audit augenrules configuration shutdown:Object oval:ssg-object_ars_shutdown_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl configuration shutdown:Object oval:ssg-object_ars_shutdown_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify User/Group Information
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 18, 172, 1403, 2130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000241-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to capture events that modify account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
Record Events that Modify User/Group Information - /etc/group
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 18, 172, 1403, 2130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
OVAL details Items not found violating audit augenrules /etc/group:Object oval:ssg-object_audit_rules_usergroup_modification_group_etc_group_augen:obj:1 of type textfilecontent54_object
Items not found violating audit /etc/group:Object oval:ssg-object_audit_rules_usergroup_modification_group_etc_group_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify User/Group Information - /etc/gshadow
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 18, 172, 1403, 2130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
OVAL details Items not found violating audit augenrules /etc/gshadow:Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_etc_gshadow_augen:obj:1 of type textfilecontent54_object
Items not found violating audit /etc/gshadow:Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_etc_gshadow_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify User/Group Information - /etc/shadow
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 18, 172, 1403, 2130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
OVAL details Items not found violating audit augenrules /etc/shadow:Object oval:ssg-object_audit_rules_usergroup_modification_shadow_etc_shadow_augen:obj:1 of type textfilecontent54_object
Items not found violating audit /etc/shadow:Object oval:ssg-object_audit_rules_usergroup_modification_shadow_etc_shadow_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify User/Group Information - passwd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 18, 172, 1403, 2130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
OVAL details Items not found violating audit augenrules /etc/passwd:Object oval:ssg-object_audit_rules_usergroup_modification_passwd_etc_passwd_augen:obj:1 of type textfilecontent54_object
Items not found violating audit /etc/passwd:Object oval:ssg-object_audit_rules_usergroup_modification_passwd_etc_passwd_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify User/Group Information - opasswd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
Result | fail |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, 18, 172, 1403, 2130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to capture events that modify account information:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture events that modify account information:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
OVAL details Items not found violating audit augenrules /etc/security/opasswd:Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_etc_security_opasswd_augen:obj:1 of type textfilecontent54_object
Items not found violating audit /etc/security/opasswd:Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_etc_security_opasswd_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify the System's Network Environment
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, 5.4.1.1, 5.2.6, 3.1.7 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
Rationale | The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. |
System Audit Logs Must Be Owned By Root
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-6, AU-1(b), AU-9, IR-5, 163, SRG-OS-000058-GPOS-00028, Req-10.5.1, 5.4.1.1, 3.3.1 |
Description | All audit logs must be owned by the root user and group. By default, the path for the audit log is /var/log/audit/. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* |
Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
Record Events that Modify the System's Mandatory Access Controls
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.5.5, 5.2.7, 5.4.1.1, 3.1.8 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy |
Rationale | The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. |
Record Attempts to Alter Process and Session Initiation Information
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | low |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, Req-10.2.3, 5.2.9, 5.4.1.1, 3.1.7 |
Description | The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session |
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
Ensure auditd Collects Information on Exporting to Media (successful)
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, 135, 2884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.13, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export |
Rationale | The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. |
OVAL details Items not found violating audit augenrules mount 32-bit:Object oval:ssg-object_audit_rules_media_export_mount_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit augenrules mount 64-bit:Object oval:ssg-object_64bit_ardm_media_export_mount_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl mount 32-bit:Object oval:ssg-object_audit_rules_media_export_mount_auditctl:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl mount 64-bit:Object oval:ssg-object_64bit_ardm_media_export_mount_auditctl:obj:1 of type textfilecontent54_object
Ensure auditd Collects System Administrator Actions
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, 126, 130, 135, 172, 2884, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 5.4.1.1, 3.1.7 |
Description | At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions |
Rationale | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes. |
OVAL details Items not found violating audit augenrules sudoers:Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1 of type textfilecontent54_object
Items not found violating audit auditctl sudoers:Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1 of type textfilecontent54_object
Make the auditd Configuration Immutable
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, AU-1(b), AU-2(a), AU-2(c), AU-2(d), IR-5, Req-10.5.2, 5.2.18, 5.4.1.1, 3.3.1, 3.4.3 |
Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. |
Rationale | Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. |
Enable auditd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
Result | pass |
Time | 2017-10-21T14:39:50 |
Severity | high |
Identifiers and References | References: AU-3, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), AU-14(1), IR-5, 126, 131, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, Req-10, 5.2.2, 5.4.1.1, 3.3.1, 3.3.2, 3.3.6 |
Description | The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service |
Rationale | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the |
OVAL details Items found satisfying systemd test:
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_audit_argument |
Result | notselected |
Time | 2017-10-21T14:39:50 |
Severity | medium |
Identifiers and References | References: AC-17(1), AU-14(1), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-10, IR-5, 1464, 130, Req-10.3, 5.2.3, 5.4.1.1, 3.3.1 |
Description | To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1" |
Rationale | Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although |
Warnings | The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows: |
Disable xinetd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_xinetd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The xinetd service can be disabled with the following command:
$ sudo systemctl disable xinetd.service |
Rationale | The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. |
Uninstall xinetd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_xinetd_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo yum erase xinetd |
Rationale |
Removing the |
Install tcp_wrappers Package
Rule ID | xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: CM-6(b), 366, SRG-OS-000480-GPOS-00227 |
Description |
When network services are using the $ sudo yum install tcp_wrappers |
Rationale | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
Disable telnet Service
Rule ID | xccdf_org.ssgproject.content_rule_service_telnet_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: AC-17(8), CM-7, IA-5(1)(c), http://iase.disa.mil/stigs/cci/Pages/index.aspx, 3.1.13, 3.4.7 |
Description |
The
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
If the /etc/xinetd.d/telnet file does not exist, make sure that
the activation of the telnet service on system boot is disabled
via the following command:
The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket |
Rationale | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. |
Uninstall telnet-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: AC-17(8), CM-7(a), 381, SRG-OS-000095-GPOS-00049, 2.1.1 |
Description | The $ sudo yum erase telnet-server |
Rationale |
It is detrimental for operating systems to provide, or install by default, functionality exceeding
requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore
may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
|
OVAL details Items not found satisfying package telnet-server is removed: Object oval:ssg-obj_package_telnet-server_removed:obj:1 of type rpminfo_object
|
Remove telnet Clients
Rule ID | xccdf_org.ssgproject.content_rule_package_telnet_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The telnet client allows users to start connections to other systems via the telnet protocol. |
Rationale | The |
Uninstall rsh-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_rsh-server_removed |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: AC-17(8), CM-7(a), 381, SRG-OS-000095-GPOS-00049, 2.1.3 |
Description | The $ sudo yum erase rsh-server |
Rationale | The |
OVAL details Items not found satisfying package rsh-server is removed: Object oval:ssg-obj_package_rsh-server_removed:obj:1 of type rpminfo_object
|
Disable rexec Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rexec_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | |
Description | The $ sudo systemctl disable rexec.socket |
Rationale | The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
Disable rsh Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rsh_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: AC-17(8), CM-7, IA-5(1)(c), 68, 1436, 3.1.13, 3.4.7 |
Description | The $ sudo systemctl disable rsh.socket |
Rationale | The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
Uninstall rsh Package
Rule ID | xccdf_org.ssgproject.content_rule_package_rsh_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the |
Disable rlogin Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rlogin_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | |
Description | The $ sudo systemctl disable rlogin.socket |
Rationale | The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
Remove Rsh Trust Files
Rule ID | xccdf_org.ssgproject.content_rule_no_rsh_trust_files |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | |
Description | The files $ sudo rm /etc/hosts.equiv $ rm ~/.rhosts |
Rationale | Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. |
Uninstall ypserv Package
Rule ID | xccdf_org.ssgproject.content_rule_package_ypserv_removed |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: AC-17(8), CM-7(a), 381, SRG-OS-000095-GPOS-00049, 2.1.6 |
Description | The $ sudo yum erase ypserv |
Rationale | The NIS service provides an unencrypted authentication service which does not
provide for the confidentiality and integrity of user passwords or the remote session.
Removing the |
OVAL details Items not found satisfying package ypserv is removed: Object oval:ssg-obj_package_ypserv_removed:obj:1 of type rpminfo_object
|
Disable ypbind Service
Rule ID | xccdf_org.ssgproject.content_rule_service_ypbind_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The $ sudo systemctl disable ypbind.service |
Rationale |
Disabling the |
Remove NIS Client
Rule ID | xccdf_org.ssgproject.content_rule_package_ypbind_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 2.1.5 |
Description | The Network Information Service (NIS), formerly known as Yellow Pages,
is a client-server directory service protocol used to distribute system configuration
files. The NIS client ( |
Rationale | The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed. |
Disable tftp Service
Rule ID | xccdf_org.ssgproject.content_rule_service_tftp_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The $ sudo systemctl disable tftp.service |
Rationale |
Disabling the |
Uninstall tftp-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: AC-17(8), CM-6(c), CM-7, 318, 368, 1812, 1813, 1814, SRG-OS-000480-GPOS-00227, 2.1.8 |
Description |
The $ sudo yum erase tftp-server |
Rationale |
Removing the |
OVAL details Items not found satisfying package tftp-server is removed: Object oval:ssg-obj_package_tftp-server_removed:obj:1 of type rpminfo_object
|
Remove tftp Daemon
Rule ID | xccdf_org.ssgproject.content_rule_package_tftp_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: 2.1.7 |
Description | Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between systems.
TFTP does not support authentication and can be easily hacked. The package
|
Rationale | It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services. |
Ensure tftp Daemon Uses Secure Mode
Rule ID | xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, AC-17(8), CM-7, 366, SRG-OS-000480-GPOS-00227 |
Description | If running the server_args = -s /var/lib/tftpboot |
Rationale | Using the |
OVAL details Items not found satisfying tftpd secure mode: Object oval:ssg-object_tftpd_uses_secure_mode:obj:1 of type textfilecontent54_object
|
Uninstall talk-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_talk-server_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: 2.1.10 |
Description |
The $ sudo yum erase talk-server |
Rationale |
The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the |
Uninstall talk Package
Rule ID | xccdf_org.ssgproject.content_rule_package_talk_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 2.1.9 |
Description | The $ sudo yum erase talk |
Rationale |
The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the |
Disable Automatic Bug Reporting Tool (abrtd)
Rule ID | xccdf_org.ssgproject.content_rule_service_abrtd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: AC-17(8), CM-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The Automatic Bug Reporting Tool ( $ sudo systemctl disable abrtd.service |
Rationale | Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. |
Disable Advanced Configuration and Power Interface (acpid)
Rule ID | xccdf_org.ssgproject.content_rule_service_acpid_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The Advanced Configuration and Power Interface Daemon ( $ sudo systemctl disable acpid.service |
Rationale | ACPI support is highly desirable for systems in some network roles, such as laptops or desktops. For other systems, such as servers, it may permit accidental or trivially achievable denial of service situations and disabling it is appropriate. |
Disable Certmonger Service (certmonger)
Rule ID | xccdf_org.ssgproject.content_rule_service_certmonger_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Certmonger is a D-Bus based service that attempts to simplify interaction
with certifying authorities on networks which use public-key infrastructure. It is often
combined with Red Hat's IPA (Identity Policy Audit) security information management
solution to aid in the management of certificates.
The $ sudo systemctl disable certmonger.service |
Rationale | The services provided by certmonger may be essential for systems fulfilling some roles in a PKI infrastructure, but its functionality is not necessary for many other use cases. |
Disable Control Group Config (cgconfig)
Rule ID | xccdf_org.ssgproject.content_rule_service_cgconfig_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Control groups allow an administrator to allocate system resources (such as CPU,
memory, network bandwidth, etc) among a defined group (or groups) of processes executing on
a system. The $ sudo systemctl disable cgconfig.service |
Rationale | Unless control groups are used to manage system resources, running the cgconfig service is not necessary. |
Disable Control Group Rules Engine (cgred)
Rule ID | xccdf_org.ssgproject.content_rule_service_cgred_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The $ sudo systemctl disable cgred.service |
Rationale | Unless control groups are used to manage system resources, running the cgred service is not necessary. |
Disable CPU Speed (cpupower)
Rule ID | xccdf_org.ssgproject.content_rule_service_cpupower_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The $ sudo systemctl disable cpupower.service |
Rationale | The |
Enable IRQ Balance (irqbalance)
Rule ID | xccdf_org.ssgproject.content_rule_service_irqbalance_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The $ sudo systemctl enable irqbalance.service |
Rationale | In an environment with multiple processors (now common), the irqbalance service provides potential speedups for handling interrupt requests. |
Disable KDump Kernel Crash Analyzer (kdump)
Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(8), CM-7, CM-6(b), 366, SRG-OS-000480-GPOS-00227 |
Description | The $ sudo systemctl disable kdump.service |
Rationale | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. |
OVAL details Items found violating systemd test:
|
Remediation Shell script:
|
Remediation Ansible snippet:
|
Disable Software RAID Monitor (mdmonitor)
Rule ID | xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The $ sudo systemctl disable mdmonitor.service |
Rationale | If software RAID monitoring is not required, there is no need to run this service. |
Disable Network Console (netconsole)
Rule ID | xccdf_org.ssgproject.content_rule_service_netconsole_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable netconsole.service |
Rationale | The |
Disable ntpdate Service (ntpdate)
Rule ID | xccdf_org.ssgproject.content_rule_service_ntpdate_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable ntpdate.service |
Rationale | The |
Disable Odd Job Daemon (oddjobd)
Rule ID | xccdf_org.ssgproject.content_rule_service_oddjobd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable oddjobd.service |
Rationale | The |
Disable Portreserve (portreserve)
Rule ID | xccdf_org.ssgproject.content_rule_service_portreserve_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable portreserve.service |
Rationale | The |
Enable Process Accounting (psacct)
Rule ID | xccdf_org.ssgproject.content_rule_service_psacct_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The process accounting service, $ sudo systemctl enable psacct.service |
Rationale | The |
Disable Apache Qpid (qpidd)
Rule ID | xccdf_org.ssgproject.content_rule_service_qpidd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable qpidd.service |
Rationale | The qpidd service is automatically installed when the "base"
package selection is selected during installation. The qpidd service listens
for network connections, which increases the attack surface of the system. If
the system is not intended to receive AMQP traffic, then the |
Disable Quota Netlink (quota_nld)
Rule ID | xccdf_org.ssgproject.content_rule_service_quota_nld_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The $ sudo systemctl disable quota_nld.service |
Rationale | If disk quotas are enforced on the local system, then the
|
Disable Network Router Discovery Daemon (rdisc)
Rule ID | xccdf_org.ssgproject.content_rule_service_rdisc_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable rdisc.service |
Rationale | General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. |
Disable Red Hat Network Service (rhnsd)
Rule ID | xccdf_org.ssgproject.content_rule_service_rhnsd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.
The $ sudo systemctl disable rhnsd.service |
Rationale | Although systems management and patching is extremely important to
system security, management by a system outside the enterprise enclave is not
desirable for some environments. However, if the system is being managed by RHN or
RHN Satellite Server the |
Disable Red Hat Subscription Manager Daemon (rhsmcertd)
Rule ID | xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The Red Hat Subscription Manager (rhsmcertd) periodically checks for
changes in the entitlement certificates for a registered system and updates it
accordingly.
The $ sudo systemctl disable rhsmcertd.service |
Rationale | The |
Disable Cyrus SASL Authentication Daemon (saslauthd)
Rule ID | xccdf_org.ssgproject.content_rule_service_saslauthd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable saslauthd.service |
Rationale | The |
Disable SMART Disk Monitoring Service (smartd)
Rule ID | xccdf_org.ssgproject.content_rule_service_smartd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | SMART (Self-Monitoring, Analysis, and Reporting Technology) is a
feature of hard drives that allows them to detect symptoms of disk failure and
relay an appropriate warning.
The $ sudo systemctl disable smartd.service |
Rationale | SMART can help protect against denial of service due to failing hardware. Nevertheless, if it is not needed or the system's drives are not SMART-capable (such as solid state drives), it can be disabled. |
Disable System Statistics Reset Service (sysstat)
Rule ID | xccdf_org.ssgproject.content_rule_service_sysstat_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The $ sudo systemctl disable sysstat.service |
Rationale | By default the |
Verify User Who Owns /etc/cron.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_allow |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227 |
Description |
If $ sudo chown root /etc/cron.allow |
Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. |
OVAL details Items not found satisfying Testing user ownership of /etc/cron.allow: Object oval:ssg-object_file_etc_cron_allow:obj:1 of type file_object
State oval:ssg-state_etc_cron_allow_uid_root:ste:1 of type file_state
|
Verify Group Who Owns /etc/cron.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227 |
Description |
If $ sudo chgrp root /etc/cron.allow |
Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. |
OVAL details Items not found satisfying Testing group ownership /etc/cron.allow: Object oval:ssg-object_groupowner_cron_allow_file:obj:1 of type file_object
State oval:ssg-state_groupowner_cron_allow_file:ste:1 of type file_state
|
Enable cron Service
Rule ID | xccdf_org.ssgproject.content_rule_service_crond_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The $ sudo systemctl enable crond.service |
Rationale | Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. |
Disable anacron Service
Rule ID | xccdf_org.ssgproject.content_rule_disable_anacron |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The $ sudo yum erase cronie-anacron |
Rationale |
The |
Disable At Service (atd)
Rule ID | xccdf_org.ssgproject.content_rule_service_atd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The $ sudo systemctl disable atd.service |
Rationale |
The |
Enable the Docker service
Rule ID | xccdf_org.ssgproject.content_rule_service_docker_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx, http://iase.disa.mil/stigs/srgs/Pages/index.aspx |
Description | The docker service is commonly needed to
create containers.
The $ sudo systemctl enable docker.service |
Rationale | To be able to find any problems with misconfiguration of the docker daemon and running containers, the docker service has to be enabled. |
Use direct-lvm with the Device Mapper Storage Driver
Rule ID | xccdf_org.ssgproject.content_rule_docker_storage_configured |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of loopback device as a storage. For setting up the LVM and configuring Docker, see the Docker Device Mapper Storage Documentation. |
Rationale | For using Docker in production, the device mapper storage driver with loopback devices is discouraged. The suggested way of configuring device mapper storage driver is direct-lvm. Choosing the right storage driver and backing filesystem is crucial to stability and performance. |
Enable SSH Server firewalld Firewall exception
Rule ID | xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.1.12 |
Description | By default, inbound connections to SSH's port are allowed. If
the SSH server is being used but denied by the firewall, this exception should
be added to the firewall configuration.
|
Rationale | If inbound SSH connections are expected, adding a firewall rule exception will allow remote access through the SSH port. |
Allow Only SSH Protocol 2
Rule ID | xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: AC-17(8).1(ii), IA-5(1)(c), 197, 366, 6.2.1, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.13, 3.5.4 |
Description | Only SSH protocol version 2 connections should be
permitted. The default setting in
Protocol 2 |
Rationale | SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. |
OVAL details Items found satisfying sshd uses protocol 2:
|
Limit Users' SSH Access
Rule ID | xccdf_org.ssgproject.content_rule_sshd_limit_user_access |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | By default, the SSH configuration allows any user with an account
to access the system. In order to specify the users that are allowed to login
via SSH and deny all other users, add or correct the following line in the
DenyUsers USER1 USER2
Where USER1 and USER2 are valid user names.
|
Rationale | Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system. |
Disable GSSAPI Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: CM-6(c), 368, 318, 1812, 1813, 1814, SRG-OS-000364-GPOS-00151, 3.1.12 |
Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the GSSAPIAuthentication no |
Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. |
OVAL details Items found satisfying tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file:
|
Disable Kerberos Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: CM-6(c), 368, 318, 1812, 1813, 1814, SRG-OS-000364-GPOS-00151, 3.1.12 |
Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the KerberosAuthentication no |
Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. |
OVAL details Items found satisfying tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file:
|
Enable Use of Strict Mode Checking
Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227, 3.1.12 |
Description | SSH's StrictModes option checks file and ownership permissions in
the user's home directory StrictModes yes |
Rationale | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
OVAL details Items found satisfying tests the value of StrictModes setting in the /etc/ssh/sshd_config file:
|
Enable Use of Privilege Separation
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_priv_separation |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227, 3.1.12 |
Description | When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the UsePrivilegeSeparation yes |
Rationale | SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which decreases the impact of software vulnerabilities in the unprivileged section. |
OVAL details Items found satisfying tests the value of UsePrivilegeSeparation setting in the /etc/ssh/sshd_config file:
|
Disable Compression Or Set Compression to delayed
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_compression | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | medium | ||||
Identifiers and References | References: CM-6(b), 366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||
Description | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in /etc/ssh/sshd_config:
Compression no
or
Compression delayed | ||||
Rationale | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. | ||||
OVAL details Items found satisfying tests the value of Compression setting in the /etc/ssh/sshd_config file:
|
Print Last Log
Rule ID | xccdf_org.ssgproject.content_rule_sshd_print_last_log | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | low | ||||
Identifiers and References | References: AC-9, 366, SRG-OS-000480-GPOS-00227 | ||||
Description | When enabled, SSH will display the date and time of the last
successful account logon. To enable PrintLastLog in
SSH, add or correct the following line in /etc/ssh/sshd_config:
PrintLastLog yes | ||||
Rationale | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. | ||||
OVAL details Items found satisfying tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file:
|
Set LogLevel to INFO
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 5.2.9 |
Description | The INFO log level records login and logout activity.
To specify the log level in
SSH, add or correct the following line in /etc/ssh/sshd_config:
LogLevel INFO |
Rationale |
SSH provides several logging levels with varying amounts of verbosity. |
Set SSH Idle Timeout Interval
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | low | ||||
Identifiers and References | References: AC-2(5), SA-8(i), AC-12, 1133, 2361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, Req-8.1.8, 6.2.12, 5.5.6, 3.1.11 | ||||
Description | SSH allows administrators to set an idle timeout interval.
After this interval has passed, the idle user will be automatically logged out.
To set an idle timeout interval, edit /etc/ssh/sshd_config as follows:
ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. | ||||
Rationale | Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. | ||||
OVAL details Items found satisfying timeout is configured:
|
Set SSH Client Alive Count
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | medium | ||||
Identifiers and References | References: AC-2(5), SA-8, AC-12, 1133, 2361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, 6.2.12, 5.5.6, 3.1.11 | ||||
Description | To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0 | ||||
Rationale |
This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. | ||||
OVAL details Items found satisfying Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file:
|
Set SSH authentication attempt limit
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. To set it, add or correct the following line in /etc/ssh/sshd_config, where tries is the desired limit: MaxAuthTries tries |
Rationale | Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. |
Disable SSH Support for .rhosts Files
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts | ||||||
Result | pass | ||||||
Time | 2017-10-21T14:39:59 | ||||||
Severity | medium | ||||||
Identifiers and References | References: AC-3, CM-6(a), 366, 6.2.6, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.12 | ||||||
Description | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes | ||||||
Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | ||||||
OVAL details Items not found satisfying Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:Object oval:ssg-obj_sshd_rsh_emulation_disabled:obj:1 of type textfilecontent54_object
|
Disable SSH Support for User Known Hosts
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | medium | ||||
Identifiers and References | References: CM-6(a), 366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||
Description | SSH can allow system users to use host-based authentication to connect
to systems if a cache of the remote systems' public keys is available.
This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes | ||||
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | ||||
OVAL details Items found satisfying Tests the value of the IgnoreUserKnownHosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:
|
Disable SSH Support for Rhosts RSA Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | medium | ||||
Identifiers and References | References: CM-6(a), 366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||
Description | SSH can allow authentication through the obsolete rsh
command through the use of the authenticating user's SSH keys. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
RhostsRSAAuthentication no | ||||
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | ||||
OVAL details Items found satisfying Tests the value of the RhostsRSAAuthentication[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:
|
Disable Host-Based Authentication
Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth | ||||||
Result | pass | ||||||
Time | 2017-10-21T14:39:59 | ||||||
Severity | medium | ||||||
Identifiers and References | References: AC-3, CM-6(b), 366, SRG-OS-000480-GPOS-00229, 6.2.7, 5.5.6, 3.1.12 | ||||||
Description | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no | ||||||
Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | ||||||
OVAL details Items not found satisfying sshd HostbasedAuthentication:Object oval:ssg-object_sshd_hostbasedauthentication:obj:1 of type textfilecontent54_object
|
Enable Encrypted X11 Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | high | ||||
Identifiers and References | References: CM-2(1)(b), 366, SRG-OS-000480-GPOS-00227, 3.1.13 | ||||
Description | By default, remote X11 connections are not encrypted when initiated
by users. SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled. To enable X11 forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding yes
Note that a forwarded X11 channel also exposes the client's display to the server end of the connection, so it should only be used between trusted hosts. | ||||
Rationale | Open X displays allow an attacker to capture keystrokes and to execute commands remotely. | ||||
OVAL details Items found satisfying tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file:
|
Disable SSH Root Login
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login | ||||||
Result | fail | ||||||
Time | 2017-10-21T14:39:59 | ||||||
Severity | medium | ||||||
Identifiers and References | References: AC-3, AC-6(2), IA-2(1), IA-2(5), 366, SRG-OS-000480-GPOS-00227, 6.2.8, 5.5.6, 3.1.1, 3.1.5 | ||||||
Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config:
PermitRootLogin no | ||||||
Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. | ||||||
OVAL details Items not found violating Tests the value of the PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:Object oval:ssg-obj_sshd_permitrootlogin_no:obj:1 of type textfilecontent54_object
|
Disable SSH Access via Empty Passwords
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords | ||||
Result | pass | ||||
Time | 2017-10-21T14:39:59 | ||||
Severity | high | ||||
Identifiers and References | References: AC-3, AC-6, CM-6(b), 366, SRG-OS-000480-GPOS-00229, 5.5.6, 3.1.1, 3.1.5 | ||||
Description | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. | ||||
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | ||||
OVAL details Items found satisfying Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:
|
Do Not Allow SSH Environment Options
Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env | ||||||
Result | fail | ||||||
Time | 2017-10-21T14:39:59 | ||||||
Severity | medium | ||||||
Identifiers and References | References: CM-6(b), 366, SRG-OS-000480-GPOS-00229, 6.2.10, 5.5.6, 3.1.12 | ||||||
Description | To ensure users are not able to override environment
options to the SSH daemon, add or correct the following line
in /etc/ssh/sshd_config:
PermitUserEnvironment no | ||||||
Rationale | SSH environment options potentially allow users to bypass access restriction in some configurations. | ||||||
OVAL details Items not found violating Check value of PermitUserEnvironment in /etc/ssh/sshd_config:Object oval:ssg-obj_sshd_no_user_envset:obj:1 of type textfilecontent54_object
|
Use Only FIPS 140-2 Validated Ciphers
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers | ||||||
Result | fail | ||||||
Time | 2017-10-21T14:39:59 | ||||||
Severity | medium | ||||||
Identifiers and References | References: AC-3, AC-17(2), AU-10(5), CM-6(b), IA-5(1)(c), IA-7, 68, 366, 803, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, 6.2.11, 5.5.6, 3.1.13, 3.13.11, 3.13.8 | ||||||
Description | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
The following ciphers are FIPS 140-2 certified on RHEL 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se
Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. | ||||||
Rationale |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
| ||||||
OVAL details Items found violating tests the value of Ciphers setting in the /etc/ssh/sshd_config file:
|
Use Only FIPS 140-2 Validated MACs
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_approved_macs | ||||||
Result | fail | ||||||
Time | 2017-10-21T14:39:59 | ||||||
Severity | medium | ||||||
Identifiers and References | References: AC-17(2), IA-7, SC-13, 1453, SRG-OS-000250-GPOS-00093, 3.1.13, 3.13.11, 3.13.8 | ||||||
Description | Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256
Only the following message authentication codes are FIPS 140-2 certified on RHEL 7:
- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. | ||||||
Rationale | DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement are those of the SHA-2 family. | ||||||
OVAL details Items not found violating tests the value of MACs setting in the /etc/ssh/sshd_config file:Object oval:ssg-obj_sshd_use_approved_macs:obj:1 of type variable_object
State oval:ssg-ste_sshd_use_approved_macs:ste:1 of type variable_state
|
Use Only Strong Ciphers
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | Limit the ciphers to strong algorithms.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following lines in /etc/ssh/sshd_config demonstrate use of such ciphers (the second additionally allows the AEAD ciphers ChaCha20-Poly1305 and AES-GCM):
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
The man page sshd_config(5) contains a list of supported ciphers.
|
Rationale | Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter mode algorithms (as described in RFC 4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use. |
Use Only Strong MACs
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_strong_macs |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | Limit the MACs to strong hash algorithms.
The following line in /etc/ssh/sshd_config demonstrates use of such MACs:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 |
Rationale | MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MitM position to decrypt the SSH tunnel and capture credentials and information. |
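The SSH rules above each check one directive in /etc/ssh/sshd_config. The following POSIX shell script is an added example (not part of the SCAP Security Guide or the STIG content; the function names sshd_get, not_approved, expect_value and sshd_audit are this example's own) that audits a whole file against those rules in one pass. It reads directives the way sshd does (first non-comment occurrence wins, keyword case-insensitive, "=" or blanks as separator) and checks the Ciphers and MACs lists against the FIPS lists quoted in the two FIPS rules. It does not resolve Match blocks, so on a live host compare its findings with the output of sshd -T, which prints the effective configuration. The sample file at the end is constructed for the demonstration, not taken from any system.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide or STIG content: audit an
# sshd_config against the SSH rules in this section using POSIX sh and awk.
# Assumes plain (non-Match) directives; on a live host "sshd -T" prints the
# fully resolved configuration and is the authoritative view.

# Effective value of a directive. sshd honours the first non-comment
# occurrence; keywords are case-insensitive, separated by blanks or '='.
sshd_get() {  # usage: sshd_get <sshd_config> <keyword>
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# Print the elements of a comma-separated list that are NOT approved.
not_approved() {  # usage: not_approved <configured-list> <approved-list>
    printf '%s\n' "$1" | tr ',' '\n' | awk -v ok="$2" '
        BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) okset[a[i]] = 1 }
        $0 != "" && !($0 in okset) { print }'
}

# Record PASS/FAIL for one directive; uses CFG and FAILS set by sshd_audit.
expect_value() {  # usage: expect_value <keyword> <allowed-value>...
    key="$1"; shift
    got=$(sshd_get "$CFG" "$key" | tr 'A-Z' 'a-z')
    for want in "$@"; do
        if [ "$got" = "$want" ]; then echo "PASS $key $got"; return 0; fi
    done
    echo "FAIL $key: got '${got:-<unset>}', want one of: $*"
    FAILS=$((FAILS + 1))
}

# Algorithm lists as given in the two FIPS rules above.
FIPS_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator.liu.se'
FIPS_MACS='hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# Audit one file: prints PASS/FAIL per directive, returns the failure count.
sshd_audit() {  # usage: sshd_audit <sshd_config>
    CFG="$1"; FAILS=0
    expect_value StrictModes yes
    expect_value UsePrivilegeSeparation yes sandbox  # sandbox: stricter form, also accepted by the STIG
    expect_value Compression no delayed
    expect_value PrintLastLog yes
    expect_value ClientAliveCountMax 0
    expect_value IgnoreRhosts yes
    expect_value IgnoreUserKnownHosts yes
    expect_value RhostsRSAAuthentication no
    expect_value HostbasedAuthentication no
    expect_value X11Forwarding yes
    expect_value PermitRootLogin no
    expect_value PermitEmptyPasswords no
    expect_value PermitUserEnvironment no
    # ClientAliveInterval must be set and no larger than 600 s (10 minutes).
    iv=$(sshd_get "$CFG" ClientAliveInterval)
    case "$iv" in
        ''|*[!0-9]*) echo "FAIL ClientAliveInterval: got '${iv:-<unset>}'"; FAILS=$((FAILS + 1)) ;;
        *) if [ "$iv" -ge 1 ] && [ "$iv" -le 600 ]; then echo "PASS ClientAliveInterval $iv"
           else echo "FAIL ClientAliveInterval: $iv exceeds 600"; FAILS=$((FAILS + 1)); fi ;;
    esac
    # Ciphers and MACs: every configured algorithm must be in the approved list.
    for pair in "Ciphers=$FIPS_CIPHERS" "MACs=$FIPS_MACS"; do
        key=${pair%%=*}; ok=${pair#*=}
        got=$(sshd_get "$CFG" "$key")
        bad=$(not_approved "$got" "$ok")
        if [ -z "$got" ] || [ -n "$bad" ]; then
            echo "FAIL $key: got '${got:-<unset>}', not approved: ${bad:-(unset)}"
            FAILS=$((FAILS + 1))
        else
            echo "PASS $key $got"
        fi
    done
    return "$FAILS"
}

# Demonstration on a constructed sample, not a real host's file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
StrictModes yes
UsePrivilegeSeparation sandbox
ClientAliveInterval 600
ClientAliveCountMax 0
Ciphers aes256-ctr,aes128-ctr,arcfour
MACs hmac-sha2-512,hmac-sha2-256
EOF
sshd_audit "$SAMPLE" || echo "$? directive(s) need attention"
rm -f "$SAMPLE"
```

The commented-out "#PermitRootLogin no" in the sample is the classic false positive for a naive grep: the script ignores it and reports the live "PermitRootLogin yes" as the failure, and it flags arcfour in the Ciphers list even though the other two ciphers are approved.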
Install the OpenSSH Server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-server_installed | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2017-10-21T14:39:59 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | References: SC-8, 2418, 2420, 2421, 2422, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190 | ||||||||||||||||
Description |
The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server | ||||||||||||||||
Rationale | Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. | ||||||||||||||||
OVAL details Items found satisfying package openssh-server is installed:
|
Enable the OpenSSH Service
Rule ID | xccdf_org.ssgproject.content_rule_service_sshd_enabled | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2017-10-21T14:39:59 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | References: SC-8, 2418, 2420, 2421, 2422, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190, 3.1.13, 3.5.4, 3.13.8 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description | The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale |
Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details Items found satisfying systemd test:
|
Disable SSH Server If Possible (Unusual)
Rule ID | xccdf_org.ssgproject.content_rule_service_sshd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The SSH server service, sshd, is commonly needed.
However, if it can be disabled, do so.
The sshd service can be disabled with the following command:
$ sudo systemctl disable sshd.service
This is unusual, as SSH is a common method for encrypted and authenticated remote access. |
Remove SSH Server firewalld Firewall exception (Unusual)
Rule ID | xccdf_org.ssgproject.content_rule_firewalld_sshd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.1.12 |
Description | By default, inbound connections to SSH's port are allowed. If
the SSH server is not being used, this exception should be removed from the
firewall configuration.
|
Rationale | If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. |
Install the SSSD Package
Rule ID | xccdf_org.ssgproject.content_rule_package_sssd_installed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description |
The sssd package can be installed with the following command:
$ sudo yum install sssd |
Rationale |
|
Enable the SSSD Service
Rule ID | xccdf_org.ssgproject.content_rule_service_sssd_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The SSSD service should be enabled.
The sssd service can be enabled with the following command:
$ sudo systemctl enable sssd.service |
Rationale |
|
Configure SSSD's Memory Cache to Expire
Rule ID | xccdf_org.ssgproject.content_rule_sssd_memcache_timeout |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: IA-5(13), 2007, SRG-OS-000383-GPOS-00166 |
Description |
SSSD's memory cache should be configured to expire records after 1 day.
To configure SSSD to expire its memory cache, set memcache_timeout to 86400 (seconds) in the [nss] section of /etc/sssd/sssd.conf:
[nss]
memcache_timeout = 86400 |
Rationale | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
Configure SSSD to Expire Offline Credentials
Rule ID | xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: IA-5(13), 2007, SRG-OS-000383-GPOS-00166 |
Description |
SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 (days) in the [pam] section of /etc/sssd/sssd.conf:
[pam]
offline_credentials_expiration = 1
Note that a value of 0 means cached credentials never expire, so 0 does not satisfy this rule. |
Rationale | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
Configure SSSD to Expire SSH Known Hosts
Rule ID | xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: IA-5(13), 2007, SRG-OS-000383-GPOS-00166 |
Description |
SSSD should be configured to expire keys from known SSH hosts after 1 day.
To configure SSSD to expire known SSH hosts, set ssh_known_hosts_timeout to 86400 (seconds) in the [ssh] section of /etc/sssd/sssd.conf:
[ssh]
ssh_known_hosts_timeout = 86400 |
Rationale | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
Configure PAM in SSSD Services
Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_pam_services | ||||||
Result | fail | ||||||
Time | 2017-10-21T14:39:59 | ||||||
Severity | medium | ||||||
Identifiers and References | References: IA-2(11), 1948, 1953, 1954, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162 | ||||||
Description |
SSSD should be configured to run its PAM responder. To do so, add pam to the services list in the [sssd] section of /etc/sssd/sssd.conf, for example:
[sssd]
services = sudo, autofs, pam | ||||||
Rationale | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. | ||||||
OVAL details Items not found violating check if pam is configured in the services setting of the sssd section:Object oval:ssg-obj_sssd_enable_pam_services:obj:1 of type textfilecontent54_object
|
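The four SSSD rules above (memory cache expiry, offline credential expiry, known-hosts expiry and the pam responder) all come down to values in sections of /etc/sssd/sssd.conf. The following POSIX shell script is an added example, not part of the SCAP Security Guide, that parses that INI layout and checks the four settings; the function names sssd_get, in_range and sssd_audit are this example's own, and the sssd.conf at the end is constructed for the demonstration. One point a plain grep would miss and the script handles: offline_credentials_expiration = 0 means cached credentials never expire, so 0 is reported as a failure even though it is numerically below the required 1.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide content): check the SSSD settings
# from the rules above in an sssd.conf file. POSIX sh and awk only.

# Value of <key> in INI section <section>: first match wins, '#' and ';'
# comment lines are skipped, surrounding blanks are trimmed.
sssd_get() {  # usage: sssd_get <sssd.conf> <section> <key>
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ || NF == 0 { next }
        /^[[:space:]]*\[/ {
            cur = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", cur)
            next
        }
        cur == sec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Require an integer in 1..<max>. 0 is rejected on purpose: for
# offline_credentials_expiration it means "never expire".
in_range() {  # usage: in_range <section> <key> <max>; uses CFG and FAILS
    v=$(sssd_get "$CFG" "$1" "$2")
    case "$v" in
        ''|*[!0-9]*)
            echo "FAIL [$1] $2: got '${v:-<unset>}'"; FAILS=$((FAILS + 1)) ;;
        *)
            if [ "$v" -ge 1 ] && [ "$v" -le "$3" ]; then
                echo "PASS [$1] $2 = $v"
            else
                echo "FAIL [$1] $2 = $v (want 1..$3)"; FAILS=$((FAILS + 1))
            fi ;;
    esac
}

# Audit one file: prints PASS/FAIL lines, returns the number of failures.
sssd_audit() {  # usage: sssd_audit <sssd.conf>
    CFG="$1"; FAILS=0
    in_range nss memcache_timeout 86400             # seconds, 1 day
    in_range pam offline_credentials_expiration 1   # days
    in_range ssh ssh_known_hosts_timeout 86400      # seconds, 1 day
    # [sssd] services must list pam (comma-separated, blanks optional).
    svc=$(sssd_get "$CFG" sssd services | tr -d '[:space:]')
    case ",$svc," in
        *,pam,*) echo "PASS [sssd] services = $svc" ;;
        *) echo "FAIL [sssd] services = '${svc:-<unset>}' (pam missing)"
           FAILS=$((FAILS + 1)) ;;
    esac
    return "$FAILS"
}

# Demonstration on a constructed sssd.conf, not one from a real host.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = EXAMPLE

[nss]
memcache_timeout = 86400

[pam]
offline_credentials_expiration = 0

[domain/EXAMPLE]
id_provider = ldap
EOF
sssd_audit "$SAMPLE" || echo "$? setting(s) need attention"
rm -f "$SAMPLE"
```

On the sample, memcache_timeout and the services list pass, offline_credentials_expiration fails because of the 0, and ssh_known_hosts_timeout fails because the [ssh] section is absent, which the rule treats the same as an over-long timeout.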
Disable X Windows Startup By Setting Default Target
Rule ID | xccdf_org.ssgproject.content_rule_xwindows_runlevel_setting |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(8).1(ii), 366, SRG-OS-000480-GPOS-00227 |
Description | Systems that do not require a graphical user interface should only boot by
default into multi-user.target. To set the default target, run:
$ systemctl set-default multi-user.target
You should see the following output:
rm '/etc/systemd/system/default.target'
ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target' |
Rationale | Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented. |
Remove the X Windows Package Group
Rule ID | xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed | ||
Result | pass | ||
Time | 2017-10-21T14:39:59 | ||
Severity | medium | ||
Identifiers and References | References: AC-17(8).1(ii), 366, 3.2, SRG-OS-000480-GPOS-00227 | ||
Description | By removing the xorg-x11-server-common package, the system no longer has X Windows
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical target. To remove it, run the following commands:
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common | ||
Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. | ||
OVAL details Items not found satisfying package xorg-x11-server-common is removed:Object oval:ssg-obj_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
|
Disable Avahi Server Software
Rule ID | xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description |
The avahi-daemon service can be disabled with the following command:
$ sudo systemctl disable avahi-daemon.service |
Rationale | Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. |
Serve Avahi Only via Required Protocol
Rule ID | xccdf_org.ssgproject.content_rule_avahi_ip_only |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description |
If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure the following is set in the [server] section:
use-ipv6=no
Similarly, if you are using only IPv6, disable IPv4 sockets with the line:
use-ipv4=no |
Check Avahi Responses' TTL Field
Rule ID | xccdf_org.ssgproject.content_rule_avahi_check_ttl |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description |
To make Avahi ignore packets unless the TTL field is 255, edit /etc/avahi/avahi-daemon.conf and ensure the following is set in the [server] section:
check-response-ttl=yes |
Rationale | This helps to ensure that only mDNS responses from the local network are processed, because the TTL field in a packet is decremented from its initial value of 255 whenever it is routed from one network to another. Although a properly-configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted. |
Prevent Other Programs from Using Avahi's Port
Rule ID | xccdf_org.ssgproject.content_rule_avahi_prevent_port_sharing |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description |
To prevent other mDNS stacks from running, edit /etc/avahi/avahi-daemon.conf and ensure the following is set in the [server] section:
disallow-other-stacks=yes |
Rationale | This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system. |
Disable Avahi Publishing
Rule ID | xccdf_org.ssgproject.content_rule_avahi_disable_publishing |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description |
To prevent Avahi from publishing any records, edit /etc/avahi/avahi-daemon.conf and ensure the following is set in the [publish] section:
disable-publishing=yes |
Rationale | Disabling publishing prevents Avahi from advertising information about the system (its addresses, host information and services) to the local network. |
Restrict Information Published by Avahi
Rule ID | xccdf_org.ssgproject.content_rule_avahi_restrict_published_information |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description |
If it is necessary to publish some information to the network, it should not be joined
by any extraneous information, or by information supplied by a non-trusted source
on the system.
Prevent user applications from using Avahi to publish services by adding or
correcting the following line in the [publish] section of /etc/avahi/avahi-daemon.conf:
disable-user-service-publishing=yes
Implement as many of the following lines as possible, to restrict the information published by Avahi:
publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no
Inspect the files in the directory /etc/avahi/services/. Unless there
is an operational need to publish information about each of these services,
delete the corresponding file.
|
Rationale | These options prevent publishing attempts from succeeding, and can be applied even if publishing is disabled entirely via disable-publishing. Alternatively, these can be used to restrict the types of published information in the event that some information must be published. |
Disable Printer Browsing Entirely if Possible
Rule ID | xccdf_org.ssgproject.content_rule_cups_disable_browsing |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | By default, CUPS listens on the network for printer list
broadcasts on UDP port 631. This functionality is called printer browsing.
To disable printer browsing entirely, edit the CUPS configuration
file, located at /etc/cups/cupsd.conf, and add or correct the following lines:
Browsing Off
BrowseAllow none |
Rationale | The CUPS print service can be configured to broadcast a list of available printers to the network. Other systems on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the system will no longer generate or receive such broadcasts. |
Disable Print Server Capabilities
Rule ID | xccdf_org.ssgproject.content_rule_cups_disable_printserver |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cupsd.conf:
Port 631
and replacing it with the Listen directive:
Listen localhost:631
This will prevent remote users from printing to locally configured printers while still allowing local users on the system to print normally. |
Rationale | By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive. |
Disable the CUPS Service
Rule ID | xccdf_org.ssgproject.content_rule_service_cups_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description |
The cups service can be disabled with the following command:
$ sudo systemctl disable cups.service |
Rationale | Turn off unneeded services to reduce attack surface. |
Disable DHCP Service
Rule ID | xccdf_org.ssgproject.content_rule_service_dhcpd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The dhcpd service can be disabled with the following command:
$ sudo systemctl disable dhcpd.service |
Rationale | Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one. |
Uninstall DHCP Server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dhcp_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp package can be removed with the following command:
$ sudo yum erase dhcp |
Rationale | Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. |
Do Not Use Dynamic DNS
Rule ID | xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | To prevent the DHCP server from receiving DNS information from
clients, edit /etc/dhcp/dhcpd.conf and include the following line:
ddns-update-style none; |
Rationale | The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients. |
Warnings | warning
The ddns-update-style option controls only whether
the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS
server itself is correctly configured to reject DDNS attempts, an incorrect
ddns-update-style setting on the client is harmless (but should be fixed as a
best practice). |
Deny Decline Messages
Rule ID | xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Edit /etc/dhcp/dhcpd.conf and add or correct the following global option:
deny declines; |
Rationale | The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations. |
Deny BOOTP Queries
Rule ID | xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the following global option in /etc/dhcp/dhcpd.conf:
deny bootp; |
Rationale | The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server. |
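The three dhcpd rules above (ddns-update-style none, deny declines, deny bootp) all require a statement at global scope of /etc/dhcp/dhcpd.conf, and a statement that only appears inside a subnet block does not satisfy them. The script below is an added example, not part of the SCAP Security Guide or its OVAL content; the file paths are temporary files and the two sample configurations are constructed for the example. It strips comments, splits the file into statements and checks each recommendation at global scope only.

```shell
#!/bin/bash
# Added example, not part of the SCAP guide: audit a dhcpd.conf for the three
# global statements recommended above (ddns-update-style none, deny declines,
# deny bootp).  File paths and the sample configurations are constructed for
# this example.

# dhcpd_has_global FILE "STATEMENT": succeed only if STATEMENT appears as a
# complete, uncommented statement at global scope (outside every { } block).
# Comments are stripped, whitespace is normalized, and statements are split
# on ';', so indentation and line breaks do not matter.
dhcpd_has_global() {
    sed 's/#.*$//' "$1" | tr '\n' ' ' | awk -v want="$2" '
    {
        depth = 0; stmt = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "{") { depth++; stmt = ""; continue }
            if (c == "}") { depth--; stmt = ""; continue }
            if (c == ";") {
                gsub(/^[ \t]+|[ \t]+$/, "", stmt)
                gsub(/[ \t]+/, " ", stmt)
                if (depth == 0 && stmt == want) found = 1
                stmt = ""; continue
            }
            stmt = stmt c
        }
    }
    END { exit found ? 0 : 1 }'
}

# dhcpd_audit FILE: one PASS/FAIL line per recommendation; returns 1 if any fails.
dhcpd_audit() {
    rc=0
    for stmt in "ddns-update-style none" "deny declines" "deny bootp"; do
        if dhcpd_has_global "$1" "$stmt"; then
            echo "PASS: $stmt;"
        else
            echo "FAIL: global statement '$stmt;' is missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a typical dhcpd.conf before hardening.  "deny declines"
# here sits inside the subnet block, so it must not satisfy the global check.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ddns-update-style interim;   # publishes client names via DDNS
default-lease-time 600;
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    deny declines;
}
EOF

# Constructed sample: the same server with the three global options applied.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
ddns-update-style none;
deny declines;
deny   bootp;
default-lease-time 600;
subnet 192.0.2.0 netmask 255.255.255.0 { range 192.0.2.100 192.0.2.200; }
EOF
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

echo "== before hardening"; dhcpd_audit "$WEAK_CONF" || true
echo "== after hardening";  dhcpd_audit "$GOOD_CONF"
```

Point the functions at /etc/dhcp/dhcpd.conf on a real server; the scope tracking is what makes the check trustworthy, because dhcpd accepts deny declines inside a subnet or group block and silently leaves every other scope unprotected.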
Configure Logging
Rule ID | xccdf_org.ssgproject.content_rule_dhcp_server_configure_logging |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: AU-12 |
Description | Ensure that the following line exists in /etc/rsyslog.conf:
daemon.* /var/log/daemon.log
rsyslog selectors are additive, so daemon messages will continue to reach /var/log/messages as well unless daemon.none is added to that rule. Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process. |
Rationale | By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section |
Disable DHCP Client
Rule ID | xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description |
For each interface on the system (e.g. eth0), edit
|
Rationale | DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances. |
Enable the NTP Daemon
Rule ID | xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description |
The chronyd service can be enabled with the following command:
$ sudo systemctl enable chronyd.service
Note: The chronyd daemon is enabled by default.
The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.service
Note: The ntpd daemon is not enabled by default. As mentioned in the previous sections, in certain environments ntpd may be preferred over chronyd. Refer to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for guidance on which NTP daemon to choose for the environment in use.
Enable only one of the two: both listen on UDP port 123, and the chronyd.service unit on RHEL 7 declares a conflict with ntpd.service, so starting one stops the other.
|
Rationale | Enabling some of |
Specify a Remote NTP Server
Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AU-8(1), 160, Req-10.4.1, Req-10.4.3, 3.6, 3.3.7 |
Description | Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 7 Server system can be
configured to utilize the services of the chronyd daemon (the default) or of the ntpd daemon. To specify a remote NTP server for time synchronization, edit /etc/chrony.conf (chronyd) or /etc/ntp.conf (ntpd) and add or correct the following line, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data. |
Rationale | Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. |
Specify Additional Remote NTP Servers
Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: AU-8(1), Req-10.4.3 |
Description | Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 7 Server system can be
configured to utilize the services of the chronyd daemon (the default) or of the ntpd daemon. To specify additional remote NTP servers, edit /etc/chrony.conf (chronyd) or /etc/ntp.conf (ntpd) and add one line of the following form for each additional server, substituting its IP address or hostname for ntpserver:
server ntpserver |
Rationale | Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems. |
Configure NTP Maxpoll Interval
Rule ID | xccdf_org.ssgproject.content_rule_ntp_set_maxpoll |
Result | fail |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: AU-8(1)(a), 1891, 2046, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144 |
Description | The maxpoll option should be set to 17 on every server line in /etc/ntp.conf (ntpd) or /etc/chrony.conf (chronyd), for example:
server ntpserver iburst maxpoll 17
maxpoll is an exponent: a value of 17 means the daemon will never let the polling interval grow beyond 2^17 seconds (about 36 hours). Note that the automated check below only reads /etc/ntp.conf; a system that uses chronyd must be verified by hand against /etc/chrony.conf. |
Rationale | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. |
OVAL details | Items not found violating check if maxpoll is set in /etc/ntp.conf:
Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type textfilecontent54_object
State oval:ssg-state_ntp_set_maxpoll:ste:1 of type textfilecontent54_state
|
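The three NTP rules above (a remote server, additional servers, maxpoll 17) all come down to the server, pool and peer lines of /etc/ntp.conf or /etc/chrony.conf, and the maxpoll check that failed in this scan is the one most often missed because the option must be repeated on every source line. The script below is an added example, not part of the SCAP Security Guide or its OVAL content; the host names and sample files are constructed for the example. It lists the configured sources, extracts the maxpoll value from each, converts the exponent into seconds, and fails if any source lacks the required value or if fewer sources than required are defined.

```shell
#!/bin/bash
# Added example, not part of the SCAP guide: audit the time-source lines of an
# ntp.conf or chrony.conf for an explicit "maxpoll" of the required value and
# for the number of configured sources.  Host names and sample files are
# constructed for this example.

# Both ntpd and chronyd use the same "server|pool|peer HOST [options]" syntax,
# and both accept "maxpoll N" on those lines.
ntp_source_lines() {
    sed 's/#.*$//' "$1" | awk '$1 == "server" || $1 == "pool" || $1 == "peer"'
}

# ntp_maxpoll_of "LINE": print the maxpoll value on one source line, or nothing.
ntp_maxpoll_of() {
    printf '%s\n' "$1" | awk '{ for (i = 2; i < NF; i++) if ($i == "maxpoll") print $(i + 1) }'
}

# maxpoll is an exponent of two: the daemon never lets the polling interval
# exceed 2^N seconds.  ntp_poll_seconds 17 -> 131072 (about 36 hours).
ntp_poll_seconds() {
    echo $((1 << $1))
}

# ntp_audit FILE MAXPOLL [MIN_SOURCES]: PASS/FAIL per source line; returns 1
# if any source lacks "maxpoll MAXPOLL" or fewer than MIN_SOURCES (default 1)
# sources are defined.
ntp_audit() {
    rc=0; count=0; min=${3:-1}
    while read -r line; do
        [ -n "$line" ] || continue
        count=$((count + 1))
        mp=$(ntp_maxpoll_of "$line")
        if [ "$mp" = "$2" ]; then
            echo "PASS: $line"
        else
            echo "FAIL (maxpoll=${mp:-unset}, want $2): $line"
            rc=1
        fi
    done <<EOF
$(ntp_source_lines "$1")
EOF
    if [ "$count" -lt "$min" ]; then
        echo "FAIL: $count time source(s) configured, want at least $min"
        rc=1
    fi
    return $rc
}

NTP_WEAK=$(mktemp)
cat > "$NTP_WEAK" <<'EOF'
# constructed sample: one source, no maxpoll; ntpd defaults it to 10 (1024 s)
driftfile /var/lib/ntp/drift
server ntp1.example.com iburst
EOF

NTP_GOOD=$(mktemp)
cat > "$NTP_GOOD" <<'EOF'
# constructed sample: two sources, both capped at maxpoll 17
driftfile /var/lib/ntp/drift
server ntp1.example.com iburst maxpoll 17
server ntp2.example.com iburst maxpoll 17
EOF
trap 'rm -f "$NTP_WEAK" "$NTP_GOOD"' EXIT

echo "maxpoll 17 caps the poll interval at $(ntp_poll_seconds 17) seconds"
echo "== before"; ntp_audit "$NTP_WEAK" 17 2 || true
echo "== after";  ntp_audit "$NTP_GOOD" 17 2
```

Run it with MIN_SOURCES set to 1 for the remote-server rule and 2 for the additional-servers rule; run it once against whichever of /etc/ntp.conf and /etc/chrony.conf belongs to the daemon that is actually enabled.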
Disable Postfix Network Listening
Rule ID | xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description |
Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = localhost |
Rationale |
This ensures |
Enable Postfix Service
Rule ID | xccdf_org.ssgproject.content_rule_service_postfix_enabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The Postfix mail transfer agent is used for local mail delivery
within the system. The default configuration only listens for connections to
the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is
recommended to leave this service enabled for local mail delivery.
The postfix service can be enabled with the following command:
$ sudo systemctl enable postfix.service |
Rationale | Local mail delivery is essential to some system maintenance and notification tasks. |
Uninstall Sendmail Package
Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: CM-7 |
Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo yum erase sendmail |
Rationale | The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. |
Configure LDAP Client to Use TLS For All Transactions
Rule ID | xccdf_org.ssgproject.content_rule_ldap_client_start_tls |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-17(2), CM-7, 1453, SRG-OS-000250-GPOS-00093 |
Description | This check verifies that RHEL7 implements cryptography
to protect the integrity of remote LDAP authentication sessions.
To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is
configured to use TLS, use the following command:
$ sudo grep -i ssl /etc/pam_ldap.conf
The expected result is a line reading ssl start_tls. On RHEL 7 the nss-pam-ldapd client reads /etc/nslcd.conf rather than /etc/pam_ldap.conf, which is why the automated check below inspects /etc/nslcd.conf; check whichever file the system's LDAP client actually uses. |
Rationale | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. |
OVAL details | Items not found satisfying: Tests the value of the ssl start_tls setting in the /etc/nslcd.conf file
Object oval:ssg-obj_ldap_client_start_tls_ssl:obj:1 of type textfilecontent54_object
|
Configure Certificate Directives for LDAP Use of TLS
Rule ID | xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | Ensure a copy of a trusted CA certificate has been placed in
the file /etc/pki/tls/CA/cacert.pem. Configure the LDAP client to trust certificates signed by that CA by adding or correcting one of the following directives in the LDAP client configuration (/etc/nslcd.conf on RHEL 7, or /etc/pam_ldap.conf):
tls_cacertdir /etc/pki/tls/CA
or
tls_cacertfile /etc/pki/tls/CA/cacert.pem
Then review the LDAP server and ensure TLS has been configured. |
Rationale | The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the certificates signed by the site CA that the client will trust. |
Uninstall openldap-servers Package
Rule ID | xccdf_org.ssgproject.content_rule_package_openldap-servers_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The openldap-servers package can be removed with the following command:
$ sudo yum erase openldap-servers
The openldap-servers RPM is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. |
Rationale | Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. |
Disable Network File System Lock Service (nfslock)
Rule ID | xccdf_org.ssgproject.content_rule_service_nfslock_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.8 |
Description | The Network File System Lock (nfslock) service starts the required
remote procedure call (RPC) processes which allow clients to lock files on the
server. If the local system is not configured to mount NFS filesystems then
this service should be disabled.
The nfslock service can be disabled with the following command:
$ sudo systemctl disable nfslock.service |
Disable Secure RPC Client Service (rpcgssd)
Rule ID | xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.8 |
Description |
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client-side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled.
The rpcgssd service can be disabled with the following command:
$ sudo systemctl disable rpcgssd.service |
Disable rpcbind Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rpcbind_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.8 |
Description |
The rpcbind utility maps RPC services to the ports on which they listen. RPC
processes notify rpcbind when they start, registering the ports they are
listening on and the RPC program numbers they expect to serve. The rpcbind
service redirects the client to the proper port number so it can communicate
with the requested service. If the system does not require RPC (such as for NFS
servers) then this service should be disabled.
The rpcbind service can be disabled with the following command:
$ sudo systemctl disable rpcbind.service |
Disable RPC ID Mapping Service (rpcidmapd)
Rule ID | xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.8 |
Description | The rpcidmapd service is used to map user names and groups to UID
and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
this service should be disabled.
The rpcidmapd service can be disabled with the following command:
$ sudo systemctl disable rpcidmapd.service |
Configure lockd to use static TCP port
Rule ID | xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Configure the LOCKD_TCPPORT option in /etc/sysconfig/nfs:
LOCKD_TCPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on
your network.
|
Rationale | Restrict service to always use a given port, so that firewalling can be done effectively. |
Configure lockd to use static UDP port
Rule ID | xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Configure the LOCKD_UDPPORT option in /etc/sysconfig/nfs:
LOCKD_UDPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on
your network.
|
Rationale | Restricting services to always use a given port enables firewalling to be done more effectively. |
Configure statd to use static port
Rule ID | xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Configure the STATD_PORT option in /etc/sysconfig/nfs:
STATD_PORT=statd-port
Where statd-port is a port which is not used by any other service on your network.
|
Rationale | Restricting services to always use a given port enables firewalling to be done more effectively. |
Configure mountd to use static port
Rule ID | xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Configure the MOUNTD_PORT option in /etc/sysconfig/nfs:
MOUNTD_PORT=mountd-port
Where mountd-port is a port which is not used by any other service on your network.
|
Rationale | Restricting services to always use a given port enables firewalling to be done more effectively. |
Specify UID and GID for Anonymous NFS Connections
Rule ID | xccdf_org.ssgproject.content_rule_nfs_no_anonymous |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | To specify the UID and GID for remote root users, edit /etc/exports and add the following options to the option list of each export:
anonuid=value,anongid=value
where value is the UID and GID of a local account that holds no privileges on the system (on RHEL 7 the nfsnobody user and group, UID/GID 65534). Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used. |
Rationale | Specifying the anonymous UID and GID ensures that the remote root user is mapped to a local account which has no permissions on the system. |
Disable Network File System (nfs)
Rule ID | xccdf_org.ssgproject.content_rule_service_nfs_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: AC-3 |
Description | The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local system. If the local system
is not designated as a NFS server then this service should be disabled.
The nfs service can be disabled with the following command:
$ sudo systemctl disable nfs.service |
Rationale | Unnecessary services should be disabled to decrease the attack surface of the system. |
Disable Secure RPC Server Service (rpcsvcgssd)
Rule ID | xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The rpcsvcgssd service manages RPCSEC GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server-side of RPCSEC GSS. If the system does not require secure
RPC then this service should be disabled.
The rpcsvcgssd service can be disabled with the following command:
$ sudo systemctl disable rpcsvcgssd.service |
Rationale | Unnecessary services should be disabled to decrease the attack surface of the system. |
Mount Remote Filesystems with nodev
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description |
Add the |
Rationale | Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. |
Mount Remote Filesystems with nosuid
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227 |
Description |
Add the |
Rationale | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. |
OVAL details | Items not found satisfying no nfs:
Object oval:ssg-object_no_nfs_defined_etc_fstab_nosuid:obj:1 of type textfilecontent54_object
Items not found satisfying all nfs has nosuid:
Object oval:ssg-object_nfs_nosuid_etc_fstab:obj:1 of type textfilecontent54_object
State oval:ssg-state_remote_filesystem_nosuid:ste:1 of type textfilecontent54_state
|
Mount Remote Filesystems with noexec
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-6, 366, SRG-OS-000480-GPOS-00227 |
Description |
Add the |
Rationale | The noexec mount option prevents the system from executing binaries located on the mounted file system. It should be used on any file system that does not need to supply approved executables. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. |
OVAL details | Items not found satisfying no nfs:
Object oval:ssg-object_no_nfs_defined_etc_fstab_noexec:obj:1 of type textfilecontent54_object
Items not found satisfying all nfs has noexec:
Object oval:ssg-object_nfs_noexec_etc_fstab:obj:1 of type textfilecontent54_object
State oval:ssg-state_remote_filesystem_noexec:ste:1 of type textfilecontent54_state
|
Mount Remote Filesystems with Kerberos Security
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-14(1), 366, SRG-OS-000480-GPOS-00227 |
Description |
Add the |
Rationale | When an NFS server is configured to use AUTH_SYS, the client simply asserts a user ID and group ID with each request, and those values could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication (mount option sec=krb5, sec=krb5i or sec=krb5p) instead authenticates the client and user with Kerberos credentials held on the server and client systems, which makes the remote mount request and the requests that follow it much harder to forge. krb5 authenticates only; krb5i adds integrity protection and krb5p adds encryption of the NFS traffic. |
OVAL details | Items not found satisfying no nfs:
Object oval:ssg-object_no_nfs_defined_etc_fstab_krb_sec:obj:1 of type textfilecontent54_object
Items not found satisfying all nfs has krb_sec:
Object oval:ssg-object_nfs_krb_sec_etc_fstab:obj:1 of type textfilecontent54_object
State oval:ssg-state_remote_filesystem_krb_sec:ste:1 of type textfilecontent54_state
|
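The four remote-filesystem rules above (nodev, nosuid, noexec and a Kerberos security flavour) are all checked against the fourth column of /etc/fstab, and all four pass on this system only because no NFS entry exists. The script below is an added example, not part of the SCAP Security Guide or its OVAL content; the server names and the sample fstab files are constructed for the example. It audits every nfs/nfs4 entry for the four options and also produces a hardened copy of the file, adding the missing options to each NFS line so the result can be reviewed before it replaces /etc/fstab.

```shell
#!/bin/bash
# Added example, not part of the SCAP guide: audit every NFS entry in an fstab
# for the nodev, nosuid and noexec options and a Kerberos security flavour
# (sec=krb5, krb5i or krb5p), then emit a hardened copy.  Server names and
# sample files are constructed for this example.

# fstab_nfs_audit FILE: one PASS/FAIL line per nfs/nfs4 entry listing what is
# missing; returns 1 if any entry is incomplete.  With no NFS entries at all
# it returns 0, which matches how the OVAL checks above behave.
fstab_nfs_audit() {
    rc=0
    while read -r spec mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        missing=""
        for need in nodev nosuid noexec; do
            case ",$opts," in *,"$need",*) ;; *) missing="$missing $need" ;; esac
        done
        # sec= may list several flavours (sec=krb5p:krb5i); require a krb5
        # flavour to be the first one named.
        case ",$opts," in *,sec=krb5*) ;; *) missing="$missing sec=krb5{,i,p}" ;; esac
        if [ -z "$missing" ]; then
            echo "PASS: $spec on $mnt ($opts)"
        else
            echo "FAIL: $spec on $mnt is missing:$missing"
            rc=1
        fi
    done <<EOF
$(sed 's/#.*$//' "$1" | awk 'NF >= 4')
EOF
    return $rc
}

# fstab_nfs_harden FILE: print FILE with nodev,nosuid,noexec added to every
# NFS entry that lacks them and sec=krb5p added where no sec= option exists.
# An existing sec= (such as sec=sys) is left alone for the audit to flag,
# because switching flavours also needs the export and a client keytab ready.
fstab_nfs_harden() {
    awk '
    /^[ \t]*#/ || NF < 4 || ($3 != "nfs" && $3 != "nfs4") { print; next }
    {
        opts = $4
        n = split("nodev nosuid noexec", need, " ")
        for (k = 1; k <= n; k++)
            if (("," opts ",") !~ ("," need[k] ",")) opts = opts "," need[k]
        if (opts !~ /(^|,)sec=/) opts = opts ",sec=krb5p"
        $4 = opts
        print
    }' "$1"
}

FSTAB_WEAK=$(mktemp)
cat > "$FSTAB_WEAK" <<'EOF'
# constructed sample /etc/fstab before hardening
UUID=6f2c1c1e-example          /      xfs   defaults       0 0
nfs1.example.com:/export/home  /home  nfs   defaults       0 0
nfs1.example.com:/export/data  /data  nfs4  nodev,nosuid   0 0
EOF

FSTAB_GOOD=$(mktemp)
cat > "$FSTAB_GOOD" <<'EOF'
# constructed sample /etc/fstab with every NFS entry hardened
UUID=6f2c1c1e-example          /      xfs   defaults                        0 0
nfs1.example.com:/export/home  /home  nfs   nodev,nosuid,noexec,sec=krb5p   0 0
nfs1.example.com:/export/data  /data  nfs4  nodev,nosuid,noexec,sec=krb5i   0 0
EOF
trap 'rm -f "$FSTAB_WEAK" "$FSTAB_GOOD"' EXIT

echo "== before"; fstab_nfs_audit "$FSTAB_WEAK" || true
echo "== after";  fstab_nfs_audit "$FSTAB_GOOD"
echo "== hardened copy of the weak file"; fstab_nfs_harden "$FSTAB_WEAK"
```

The audit only covers /etc/fstab, as the OVAL content does; mounts made by hand or by autofs are not seen, so compare against the live mount table as well. The hardened output rewrites NFS lines with single-space field separators, which fstab parsers accept.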
Use Root-Squashing on All Exports
Rule ID | xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
|
Rationale | If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system. |
Restrict NFS Clients to Privileged Ports
Rule ID | xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: AC-3 |
Description | By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over systems connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not be changed.
|
Rationale | Allowing client requests to be made from ports higher than 1024 could allow an unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server. |
Ensure Insecure File Locking is Not Allowed
Rule ID | xccdf_org.ssgproject.content_rule_no_insecure_locks_exports |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: 764 |
Description | By default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests, however, there are a few
clients that do not send credentials when requesting a file-lock, allowing the
client to only be able to lock world-readable files. To get around this, the
|
Rationale | Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. |
Use Kerberos Security on All Exports
Rule ID | xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: AC-14(1), 366, SRG-OS-000480-GPOS-00227 |
Description |
Using Kerberos on all exported mounts prevents a malicious client or user from
impersonating a system user. To cryptographically authenticate users to the NFS server,
add |
Rationale | When an NFS server is configured to use AUTH_SYS, the client simply asserts a user ID and group ID with each request, and those values could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication (export option sec=krb5, sec=krb5i or sec=krb5p) instead authenticates the client and user with Kerberos credentials held on the server and client systems, which makes the remote mount request and the requests that follow it much harder to forge. |
Disable DNS Server
Rule ID | xccdf_org.ssgproject.content_rule_service_named_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description |
The named service can be disabled with the following command:
$ sudo systemctl disable named.service |
Rationale | All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. |
Uninstall bind Package
Rule ID | xccdf_org.ssgproject.content_rule_package_bind_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | To remove the bind package, which contains the named service, run the following command:
$ sudo yum erase bind |
Rationale | If there is no need to make DNS server software available, removing it provides a safeguard against its activation. |
Disable Zone Transfers from the Nameserver
Rule ID | xccdf_org.ssgproject.content_rule_dns_server_disable_zone_transfers |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Is it necessary for a secondary nameserver to receive zone data
via zone transfer from the primary server? If not, follow the instructions in
this section. If so, see the next section for instructions on protecting zone
transfers.
Add or correct the following directive within /etc/named.conf:
options {
    allow-transfer { none; };
    ...
} |
Rationale | If both the primary and secondary nameserver are under your control, or if you have only one nameserver, it may be possible to use an external configuration management mechanism to distribute zone updates. In that case, it is not necessary to allow zone transfers within BIND itself, so they should be disabled to avoid the potential for abuse. |
Authenticate Zone Transfers
Rule ID | xccdf_org.ssgproject.content_rule_dns_server_authenticate_zone_transfers |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory:
$ cd /tmp
$ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
Kdns.example.com.+NNN+MMMMM
This output is the name of a file containing the new key. Read the file to find the base64-encoded key string:
$ sudo cat Kdns.example.com.+NNN+MMMMM.key
dns.example.com IN KEY 512 3 157 base64-key-string
Add the directives to /etc/named.conf on the primary server:
key zone-transfer-key {
    algorithm hmac-md5;
    secret "base64-key-string";
};
zone "example.com" IN {
    type master;
    allow-transfer { key zone-transfer-key; };
    ...
};
Add the directives below to /etc/named.conf on the secondary nameserver:
key zone-transfer-key {
    algorithm hmac-md5;
    secret "base64-key-string";
};
server IP-OF-MASTER {
    keys { zone-transfer-key; };
};
zone "example.com" IN {
    type slave;
    masters { IP-OF-MASTER; };
    ...
};
The example uses HMAC-MD5 because that is what this version of the guide specifies; where both servers support it, generate the key with -a HMAC-SHA256 and use algorithm hmac-sha256; in named.conf instead, since HMAC-MD5 is discouraged for TSIG. The key stanza must be identical on both servers, and named.conf must not be world-readable, because anyone who can read the secret can request a transfer. |
Rationale | The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort. |
Warnings | warning
The purpose of the dnssec-keygen command is to
create the shared secret string base64-key-string. Once this secret has been
obtained and inserted into named.conf on the primary and secondary servers, the
key files Kdns.example.com.+NNN+MMMMM.key and Kdns.example.com.+NNN+MMMMM.private
are no longer needed, and may safely be deleted. |
Disable Dynamic Updates
Rule ID | xccdf_org.ssgproject.content_rule_dns_server_disable_dynamic_updates |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Is there a mission-critical reason to enable the risky dynamic
update functionality? If not, edit /etc/named.conf and add or correct the following directive within each zone statement:
zone "example.com" IN {
    allow-update { none; };
    ...
}; |
Rationale | Dynamic updates allow remote servers to add, delete, or modify any entries in your zone file. Therefore, they should be considered highly risky, and disabled unless there is a very good reason for their use. If dynamic updates must be allowed, IP-based ACLs are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see the previous section for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed. |
Disable vsftpd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_vsftpd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description |
The vsftpd service can be disabled with the following command:
$ sudo systemctl disable vsftpd.service |
Rationale | Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information. |
Uninstall vsftpd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_vsftpd_removed |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: CM-6(b), CM-7, 366, SRG-OS-000480-GPOS-00227, 3.10 |
Description |
The vsftpd package can be removed with the following command:
$ sudo yum erase vsftpd |
Rationale | Removing the vsftpd package decreases the risk of its accidental activation. |
OVAL details | Items not found satisfying package vsftpd is removed:
Object oval:ssg-obj_package_vsftpd_removed:obj:1 of type rpminfo_object
|
Install vsftpd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_vsftpd_installed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | If this system must operate as an FTP server, install the vsftpd package with the following command:
$ sudo yum install vsftpd |
Rationale | After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended. |
Restrict Access to Anonymous Users if Possible
Rule ID | xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
local_enable=NO
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible. |
Rationale | The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. |
Enable Logging of All FTP Transactions
Rule ID | xccdf_org.ssgproject.content_rule_ftp_log_transactions |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Add or correct the following configuration options within the vsftpd configuration file (/etc/vsftpd/vsftpd.conf):
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES |
Rationale | To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log
format. The default vsftpd log file is |
Warnings | warning
If verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.log |
Disable FTP Uploads if Possible
Rule ID | xccdf_org.ssgproject.content_rule_ftp_disable_uploads |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration option:
write_enable=NO
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as much as possible. |
Rationale | Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory. |
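The three vsftpd rules above (local_enable=NO, the three logging options, write_enable=NO) are all key=value lines in the vsftpd configuration file. The script below is an added example, not part of the SCAP Security Guide or its OVAL content; the sample files are constructed for the example, and on RHEL 7 the real file is /etc/vsftpd/vsftpd.conf. It reads each setting exactly as the guide spells it, treats an unset key as a failure (the compiled-in default would then be in effect), and reports a key that is assigned more than once instead of guessing which assignment vsftpd honours.

```shell
#!/bin/bash
# Added example, not part of the SCAP guide: audit a vsftpd configuration for
# the settings in the three rules above (local_enable=NO, the three logging
# options, write_enable=NO).  The sample files are constructed for this
# example; the real file on RHEL 7 is /etc/vsftpd/vsftpd.conf.

# vsftpd_get FILE KEY: print the value of every uncommented KEY=VALUE line.
# Only whole-line comments (lines starting with '#') are dropped.  Splitting
# on the first '=' keeps values that themselves contain '='.
vsftpd_get() {
    grep -v '^[[:space:]]*#' "$1" | awk -v k="$2" '
        { eq = index($0, "=") }
        eq > 0 {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == k) print val
        }'
}

# vsftpd_expect FILE KEY VALUE: PASS only when KEY is set exactly once and to
# VALUE, spelled as the guide gives it.  Duplicates are reported rather than
# guessing which one wins, and an unset key fails because the compiled-in
# default is then in effect.
vsftpd_expect() {
    vals=$(vsftpd_get "$1" "$2")
    n=$(printf '%s\n' "$vals" | grep -c . || true)
    if [ "$n" -eq 1 ] && [ "$vals" = "$3" ]; then
        echo "PASS: $2=$3"
        return 0
    fi
    echo "FAIL: $2 should be $3, found ${vals:-unset} ($n assignment(s))"
    return 1
}

# vsftpd_audit FILE: PASS/FAIL per setting; returns 1 on any failure.
vsftpd_audit() {
    rc=0
    for kv in local_enable=NO xferlog_enable=YES xferlog_std_format=NO \
              log_ftp_protocol=YES write_enable=NO; do
        vsftpd_expect "$1" "${kv%%=*}" "${kv#*=}" || rc=1
    done
    return $rc
}

VSFTPD_WEAK=$(mktemp)
cat > "$VSFTPD_WEAK" <<'EOF'
# constructed sample resembling a stock vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
EOF

VSFTPD_GOOD=$(mktemp)
cat > "$VSFTPD_GOOD" <<'EOF'
# constructed sample: anonymous download only, verbose protocol logging
anonymous_enable=YES
local_enable=NO
write_enable=NO
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
EOF
trap 'rm -f "$VSFTPD_WEAK" "$VSFTPD_GOOD"' EXIT

echo "== before"; vsftpd_audit "$VSFTPD_WEAK" || true
echo "== after";  vsftpd_audit "$VSFTPD_GOOD"
```

Because vsftpd itself accepts case variations of YES and NO, a file that sets write_enable=no is functionally compliant but is still reported here, which is the same strictness the page's own grep-based checks apply.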
Place the FTP Home Directory on its Own Partition
Rule ID | xccdf_org.ssgproject.content_rule_ftp_home_partition |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition. |
Rationale | If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services. |
Disable httpd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_httpd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | The httpd service can be disabled with the following command: $ sudo systemctl disable httpd.service |
Rationale | Running web server software provides a network-based avenue of attack, and should be disabled if not needed. |
Uninstall httpd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_httpd_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The httpd package can be removed with the following command: $ sudo yum erase httpd |
Rationale | If there is no need to make the web server software available, removing it provides a safeguard against its activation. |
Set httpd ServerTokens Directive to Prod
Rule ID | xccdf_org.ssgproject.content_rule_httpd_servertokens_prod |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Set the ServerTokens directive to Prod in the httpd configuration: ServerTokens Prod |
Rationale | Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. |
Set httpd ServerSignature Directive to Off
Rule ID | xccdf_org.ssgproject.content_rule_httpd_serversignature_off |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Set the ServerSignature directive to Off in the httpd configuration: ServerSignature Off |
Rationale | Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. |
Disable HTTP Digest Authentication
Rule ID | xccdf_org.ssgproject.content_rule_httpd_digest_authentication |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If HTTP Digest Authentication is unnecessary, comment out the related module: #LoadModule auth_digest_module modules/mod_auth_digest.so |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable HTTP mod_rewrite
Rule ID | xccdf_org.ssgproject.content_rule_httpd_mod_rewrite |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If mod_rewrite is unnecessary, comment out the related module: #LoadModule rewrite_module modules/mod_rewrite.so |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable LDAP Support
Rule ID | xccdf_org.ssgproject.content_rule_httpd_ldap_support |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If LDAP support is unnecessary, comment out the related modules: #LoadModule ldap_module modules/mod_ldap.so #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so If LDAP is to be used, SSL encryption should be used as well. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable Server Side Includes
Rule ID | xccdf_org.ssgproject.content_rule_httpd_server_side_includes |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related module: #LoadModule include_module modules/mod_include.so If there is a critical need for Server Side Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary code execution. Additionally, user-supplied data should be encoded to prevent cross-site scripting vulnerabilities. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable MIME Magic
Rule ID | xccdf_org.ssgproject.content_rule_httpd_mime_magic |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If MIME Magic is unnecessary, comment out the related module: #LoadModule mime_magic_module modules/mod_mime_magic.so |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable WebDAV (Distributed Authoring and Versioning)
Rule ID | xccdf_org.ssgproject.content_rule_httpd_webdav |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules: #LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_module modules/mod_dav_fs.so If there is a critical need for WebDAV, extra care should be taken in its configuration. Since DAV access allows remote clients to manipulate server files, any location on the server that is DAV enabled should be protected by access controls. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable Server Activity Status
Rule ID | xccdf_org.ssgproject.content_rule_httpd_server_activity_status |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If the server activity status page is unnecessary, comment out the related module: #LoadModule status_module modules/mod_status.so If there is a critical need for this module, ensure that access to the status page is properly restricted to a limited set of hosts in the status handler configuration. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable Web Server Configuration Display
Rule ID | xccdf_org.ssgproject.content_rule_httpd_server_configuration_display |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If the web server configuration display is unnecessary, comment out the related module: #LoadModule info_module modules/mod_info.so If there is a critical need for this module, use the Location directive to provide an access control list to restrict access to the information. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable URL Correction on Misspelled Entries
Rule ID | xccdf_org.ssgproject.content_rule_httpd_url_correction |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If URL correction on misspelled entries is unnecessary, comment out the related module: #LoadModule speling_module modules/mod_speling.so This functionality weakens server security by making site enumeration easier. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable Proxy Support
Rule ID | xccdf_org.ssgproject.content_rule_httpd_proxy_support |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If proxy support is unnecessary, comment out the related module: #LoadModule proxy_module modules/mod_proxy.so If proxy support is needed, load mod_proxy and the appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or mod_proxy_connect). Additionally, make certain that a server is secure before enabling proxying, as open proxy servers are a security risk. mod_proxy_balancer enables load balancing, but requires that mod_status be enabled. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable Cache Support
Rule ID | xccdf_org.ssgproject.content_rule_httpd_cache_support |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If cache support is unnecessary, comment out the related module: #LoadModule cache_module modules/mod_cache.so If caching is required, it should not be enabled for any limited-access content. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Disable CGI Support
Rule ID | xccdf_org.ssgproject.content_rule_httpd_cgi_support |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | If CGI support is unnecessary, comment out the related module: #LoadModule cgi_module modules/mod_cgi.so If the web server requires the use of CGI, enable mod_cgi. |
Rationale | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. |
Restrict Root Directory
Rule ID | xccdf_org.ssgproject.content_rule_httpd_restrict_root_directory |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Restrict the root directory in the httpd configuration with the following Directory block: <Directory /> Options None AllowOverride None Order allow,deny </Directory> |
Rationale | The Web Server's root directory content should be protected from unauthorized access by web clients. |
Restrict Web Directory
Rule ID | xccdf_org.ssgproject.content_rule_httpd_restrict_web_directory |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The default configuration for the web directory (/var/www/html) should be restricted as follows: <Directory "/var/www/html"> # ... Options SymLinksIfOwnerMatch # ... </Directory> |
Rationale | Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access. |
Restrict Other Critical Directories
Rule ID | xccdf_org.ssgproject.content_rule_httpd_restrict_critical_directories |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | All accessible web directories should be configured with similarly restrictive settings. The |
Rationale | Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information. |
Limit Available Methods
Rule ID | xccdf_org.ssgproject.content_rule_httpd_limit_available_methods |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the implementation of all available methods, they should be disabled. <Directory /var/www/html> # ... # Only allow specific methods (this command is case-sensitive!) <LimitExcept GET POST> Order allow,deny </LimitExcept> # ... </Directory> |
Rationale | Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server. |
Install mod_ssl
Rule ID | xccdf_org.ssgproject.content_rule_httpd_install_mod_ssl |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Install the mod_ssl package: $ sudo yum install mod_ssl |
Rationale | |
Install mod_security
Rule ID | xccdf_org.ssgproject.content_rule_httpd_install_mod_security |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Install the mod_security package: $ sudo yum install mod_security |
Rationale | |
Set Permissions on the /var/log/httpd/ Directory
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: CM-7 |
Description | Ensure that the permissions on the web server log directory are set to 700: $ sudo chmod 700 /var/log/httpd/ This is its default setting. |
Rationale | Access to the web server's log files may allow an unauthorized user or attacker to access information about the web server or alter the server's log files. |
Set Permissions on the /etc/httpd/conf/ Directory
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_etc_httpd_conf |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | To properly set the permissions of the /etc/httpd/conf/ directory, run: $ sudo chmod 0750 /etc/httpd/conf |
Rationale | Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files. |
Disable Dovecot Service
Rule ID | xccdf_org.ssgproject.content_rule_service_dovecot_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The dovecot service can be disabled with the following command: $ sudo systemctl disable dovecot.service |
Rationale | Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. |
Uninstall dovecot Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dovecot_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.12 |
Description | The dovecot package can be removed with the following command: $ sudo yum erase dovecot |
Rationale | If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. |
Enable the SSL flag in /etc/dovecot.conf
Rule ID | xccdf_org.ssgproject.content_rule_dovecot_enable_ssl |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | To allow clients to make encrypted connections, set the following in the Dovecot configuration: ssl = yes |
Rationale | SSL encrypts network traffic between the Dovecot server and its clients, protecting user credentials and mail as it is downloaded; clients may also use SSL certificates to authenticate the server, preventing another system from impersonating it. |
Configure Dovecot to Use the SSL Certificate file
Rule ID | xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_cert |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | This option tells Dovecot where to find the mail server's SSL Certificate. ssl_cert = </etc/pki/dovecot/certs/dovecot.pem |
Rationale | SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. |
Configure Dovecot to Use the SSL Key file
Rule ID | xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_key |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | This option tells Dovecot where to find the mail server's SSL Key. ssl_key = </etc/pki/dovecot/private/dovecot.pem |
Rationale | SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. |
Disable Plaintext Authentication
Rule ID | xccdf_org.ssgproject.content_rule_dovecot_disable_plaintext_auth |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | To prevent Dovecot from attempting plaintext authentication of clients, edit the Dovecot configuration and set: disable_plaintext_auth = yes |
Rationale | Using plain text authentication to the mail server could allow an attacker access to credentials by monitoring network traffic. |
Disable Quagga Service
Rule ID | xccdf_org.ssgproject.content_rule_service_zebra_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: SC-32, 366, SRG-OS-000480-GPOS-00227 |
Description | The zebra service can be disabled with the following command: $ sudo systemctl disable zebra.service |
Rationale | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network. |
Uninstall quagga Package
Rule ID | xccdf_org.ssgproject.content_rule_package_quagga_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | References: SC-32, 366, SRG-OS-000480-GPOS-00227 |
Description | The quagga package can be removed with the following command: $ sudo yum erase quagga |
Rationale | Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network. |
Disable Samba
Rule ID | xccdf_org.ssgproject.content_rule_service_smb_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 1436 |
Description | The smb service can be disabled with the following command: $ sudo systemctl disable smb.service |
Rationale | Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed. |
Uninstall Samba Package
Rule ID | xccdf_org.ssgproject.content_rule_package_samba_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.13 |
Description | The samba package can be removed with the following command: $ sudo yum erase samba |
Rationale | If there is no need to make the Samba software available, removing it provides a safeguard against its activation. |
Install the Samba Common Package
Rule ID | xccdf_org.ssgproject.content_rule_package_samba-common_installed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | The samba-common package can be installed with the following command: $ sudo yum install samba-common |
Rationale | If the samba-common package is not installed, samba cannot be configured. |
Disable Root Access to SMB Shares
Rule ID | xccdf_org.ssgproject.content_rule_smb_server_disable_root |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Administrators should not use administrator accounts to access Samba file and printer shares. Disable the root user and the wheel administrator group: [share] invalid users = root @wheel If administrator accounts cannot be disabled, ensure that local system passwords and Samba service passwords do not match. |
Rationale | Typically, administrator access is required when Samba must create user and system accounts and shares. Domain member servers and standalone servers may not need administrator access at all. If that is the case, add the invalid users parameter to |
Require Client SMB Packet Signing, if using smbclient
Rule ID | xccdf_org.ssgproject.content_rule_require_smb_client_signing |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | To require samba clients running smbclient to use packet signing, set: client signing = mandatory Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing. |
Rationale | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. |
Require Client SMB Packet Signing, if using mount.cifs
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | Require packet signing of clients who mount Samba shares using the |
Rationale | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. |
Disable Squid
Rule ID | xccdf_org.ssgproject.content_rule_service_squid_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The squid service can be disabled with the following command: $ sudo systemctl disable squid.service |
Rationale | Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. |
Uninstall squid Package
Rule ID | xccdf_org.ssgproject.content_rule_package_squid_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.14 |
Description | The squid package can be removed with the following command: $ sudo yum erase squid |
Rationale | If there is no need to make the proxy server software available, removing it provides a safeguard against its activation. |
Disable snmpd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_snmpd_disabled |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | |
Description | The snmpd service can be disabled with the following command: $ sudo systemctl disable snmpd.service |
Rationale | Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed. |
Uninstall net-snmp Package
Rule ID | xccdf_org.ssgproject.content_rule_package_net-snmp_removed |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 3.15 |
Description | The net-snmp package can be removed with the following command: $ sudo yum erase net-snmp |
Rationale | If there is no need to run SNMP server software, removing the package provides a safeguard against its activation. |
Configure SNMP Service to Use Only SNMPv3 or Newer
Rule ID | xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | medium |
Identifiers and References | |
Description | Edit the snmpd configuration so that only SNMPv3 or newer is used, then restart the service: $ sudo service snmpd restart |
Rationale | Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. |
Ensure Default SNMP Password Is Not Used
Rule ID | xccdf_org.ssgproject.content_rule_snmpd_not_default_password |
Result | pass |
Time | 2017-10-21T14:39:59 |
Severity | high |
Identifiers and References | References: IA-5.1(ii), 366, SRG-OS-000480-GPOS-00227 |
Description | Edit the snmpd configuration to replace the default community strings, then restart the service: $ sudo service snmpd restart |
Rationale | Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s). |
OVAL details | Items not found satisfying "Check snmpd configuration": Object oval:ssg-object_snmp_default_communities:obj:1 of type textfilecontent54_object |
Procedural Requirement
Rule ID | xccdf_org.ssgproject.content_rule_c2s_procedural_requirement |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf |
Description | This requirement is procedural, and cannot be met through automated means. |
Rationale | This requirement is procedural, and cannot be met through automated means. |
Not Applicable to Operating System
Rule ID | xccdf_org.ssgproject.content_rule_c2s_not_OS_applicable |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf |
Description | While this requirement is applicable at an information system level, implementation is not performed within the Operating System. |
Rationale | This requirement is not applicable to an operating system. |
Product Meets this Requirement
Rule ID | xccdf_org.ssgproject.content_rule_c2s_met_inherently |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf |
Description | This requirement is permanent not a finding. No fix is required. |
Rationale | Red Hat Enterprise Linux meets this requirement through design and implementation. |
Requirement Applies to All Rules
Rule ID | xccdf_org.ssgproject.content_rule_apply_to_everything |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf |
Description | These are generic requirements, and apply to all rules. |
Rationale | The following requirements apply to all rules. |
Rule Compliance through Removal of xinetd
Rule ID | xccdf_org.ssgproject.content_rule_cis_xinetd |
Result | notselected |
Time | 2017-10-21T14:39:59 |
Severity | low |
Identifiers and References | References: 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18 |
Description | The upstream CIS guidance is incorrect, stating that xinetd services can be managed through systemctl. The proper way to disable xinetd services, such as chargen-dgram, is to create a |
Rationale | These rules are inherently compliant when xinetd is removed from the system |