Ubuntu 12.04/14.04 SCAP Profiles
with profile Ubuntu 12.04/14.04 Server
This profile contains all of the checks available.
Evaluation Characteristics
Target machine | debian |
---|---|
Benchmark URL | ubuntu-xccdf.xml |
Benchmark ID | xccdf_ubuntu_benchmark_draft |
Profile ID | xccdf_ubuntu_profile_default |
Started at | 2017-10-22T02:40:36 |
Finished at | 2017-10-22T02:41:00 |
Performed by | root |
CPE Platforms
- cpe:/o:ubuntu-trusty:linux
Addresses
- IPv4 127.0.0.1
- IPv4 172.42.208.129
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:20c:29ff:febf:153e
- MAC 00:00:00:00:00:00
- MAC 00:0C:29:BF:15:3E
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 43.832069 | 100.000000 | |
urn:xccdf:scoring:flat | 37.000000 | 99.000000 | |
urn:xccdf:scoring:flat-unweighted | 37.000000 | 99.000000 | |
Rule Overview
Result Details
Ensure /tmp Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26435-8; references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 1208 |
Description | The |
Rationale | The |
OVAL details:
- Items not found violating /tmp on own partition: Object oval:ssg:obj:2106 of type partition_object
Ensure /var Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26639-5; references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 1208 |
Description | The |
Rationale | Ensuring that |
OVAL details:
- Items not found violating /var on own partition: Object oval:ssg:obj:1850 of type partition_object
Ensure /var/log Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26215-4 |
Description | System logs are stored in the |
Rationale | Placing |
OVAL details:
- Items not found violating /var/log on own partition: Object oval:ssg:obj:1556 of type partition_object
Ensure /var/log/audit Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26436-6 |
Description | Audit logs are stored in the |
Rationale | Placing |
OVAL details:
- Items not found violating check for /var/log/audit partition: Object oval:ssg:obj:1987 of type partition_object
Ensure /home Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26557-9; references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 1208 |
Description | If user home directories will be stored locally, create a separate partition for |
Rationale | Ensuring that |
OVAL details:
- Items not found violating /home on own partition: Object oval:ssg:obj:1735 of type partition_object
Add nodev Option to Non-Root Local Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mountopt_nodev_on_nonroot_partitions |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-27045-4; references: CM-7 |
Description | The |
Rationale | The |
OVAL details:
- Items not found satisfying nodev on local filesystems: Object oval:ssg:obj:1851 of type partition_object; State oval:ssg:ste:1852 of type partition_state
Add nodev Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mountopt_nodev_on_removable_partitions |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26860-7 |
Description | The |
Rationale | The only legitimate location for device files is the |
OVAL details:
- Items not found violating nodev on removable partition: Object oval:ssg:obj:1288 of type partition_object; State oval:ssg:ste:1289 of type partition_state
- Items not found violating removable partition /etc/fstab: Object oval:ssg:obj:1290 of type textfilecontent54_object; State oval:ssg:ste:1291 of type textfilecontent54_state
Add noexec Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-27196-5 |
Description | The |
Rationale | Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. |
OVAL details:
- Items not found violating noexec on removable partition: Object oval:ssg:obj:1584 of type partition_object; State oval:ssg:ste:1585 of type partition_state
- Items not found violating removable partition /etc/fstab: Object oval:ssg:obj:1586 of type textfilecontent54_object; State oval:ssg:ste:1587 of type textfilecontent54_state
Add nosuid Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mountopt_nosuid_on_removable_partitions |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-27056-1 |
Description | The |
Rationale | The presence of suid and sgid executables should be tightly controlled. Allowing users to introduce suid or sgid binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. |
OVAL details:
- Items not found violating nosuid on removable partition: Object oval:ssg:obj:1263 of type partition_object; State oval:ssg:ste:1264 of type partition_state
- Items not found violating removable partition /etc/fstab: Object oval:ssg:obj:1265 of type textfilecontent54_object; State oval:ssg:ste:1266 of type textfilecontent54_state
Add nodev Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26499-4 |
Description | The |
Rationale | The only legitimate location for device files is the |
OVAL details:
- Items not found violating nodev on /tmp: Object oval:ssg:obj:1240 of type partition_object; State oval:ssg:ste:1241 of type partition_state
Add noexec Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26720-3 |
Description | The |
Rationale | Allowing users to execute binaries from world-writable directories such as |
OVAL details:
- Items not found violating noexec on /tmp: Object oval:ssg:obj:1535 of type partition_object; State oval:ssg:ste:1536 of type partition_state
Add nosuid Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26762-5 |
Description | The |
Rationale | The presence of suid and sgid executables should be tightly controlled. Users should not be able to execute suid or sgid binaries from temporary storage partitions. |
OVAL details:
- Items not found violating nosuid on /tmp: Object oval:ssg:obj:1870 of type partition_object; State oval:ssg:ste:1871 of type partition_state
Add nodev Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26778-1 |
Description | The |
Rationale | The only legitimate location for device files is the |
OVAL details:
- Items found satisfying nodev on /dev/shm
Add noexec Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26622-1 |
Description | The |
Rationale | Allowing users to execute binaries from world-writable directories such as |
OVAL details:
- Items found violating noexec on /dev/shm
Add nosuid Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26486-1 |
Description | The |
Rationale | The presence of suid and sgid executables should be tightly controlled. Users should not be able to execute suid or sgid binaries from temporary storage partitions. |
OVAL details:
- Items found satisfying nosuid on /dev/shm
Bind Mount /var/tmp To /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind_var |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26582-7; references: CM-7 |
Description | The
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
See the mount(8) man page for further explanation of bind mounting. |
Rationale | Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location |
OVAL details:
- Items not found violating Ensure /var/tmp is mounted: Object oval:ssg:obj:2185 of type partition_object
- Items not found violating Ensure bind mount option is on /var/tmp: Object oval:ssg:obj:2186 of type textfilecontent54_object
Disable Mounting of cramfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26340-0; references: CM-7 |
Description | To configure the system to prevent the
install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details:
- Items not found violating kernel module cramfs disabled: Object oval:ssg:obj:1653 of type textfilecontent54_object
- Items not found violating kernel module cramfs disabled in /etc/modprobe.conf: Object oval:ssg:obj:1654 of type textfilecontent54_object
Remediation script:
Disable Mounting of freevxfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26544-7; references: CM-7 |
Description | To configure the system to prevent the
install freevxfs /bin/false
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details:
- Items not found violating kernel module freevxfs disabled: Object oval:ssg:obj:1386 of type textfilecontent54_object
- Items not found violating kernel module freevxfs disabled in /etc/modprobe.conf: Object oval:ssg:obj:1387 of type textfilecontent54_object
Remediation script:
Disable Mounting of jffs2
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26670-0; references: CM-7 |
Description | To configure the system to prevent the
install jffs2 /bin/false
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details:
- Items not found violating kernel module jffs2 disabled: Object oval:ssg:obj:2131 of type textfilecontent54_object
- Items not found violating kernel module jffs2 disabled in /etc/modprobe.conf: Object oval:ssg:obj:2132 of type textfilecontent54_object
Remediation script:
Disable Mounting of hfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26800-3; references: CM-7 |
Description | To configure the system to prevent the
install hfs /bin/false
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details:
- Items not found violating kernel module hfs disabled: Object oval:ssg:obj:1539 of type textfilecontent54_object
- Items not found violating kernel module hfs disabled in /etc/modprobe.conf: Object oval:ssg:obj:1540 of type textfilecontent54_object
Remediation script:
Disable Mounting of hfsplus
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26361-6; references: CM-7 |
Description | To configure the system to prevent the
install hfsplus /bin/false
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details:
- Items not found violating kernel module hfsplus disabled: Object oval:ssg:obj:1742 of type textfilecontent54_object
- Items not found violating kernel module hfsplus disabled in /etc/modprobe.conf: Object oval:ssg:obj:1743 of type textfilecontent54_object
Remediation script:
Disable Mounting of squashfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26404-4; references: CM-7 |
Description | To configure the system to prevent the
install squashfs /bin/false
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details:
- Items not found violating kernel module squashfs disabled: Object oval:ssg:obj:1828 of type textfilecontent54_object
- Items not found violating kernel module squashfs disabled in /etc/modprobe.conf: Object oval:ssg:obj:1829 of type textfilecontent54_object
Remediation script:
Disable Mounting of udf
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled |
Result | fail |
Time | 2017-10-22T02:40:36 |
Severity | low |
Identifiers and References | identifiers: CCE-26677-5; references: CM-7 |
Description | To configure the system to prevent the
install udf /bin/false
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details:
- Items not found violating kernel module udf disabled: Object oval:ssg:obj:1364 of type textfilecontent54_object
- Items not found violating kernel module udf disabled in /etc/modprobe.conf: Object oval:ssg:obj:1365 of type textfilecontent54_object
Remediation script:
Verify User Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_userowner_shadow_file |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | medium |
Identifiers and References | identifiers: CCE-26947-2 |
Description | To properly set the owner of
# chown root /etc/shadow |
Rationale | The |
OVAL details:
- Items found satisfying Testing user ownership of /etc/shadow
Verify User Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | medium |
Identifiers and References | identifiers: CCE-26822-7; references: AC-6 |
Description | To properly set the owner of
# chown root /etc/group |
Rationale | The |
OVAL details:
- Items found satisfying Testing user ownership
Verify Group Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | medium |
Identifiers and References | identifiers: CCE-26930-8 |
Description | To properly set the group owner of
# chgrp root /etc/group |
Rationale | The |
OVAL details:
- Items found satisfying Testing group ownership
Verify User Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | medium |
Identifiers and References | identifiers: CCE-27026-4 |
Description | To properly set the owner of
# chown root /etc/gshadow |
Rationale | The |
OVAL details:
- Items found satisfying Testing gshadow ownership
Verify User Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | medium |
Identifiers and References | identifiers: CCE-26953-0 |
Description | To properly set the owner of
# chown root /etc/passwd |
Rationale | The |
OVAL details:
- Items found satisfying Testing user ownership
Verify Group Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
Result | pass |
Time | 2017-10-22T02:40:36 |
Severity | medium |
Identifiers and References | identifiers: CCE-26856-5 |
Description | To properly set the group owner of
# chgrp root /etc/passwd |
Rationale | The |
OVAL details:
- Items found satisfying Testing group ownership of /etc/passwd
Verify that Shared Library Files Have Root Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_library_dirs |
Result | pass |
Time | 2017-10-22T02:40:38 |
Severity | medium |
Identifiers and References | identifiers: CCE-27424-1 |
Description | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:
# chown root FILE |
Rationale | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. |
OVAL details:
- Items not found satisfying library directories uid root: Object oval:ssg:obj:1698 of type file_object
- Items not found satisfying library files uid root: Object oval:ssg:obj:1699 of type file_object
Verify that System Executables Have Root Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs |
Result | pass |
Time | 2017-10-22T02:40:38 |
Severity | medium |
Identifiers and References | identifiers: CCE-27623-8 |
Description | System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
# chown root FILE |
Rationale | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
OVAL details:
- Items not found satisfying binary directories uid root: Object oval:ssg:obj:1397 of type file_object
- Items not found satisfying binary files uid root: Object oval:ssg:obj:1398 of type file_object
Verify that All World-Writable Directories Have Sticky Bits Set
Rule ID | xccdf_org.ssgproject.content_rule_sticky_world_writable_dirs |
Result | pass |
Time | 2017-10-22T02:40:41 |
Severity | low |
Identifiers and References | identifiers: CCE-26840-9; references: AC-6 |
Description | When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
# chmod +t DIR |
Rationale | Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. |
OVAL details:
- Items not found satisfying all local world-writable directories have sticky bit set: Object oval:ssg:obj:1319 of type file_object; State oval:ssg:ste:1320 of type file_state
Ensure No World-Writable Files Exist
Rule ID | xccdf_org.ssgproject.content_rule_world_writeable_files |
Result | pass |
Time | 2017-10-22T02:40:49 |
Severity | medium |
Identifiers and References | identifiers: CCE-26910-0; references: AC-6 |
Description | It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. |
Rationale | Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files. |
OVAL details:
- Items not found satisfying world writable files: Object oval:ssg:obj:1652 of type file_object
Ensure All Files Are Owned by a User
Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
Result | pass |
Time | 2017-10-22T02:40:58 |
Severity | low |
Identifiers and References | identifiers: CCE-27032-2 |
Description | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. |
Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. |
OVAL details:
- Items not found satisfying Check user ids on all files on the system: Object oval:ssg:obj:1849 of type file_object
Ensure All World-Writable Directories Are Owned by a System Account
Rule ID | xccdf_org.ssgproject.content_rule_world_writable_files_system_ownership |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26642-9; references: AC-6 |
Description | All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. |
Rationale | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. |
OVAL details:
- Items not found satisfying check for local directories that are world writable and have uid greater than or equal to 500: Object oval:ssg:obj:1789 of type file_object; State oval:ssg:ste:1790 of type file_state
Disable Core Dumps for All Users
Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27033-0; references: SC-5 |
Description | To disable core dumps for all users, add the following line to
* hard core 0 |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
OVAL details:
- Items not found violating Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file: Object oval:ssg:obj:2041 of type textfilecontent54_object; State oval:ssg:ste:2042 of type textfilecontent54_state
Remediation script:
Disable Core Dumps for SUID programs
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27044-7; references: SI-11 |
Description | To set the runtime status of the
# sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0 |
Rationale | The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. |
OVAL details:
- Items found violating kernel runtime parameter fs.suid_dumpable set to 0
- Items not found violating fs.suid_dumpable static configuration: Object oval:ssg:obj:1674 of type textfilecontent54_object
Remediation script:
Enable Randomized Layout of Virtual Address Space
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26999-3; references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf |
Description | To set the runtime status of the
# sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2 |
Rationale | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
OVAL details:
- Items found violating kernel runtime parameter kernel.randomize_va_space set to 2
- Items not found violating kernel.randomize_va_space static configuration: Object oval:ssg:obj:1238 of type textfilecontent54_object
Remediation script:
Restrict Virtual Console Root Logins
Rule ID | xccdf_org.ssgproject.content_rule_securetty_root_login_console_only |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26855-7 |
Description | To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in
vc/1
vc/2
vc/3
vc/4 |
Rationale | Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. |
OVAL details:
- Items not found satisfying virtual consoles /etc/securetty: Object oval:ssg:obj:2007 of type textfilecontent54_object
Restrict Serial Port Root Logins
Rule ID | xccdf_org.ssgproject.content_rule_restrict_serial_port_logins |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27047-0 |
Description | To restrict root logins on serial ports, ensure lines of this form do not appear in
ttyS0
ttyS1 |
Rationale | Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. |
OVAL details:
- Items found violating serial ports /etc/securetty
Verify Only Root Has UID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26971-2 |
Description | If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. |
Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
OVAL details:
- Items not found satisfying test that there are no accounts with UID 0 except root in the /etc/passwd file: Object oval:ssg:obj:1744 of type textfilecontent54_object
Prevent Log In to Accounts With Empty Password
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | high |
Identifiers and References | identifiers: CCE-27038-9 references: IA-5(b), IA-5(c), IA-5(1)(a), |
Description | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the |
Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
OVAL details:
- Items not found satisfying make sure nullok is not used in /etc/pam.d/system-auth: Object oval:ssg:obj:1664 of type textfilecontent54_object
Verify All Account Password Hashes are Shadowed
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26476-2 |
Description | If any password hashes are stored in |
Rationale | The hashes for all user account passwords should be stored in the file |
OVAL details:
- Items found satisfying password hashes are shadowed:
Set Password Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-27013-2 references: IA-5(f), IA-5(1)(d), 198, |
Description | To specify password minimum age for new accounts, edit the file: PASS_MIN_DAYS DAYS. A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. |
Rationale | Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
OVAL details:
- Items found violating Tests the value of PASS_MIN_DAYS in /etc/login.defs:
Remediation script:
Set Password Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26985-2 references: IA-5(f), IA-5(g), IA-5(1)(d), 180, 199, |
Description | To specify password maximum age for new accounts, edit the file: PASS_MAX_DAYS DAYS. A value of 180 days is sufficient for many environments. The DoD requirement is 60. |
Rationale | Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
OVAL details:
- Items found violating the value PASS_MAX_DAYS should be set appropriately in /etc/login.defs:
Remediation script:
Set Password Warning Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26988-6 references: IA-5(f), |
Description | To specify how many days prior to password expiration a warning will be issued to users, edit the file: PASS_WARN_AGE DAYS. The DoD requirement is 7. |
Rationale | Setting the password warning age enables users to make the change at a practical time. |
OVAL details:
- Items found satisfying Tests the value of PASS_WARN_AGE in /etc/login.defs:
Set Account Expiration Following Inactivity
Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27283-1 |
Description | To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in the file: INACTIVE=NUM_DAYS. A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. |
Rationale | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
OVAL details:
- Items not found violating the value INACTIVE parameter should be set appropriately in /etc/default/useradd: Object oval:ssg:obj:1978 of type textfilecontent54_object; State oval:ssg:ste:1979 of type textfilecontent54_state
Remediation script:
Set Password Hashing Algorithm in /etc/login.defs
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-27228-6 references: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 803, |
Description | In ENCRYPT_METHOD SHA512 |
Rationale | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
OVAL details:
- Items found satisfying check ENCRYPT_METHOD in /etc/login.defs:
Set Password Hashing Algorithm in /etc/libuser.conf
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-27229-4 references: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 803, |
Description | In crypt_style = sha512 |
Rationale | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
OVAL details:
- Items not found violating The password hashing algorithm should be set correctly in /etc/libuser.conf: Object oval:ssg:obj:1243 of type textfilecontent54_object
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Rule ID | xccdf_org.ssgproject.content_rule_root_path_no_dot |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26826-8 references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf |
Description | Ensure that none of the directories in root's path is equal to a single PATH=:/bin PATH=/bin: PATH=/bin::/sbin These empty elements have the same effect as a single . character. |
Rationale | Including these entries increases the risk that root could execute code from an untrusted location. |
OVAL details:
- Items found satisfying environment variable PATH starts with : or .:
- Items found satisfying environment variable PATH doesn't contain : twice in a row:
- Items found satisfying environment variable PATH doesn't contain . twice in a row:
- Items found satisfying environment variable PATH ends with : or .:
- Items found satisfying environment variable PATH starts with an absolute path /:
- Items found satisfying environment variable PATH contains relative paths:
Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule ID | xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26768-2 references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf |
Description | For each element in root's path, run: # ls -ld DIR and ensure that write permissions are disabled for group and other. |
Rationale | Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code. |
OVAL details:
- Items found violating Check that write permission to group in root's path is denied:
- Items not found violating Check that write permission to other in root's path is denied: Object oval:ssg:obj:1448 of type file_object
Ensure the Default Umask is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_login_defs |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26371-5 references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 366, |
Description | To ensure the default umask controlled by UMASK 077 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. |
OVAL details:
- Items found violating Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/login.defs file:
Remediation script:
Ensure that User Home Directories are not Group-Writable or World-Readable
Rule ID | xccdf_org.ssgproject.content_rule_homedir_perms_no_groupwrite_worldread |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26981-1 references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf |
Description | For each human user of the system, view the permissions of the user's home directory: # ls -ld /home/USER. Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions: # chmod g-w /home/USER and # chmod o-rwx /home/USER |
Rationale | User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs. |
Warnings | warning: This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change. |
OVAL details:
- Items found violating home directories:
Disable Kernel Parameter for Sending ICMP Redirects by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-27001-7 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.default.send_redirects=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.default.send_redirects = 0 |
Rationale | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0:
- Items not found violating net.ipv4.conf.default.send_redirects static configuration: Object oval:ssg:obj:1602 of type textfilecontent54_object
Remediation script:
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_ipv4_all_send_redirects |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-27004-1 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.all.send_redirects=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.all.send_redirects = 0 |
Rationale | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0:
- Items not found violating net.ipv4.conf.all.send_redirects static configuration: Object oval:ssg:obj:1763 of type textfilecontent54_object
Disable Kernel Parameter for IP Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_ipv4_ip_forward |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26866-4 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.ip_forward=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.ip_forward = 0 |
Rationale | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.ip_forward set to 0:
- Items not found violating net.ipv4.ip_forward static configuration: Object oval:ssg:obj:1651 of type textfilecontent54_object
Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-27037-1 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.all.accept_source_route=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route = 0 |
Rationale | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.all.accept_source_route set to 0:
- Items not found violating net.ipv4.conf.all.accept_source_route static configuration: Object oval:ssg:obj:1972 of type textfilecontent54_object
Remediation script:
Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-27027-2 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.all.accept_redirects=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects = 0 |
Rationale | Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.all.accept_redirects set to 0:
- Items not found violating net.ipv4.conf.all.accept_redirects static configuration: Object oval:ssg:obj:1815 of type textfilecontent54_object
Remediation script:
Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26854-0 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.all.secure_redirects=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.all.secure_redirects set to 0:
- Items not found violating net.ipv4.conf.all.secure_redirects static configuration: Object oval:ssg:obj:1920 of type textfilecontent54_object
Remediation script:
Enable Kernel Parameter to Log Martian Packets
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27066-0 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.all.log_martians=1. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.all.log_martians = 1 |
Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.all.log_martians set to 1:
- Items not found violating net.ipv4.conf.all.log_martians static configuration: Object oval:ssg:obj:1248 of type textfilecontent54_object
Remediation script:
Disable Kernel Parameter for Accepting Source-Routed Packets By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26983-7 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.default.accept_source_route=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.default.accept_source_route = 0 |
Rationale | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.default.accept_source_route set to 0:
- Items not found violating net.ipv4.conf.default.accept_source_route static configuration: Object oval:ssg:obj:2039 of type textfilecontent54_object
Remediation script:
Disable Kernel Parameter for Accepting ICMP Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27015-7 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.default.accept_redirects=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.default.accept_redirects = 0 |
Rationale | This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.default.accept_redirects set to 0:
- Items not found violating net.ipv4.conf.default.accept_redirects static configuration: Object oval:ssg:obj:1451 of type textfilecontent54_object
Remediation script:
Disable Kernel Parameter for Accepting Secure Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26831-8 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.default.secure_redirects=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.default.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.default.secure_redirects set to 0:
- Items not found violating net.ipv4.conf.default.secure_redirects static configuration: Object oval:ssg:obj:1916 of type textfilecontent54_object
Remediation script:
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26883-9 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Rationale | Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to 1:
- Items not found violating net.ipv4.icmp_echo_ignore_broadcasts static configuration: Object oval:ssg:obj:1390 of type textfilecontent54_object
Remediation script:
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-26993-6 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Rationale | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to 1:
- Items not found violating net.ipv4.icmp_ignore_bogus_error_responses static configuration: Object oval:ssg:obj:1337 of type textfilecontent54_object
Remediation script:
Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26979-5 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.all.rp_filter=1. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.all.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1:
- Items not found violating net.ipv4.conf.all.rp_filter static configuration: Object oval:ssg:obj:1511 of type textfilecontent54_object
Remediation script:
Enable Kernel Parameter to Use Reverse Path Filtering by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26915-9 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv4.conf.default.rp_filter=1. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv4.conf.default.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv4.conf.default.rp_filter set to 1:
- Items not found violating net.ipv4.conf.default.rp_filter static configuration: Object oval:ssg:obj:1534 of type textfilecontent54_object
Remediation script:
Deactivate Wireless Network Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_deactivate_wireless_interfaces |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27057-9 references: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, |
Description | Deactivating wireless network interfaces should prevent normal usage of the wireless capability. # ifconfig -a Additionally, the following command may also be used to determine whether wireless support ('extensions') is included for a particular interface, though this may not always be a clear indicator: # iwconfig After identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, em1 or eth0), deactivate the interface with the command: # ifdown interface These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts: # rm /etc/sysconfig/network-scripts/ifcfg-interface |
Rationale | Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind. |
OVAL details:
- Items not found satisfying query /proc/net/wireless: Object oval:ssg:obj:1321 of type textfilecontent54_object
Disable Bluetooth Kernel Modules
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | medium |
Identifiers and References | identifiers: CCE-26763-3 references: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 1551, |
Description | The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate install net-pf-31 /bin/false install bluetooth /bin/false |
Rationale | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
OVAL details:
- Items not found violating kernel module bluetooth disabled: Object oval:ssg:obj:1257 of type textfilecontent54_object
- Items not found violating kernel module net-pf-31 disabled: Object oval:ssg:obj:1258 of type textfilecontent54_object
Disable Support for RPC IPv6
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc |
Result | pass |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27232-8 references: CM-7 |
Description | RPC services for NFSv4 try to load transport modules for udp6 tpi_clts v inet6 udp - - tcp6 tpi_cots_ord v inet6 tcp - - |
OVAL details:
- Items not found satisfying Test for udp6 based rpc services: Object oval:ssg:obj:1432 of type textfilecontent54_object
- Items not found satisfying Test for tcp6 based rpc services: Object oval:ssg:obj:1433 of type textfilecontent54_object
Disable Accepting IPv6 Router Advertisements
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
Result | fail |
Time | 2017-10-22T02:40:59 |
Severity | low |
Identifiers and References | identifiers: CCE-27164-3 references: CM-7 |
Description | To set the runtime status of the parameter, run: # sysctl -w net.ipv6.conf.default.accept_ra=0. If this is not the system's default value, add the following line to /etc/sysctl.conf: net.ipv6.conf.default.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
OVAL details:
- Items found violating kernel runtime parameter net.ipv6.conf.default.accept_ra set to 0:
- Items not found violating net.ipv6.conf.default.accept_ra static configuration: Object oval:ssg:obj:1280 of type textfilecontent54_object
Remediation script:
Disable Accepting IPv6 Redirects
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_ipv6_default_accept_redirects | ||||||||||
Result | fail | ||||||||||
Time | 2017-10-22T02:40:59 | ||||||||||
Severity | medium | ||||||||||
Identifiers and References | identifiers: CCE-27166-8 | ||||||||||
Description | To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
# sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf so that the setting survives a reboot:
net.ipv6.conf.default.accept_redirects = 0 | ||||||||||
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. | ||||||||||
OVAL details Items found violating kernel runtime parameter net.ipv6.conf.default.accept_redirects set to 0:
Items not found violating net.ipv6.conf.default.accept_redirects static configuration:Object oval:ssg:obj:1726 of type textfilecontent54_object
|
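The two IPv6 rules above both fail on two counts: the running value is wrong ("Items found violating kernel runtime parameter") and no persistent assignment exists ("Items not found violating ... static configuration"). The following is an added example, not part of the report or of the SCAP content, of checking both sides the way the OVAL does. The sample sysctl.conf and drop-in file are constructed in a temporary directory; on a real host the same functions take /etc/sysctl.d/*.conf followed by /etc/sysctl.conf, the order `sysctl --system` reads them.

```shell
#!/bin/sh
# Added example: audit a sysctl key against both the persisted configuration
# and the running kernel, as the report's OVAL does. Not SSG code.

# Print the last assignment of KEY found in the given files, processed in
# order. `sysctl --system` reads /etc/sysctl.d/*.conf before /etc/sysctl.conf,
# so a later file (or a later line) overrides an earlier one. Lines starting
# with '#' or ';' are comments; sysctl does not strip trailing comments.
sysctl_static_value() {
    key=$1; shift
    awk -v key="$key" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        index($0, "=") > 0 {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$@"
}

# Succeed only if the persisted value of KEY equals EXPECTED.
sysctl_static_check() {
    key=$1; expected=$2; shift 2
    [ "$(sysctl_static_value "$key" "$@")" = "$expected" ]
}

# Succeed only if the running kernel reports EXPECTED for KEY (live host only).
sysctl_runtime_check() {
    [ "$(sysctl -n "$1" 2>/dev/null)" = "$2" ]
}

# Constructed sample configuration standing in for /etc/sysctl.conf and
# /etc/sysctl.d/. accept_ra is persisted in a drop-in; accept_redirects is
# only commented out, which is the state the report flagged as "not found".
demo=$(mktemp -d)
mkdir "$demo/sysctl.d"
cat > "$demo/sysctl.conf" <<'EOF'
# Kernel sysctl configuration (constructed sample)
kernel.randomize_va_space = 2
#net.ipv6.conf.default.accept_redirects = 0
EOF
cat > "$demo/sysctl.d/99-ipv6-hardening.conf" <<'EOF'
net.ipv6.conf.default.accept_ra = 0
EOF

for key in net.ipv6.conf.default.accept_ra net.ipv6.conf.default.accept_redirects; do
    if sysctl_static_check "$key" 0 "$demo"/sysctl.d/*.conf "$demo/sysctl.conf"; then
        printf '%s: persisted as 0\n' "$key"
    else
        printf '%s: NOT persisted (found "%s")\n' "$key" \
            "$(sysctl_static_value "$key" "$demo"/sysctl.d/*.conf "$demo/sysctl.conf")"
    fi
done
```

`sysctl -w` alone changes only the running kernel, so a host fixed that way still fails the static half of the rule after the next scan; the file-level check is what matters across reboots. Note also that the default.* keys govern only interfaces created after the value is set: existing interfaces keep their own net.ipv6.conf.<iface>.accept_ra and accept_redirects values, so on a live host those per-interface keys need checking as well.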
Disable DCCP Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled | ||||||||||||||
Result | fail | ||||||||||||||
Time | 2017-10-22T02:40:59 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | identifiers: CCE-26448-1 | ||||||||||||||
Description | The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install dccp /bin/false | ||||||||||||||
Rationale | Disabling DCCP protects the system against exploitation of any flaws in its implementation. | ||||||||||||||
OVAL details Items not found violating kernel module dccp disabled:Object oval:ssg:obj:1953 of type textfilecontent54_object
Items not found violating kernel module dccp disabled in /etc/modprobe.conf:Object oval:ssg:obj:1954 of type textfilecontent54_object
| |||||||||||||||
Remediation script:
|
Disable SCTP Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled | ||||||||||||||
Result | fail | ||||||||||||||
Time | 2017-10-22T02:40:59 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | identifiers: CCE-26410-1 | ||||||||||||||
Description | The Stream Control Transmission Protocol (SCTP) is a transport layer protocol designed to support message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/false | ||||||||||||||
Rationale | Disabling SCTP protects the system against exploitation of any flaws in its implementation. | ||||||||||||||
OVAL details Items not found violating kernel module sctp disabled:Object oval:ssg:obj:1779 of type textfilecontent54_object
Items not found violating kernel module sctp disabled in /etc/modprobe.conf:Object oval:ssg:obj:1780 of type textfilecontent54_object
| |||||||||||||||
Remediation script:
|
Disable RDS Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled | ||||||||||||||
Result | fail | ||||||||||||||
Time | 2017-10-22T02:40:59 | ||||||||||||||
Severity | low | ||||||||||||||
Identifiers and References | identifiers: CCE-26239-4 | ||||||||||||||
Description | The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install rds /bin/false | ||||||||||||||
Rationale | Disabling RDS protects the system against exploitation of any flaws in its implementation. | ||||||||||||||
OVAL details Items not found violating kernel module rds disabled:Object oval:ssg:obj:1612 of type textfilecontent54_object
Items not found violating kernel module rds disabled in /etc/modprobe.conf:Object oval:ssg:obj:1613 of type textfilecontent54_object
| |||||||||||||||
Remediation script:
|
Disable TIPC Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled | ||||||||||||||
Result | fail | ||||||||||||||
Time | 2017-10-22T02:40:59 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | identifiers: CCE-26696-5 | ||||||||||||||
Description | The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/false | ||||||||||||||
Rationale | Disabling TIPC protects the system against exploitation of any flaws in its implementation. | ||||||||||||||
OVAL details Items not found violating kernel module tipc disabled:Object oval:ssg:obj:1512 of type textfilecontent54_object
Items not found violating kernel module tipc disabled in /etc/modprobe.conf:Object oval:ssg:obj:1513 of type textfilecontent54_object
| |||||||||||||||
Remediation script:
|
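The four module rules above (dccp, sctp, rds, tipc) share one remediation and one check. The following is an added example, not part of the report or of the SCAP content, that writes the `install MODULE /bin/false` rule and verifies it against a set of modprobe configuration files. The modprobe.d directory it operates on is constructed in a temporary location; on a real host pass /etc/modprobe.d/*.conf (and /etc/modprobe.conf if it exists, which the report also inspects). The check accepts /bin/true as well as /bin/false, which is broader than the report's OVAL, since either target prevents the module from loading.

```shell
#!/bin/sh
# Added example: disable a kernel module as the rules above require and verify
# the result against the modprobe configuration. Not SSG code.

# Succeed if any of the given modprobe configuration files carries an
# "install MODULE /bin/false" (or /bin/true) line. A "blacklist MODULE" line
# alone does not count: blacklist only stops alias-based autoloading, while
# "modprobe MODULE" or a program requesting the protocol still loads it.
module_install_disabled() {
    mod=$1; shift
    [ $# -gt 0 ] || return 1
    grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$@"
}

# Write the disable rule into DIR/MODULE.conf. modprobe only reads files in
# /etc/modprobe.d whose names end in .conf, so the suffix matters.
module_disable_persist() {
    mod=$1; dir=$2
    printf 'install %s /bin/false\n' "$mod" > "$dir/$mod.conf"
}

# Succeed if MODULE is currently loaded (live-host check, reads /proc/modules).
# An install rule does not unload a module that is already resident.
module_loaded() {
    grep -qs "^$1[[:space:]]" /proc/modules
}

# Constructed sample modprobe.d directory: sctp is only blacklisted, which is
# the misconfiguration the check must reject; nothing covers dccp, rds, tipc.
demo=$(mktemp -d)
printf 'blacklist sctp\n' > "$demo/blacklist-sctp.conf"

for mod in dccp sctp rds tipc; do
    if module_install_disabled "$mod" "$demo"/*.conf; then
        printf '%s: install rule present\n' "$mod"
    else
        printf '%s: not disabled, writing %s\n' "$mod" "$demo/$mod.conf"
        module_disable_persist "$mod" "$demo"
    fi
done
```

On a live host, `modprobe -n -v dccp` (dry run) prints `install /bin/false` when the rule is in effect, and `lsmod` shows whether the module is already loaded; a module that was loaded before the rule was written stays loaded until it is removed or the host reboots.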
Ensure Log Files Are Owned By Appropriate User
Rule ID | xccdf_org.ssgproject.content_rule_userowner_rsyslog_files | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2017-10-22T02:41:00 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | identifiers: CCE-26812-8 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description | The owner of all log files written by rsyslog should be root. These files are named in the action part of each rule line in /etc/rsyslog.conf and typically all reside in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
# chown root LOGFILE | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details Items found satisfying Files that end in .log in /var/log owned by root:
|
Ensure Logrotate Runs Periodically
Rule ID | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated |
Result | notchecked |
Time | 2017-10-22T02:41:00 |
Severity | low |
Identifiers and References | identifiers: CCE-27014-0 |
Description | The logrotate utility rotates log files automatically; the rotation frequency is set in /etc/logrotate.conf and applied by a daily cron job. To configure logrotate to rotate daily, add or correct the following in /etc/logrotate.conf:
# rotate log files frequency
daily |
Rationale | Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. |
Remove Rsh Trust Files
Rule ID | xccdf_org.ssgproject.content_rule_no_rsh_trust_files | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2017-10-22T02:41:00 | ||||||||||||||
Severity | high | ||||||||||||||
Identifiers and References | identifiers: CCE-27270-8 | ||||||||||||||
Description | The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that the local system trusts when using the rshd daemon. To remove these files, run the following commands:
# rm /etc/hosts.equiv
$ rm ~/.rhosts
The check below also looks for the SSH equivalents, /etc/shosts.equiv and ~/.shosts, under /root and /home. | ||||||||||||||
Rationale | Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. | ||||||||||||||
OVAL details Items not found satisfying look for .rhosts or .shosts in /root:Object oval:ssg:obj:1312 of type file_object
Items not found satisfying look for .rhosts or .shosts in /home:Object oval:ssg:obj:1313 of type file_object
Items not found satisfying look for /etc/hosts.equiv or /etc/shosts.equiv:Object oval:ssg:obj:1314 of type file_object
|
Allow Only SSH Protocol 2
Rule ID | xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 | ||||||
Result | error | ||||||
Time | 2017-10-22T02:41:00 | ||||||
Severity | high | ||||||
Identifiers and References | identifiers: CCE-27072-8 references: AC-17(7), IA-5(1)(c), 776, 774, 1436, | ||||||
Description | Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2 | ||||||
Rationale | SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. | ||||||
OVAL details Items not found violating sshd uses protocol 2:Object oval:ssg:obj:2034 of type textfilecontent54_object
|
Disable SSH Support for .rhosts Files
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts | ||||||
Result | pass | ||||||
Time | 2017-10-22T02:41:00 | ||||||
Severity | medium | ||||||
Identifiers and References | identifiers: CCE-27124-7 | ||||||
Description | SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes | ||||||
Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | ||||||
OVAL details Items not found satisfying Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:Object oval:ssg:obj:2051 of type textfilecontent54_object
|
Disable Host-Based Authentication
Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth | ||||||
Result | pass | ||||||
Time | 2017-10-22T02:41:00 | ||||||
Severity | medium | ||||||
Identifiers and References | identifiers: CCE-27091-8 | ||||||
Description | SSH's cryptographic host-based authentication is more secure than .rhosts authentication, but hosts should still not unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no | ||||||
Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | ||||||
OVAL details Items not found satisfying sshd HostbasedAuthentication:Object oval:ssg:obj:2015 of type textfilecontent54_object
|
Disable SSH Root Login
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login | ||||
Result | error | ||||
Time | 2017-10-22T02:41:00 | ||||
Severity | medium | ||||
Identifiers and References | identifiers: CCE-27100-7 | ||||
Description | The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no | ||||
Rationale | Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. | ||||
OVAL details Items found violating Tests the value of the PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:
| |||||
Remediation script:
|
Disable SSH Access via Empty Passwords
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords | ||||||
Result | error | ||||||
Time | 2017-10-22T02:41:00 | ||||||
Severity | high | ||||||
Identifiers and References | identifiers: CCE-26887-0 | ||||||
Description | To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. | ||||||
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | ||||||
OVAL details Items not found violating Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:Object oval:ssg:obj:1667 of type textfilecontent54_object
| |||||||
Remediation script:
|
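The five sshd_config rules above all reduce to reading one keyword's effective value, and three of them ended in "error" in this scan, so a reviewer is likely to re-check the file by hand. A plain grep is easy to get wrong here: sshd honours the first occurrence of a keyword and ignores later duplicates, keywords are case-insensitive, an optional `=` may separate keyword and value, and anything after the first `Match` line is conditional. The following is an added example, not part of the report, OpenSSH or the SCAP content, of resolving the value the way sshd does; the sshd_config it reads is constructed inline, and the fallback defaults passed in are the compiled-in values of the OpenSSH 6.x shipped with Ubuntu 14.04.

```shell
#!/bin/sh
# Added example: resolve the effective value of an sshd_config keyword as sshd
# itself does (first occurrence wins, case-insensitive, global section only).
# Not SSG or OpenSSH code.

# Print the value of KEYWORD from FILE, or nothing if it is unset. Parsing
# stops at the first "Match" block, since settings there are conditional.
sshd_effective() {
    keyword=$1; file=$2
    awk -v kw="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]*=[[:space:]]*/, " ", line) }
        tolower(line) ~ /^match([[:space:]]|$)/ { exit }
        {
            split(line, f, /[[:space:]]+/)
            if (!found && tolower(f[1]) == kw) { found = 1; val = f[2] }
        }
        END { print val }' "$file"
}

# Succeed if KEYWORD resolves to EXPECTED (compared case-insensitively, as
# sshd accepts "No" and "no"). An unset keyword takes DEFAULT, the compiled-in
# value, which the caller must supply for the OpenSSH version in use.
sshd_check() {
    keyword=$1; expected=$2; default=$3; file=$4
    val=$(sshd_effective "$keyword" "$file")
    [ -n "$val" ] || val=$default
    [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$expected" ]
}

# Constructed sample sshd_config. The second PermitRootLogin line is the kind
# of appended "fix" that sshd silently ignores because the first line wins.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample /etc/ssh/sshd_config
Protocol 2
PermitRootLogin yes
IgnoreRhosts yes
hostbasedauthentication = no
PermitEmptyPasswords no
# appended later; ignored by sshd because the earlier PermitRootLogin wins
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF

# keyword, required value, OpenSSH 6.x default when the keyword is absent
for spec in 'Protocol 2 2' 'IgnoreRhosts yes yes' 'HostbasedAuthentication no no' \
            'PermitRootLogin no yes' 'PermitEmptyPasswords no no'; do
    set -- $spec
    if sshd_check "$1" "$2" "$3" "$demo"; then
        printf '%s: ok\n' "$1"
    else
        printf '%s: FAIL, effective value is "%s"\n' "$1" "$(sshd_effective "$1" "$demo")"
    fi
done
```

On the host itself, `sshd -T` prints the fully resolved configuration after sshd has parsed it and is the authoritative answer; the parser above is for reviewing a copied file offline, and it is also why remediation should edit or replace the existing line rather than append a new one.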
Specify a Remote NTP Server
Rule ID | xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server | ||||||||
Result | fail | ||||||||
Time | 2017-10-22T02:41:00 | ||||||||
Severity | medium | ||||||||
Identifiers and References | identifiers: CCE-27098-3 | ||||||||
Description | To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following line, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data. | ||||||||
Rationale | Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. | ||||||||
OVAL details Items not found violating Ensure at least one NTP server is set:Object oval:ssg:obj:1362 of type textfilecontent54_object
|
Disable Postfix Network Listening
Rule ID | xccdf_org.ssgproject.content_rule_postfix_network_listening | ||||||||
Result | fail | ||||||||
Time | 2017-10-22T02:41:00 | ||||||||
Severity | medium | ||||||||
Identifiers and References | identifiers: CCE-26780-7 | ||||||||
Description | Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = localhost | ||||||||
Rationale | This ensures Postfix accepts mail from the local system only and does not listen on network interfaces, where it would be exposed to network attack. | ||||||||
OVAL details Items not found violating inet_interfaces in /etc/postfix/main.cf should be set correctly:Object oval:ssg:obj:1986 of type textfilecontent54_object
|
Mount Remote Filesystems with nodev
Rule ID | xccdf_org.ssgproject.content_rule_use_nodev_option_on_nfs_mounts | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2017-10-22T02:41:00 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | identifiers: CCE-27090-0 | ||||||||||||||
Description | Add the nodev option to the fourth column of /etc/fstab for every line that controls mounting of an NFS filesystem. | ||||||||||||||
Rationale | Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. | ||||||||||||||
OVAL details Items not found satisfying no nfs:Object oval:ssg:obj:1810 of type textfilecontent54_object
Items not found satisfying all nfs has nodev:Object oval:ssg:obj:1808 of type textfilecontent54_object
State oval:ssg:ste:1809 of type textfilecontent54_state
|
Mount Remote Filesystems with nosuid
Rule ID | xccdf_org.ssgproject.content_rule_use_nosuid_option_on_nfs_mounts | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2017-10-22T02:41:00 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | identifiers: CCE-26972-0 | ||||||||||||||
Description | Add the nosuid option to the fourth column of /etc/fstab for every line that controls mounting of an NFS filesystem. | ||||||||||||||
Rationale | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. | ||||||||||||||
OVAL details Items not found satisfying no nfs:Object oval:ssg:obj:1679 of type textfilecontent54_object
Items not found satisfying all nfs has nosuid:Object oval:ssg:obj:1677 of type textfilecontent54_object
State oval:ssg:ste:1678 of type textfilecontent54_state
|
Require Client SMB Packet Signing, if using smbclient
Rule ID | xccdf_org.ssgproject.content_rule_require_smb_client_signing | ||||||||
Result | unknown | ||||||||
Time | 2017-10-22T02:41:00 | ||||||||
Severity | low | ||||||||
Identifiers and References | identifiers: CCE-26328-5 | ||||||||
Description | To require Samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory
Requiring Samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing. | ||||||||
Rationale | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. | ||||||||
OVAL details Items not found violating check for client signing = mandatory in /etc/samba/smb.conf:Object oval:ssg:obj:2010 of type textfilecontent54_object
|
Require Client SMB Packet Signing, if using mount.cifs
Rule ID | xccdf_org.ssgproject.content_rule_require_smb_client_signing_mount.cifs | ||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||
Time | 2017-10-22T02:41:00 | ||||||||||||||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||||||||||||||
Identifiers and References | identifiers: CCE-26792-2 | ||||||||||||||||||||||||||||||||||||||||
Description | Require packet signing of clients who mount Samba shares using the mount.cifs program (for example, shares specified in /etc/fstab). To do so, ensure the mount uses a signing security option, either sec=krb5i or sec=ntlmv2i. See the mount.cifs(8) man page for more information. | ||||||||||||||||||||||||||||||||||||||||
Rationale | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. | ||||||||||||||||||||||||||||||||||||||||
OVAL details Items not found satisfying check for no cifs in /etc/fstab:Object oval:ssg:obj:1596 of type textfilecontent54_object
Items not found satisfying check for sec=krb5i or sec=ntlmv2i in /etc/fstab:Object oval:ssg:obj:1596 of type textfilecontent54_object
State oval:ssg:ste:1597 of type textfilecontent54_state
Items not found satisfying check for no cifs in /etc/mtab:Object oval:ssg:obj:1598 of type textfilecontent54_object
Items not found satisfying check for sec=krb5i or sec=ntlmv2i in /etc/mtab:Object oval:ssg:obj:1598 of type textfilecontent54_object
State oval:ssg:ste:1597 of type textfilecontent54_state
|
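The two NFS mount rules and the mount.cifs signing rule above are all the same check on /etc/fstab: for every entry of a given filesystem type, the fourth (options) column must contain a required option. The following is an added example, not part of the report or of the SCAP content, of that check written once and applied to all three rules. The fstab it reads is constructed inline; the same function works unchanged on /etc/mtab or /proc/mounts, which the report also inspects for the CIFS rule, since their first four columns have the same layout.

```shell
#!/bin/sh
# Added example: audit fstab-format files for per-filesystem-type mount
# options, covering the nodev, nosuid and CIFS signing rules. Not SSG code.

# Print the mount point of every entry whose filesystem type matches TYPE_RE
# and whose comma-separated option list has no option matching OPT_RE.
# Prints nothing when every matching mount is compliant, or when there are
# no such mounts at all, which the report likewise treats as a pass.
fstab_mounts_missing() {
    type_re=$1; opt_re=$2; file=$3
    awk -v type_re="^($type_re)\$" -v opt_re="^($opt_re)\$" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 ~ type_re {
            n = split($4, opts, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (opts[i] ~ opt_re) ok = 1
            if (!ok) print $2
        }' "$file"
}

# The three checks behind the mount rules in this report.
nfs_missing_nodev()    { fstab_mounts_missing 'nfs|nfs4' 'nodev'  "$1"; }
nfs_missing_nosuid()   { fstab_mounts_missing 'nfs|nfs4' 'nosuid' "$1"; }
cifs_missing_signing() { fstab_mounts_missing 'cifs' 'sec=(krb5i|ntlmv2i)' "$1"; }

# Constructed sample /etc/fstab: /data lacks nodev, /mnt/legacy uses an
# unsigned CIFS security mode; the rest are compliant.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample /etc/fstab
UUID=0000-0000      /           ext4  errors=remount-ro              0 1
filer:/export/home  /home       nfs   rw,nosuid,nodev,hard,intr      0 0
filer:/export/data  /data       nfs4  rw,nosuid                      0 0
//fileserver/share  /mnt/share  cifs  credentials=/root/.smb,sec=krb5i,ro 0 0
//legacy/share      /mnt/legacy cifs  credentials=/root/.smb,sec=ntlm     0 0
EOF

for check in nfs_missing_nodev nfs_missing_nosuid cifs_missing_signing; do
    missing=$("$check" "$demo")
    if [ -z "$missing" ]; then
        printf '%s: pass\n' "$check"
    else
        printf '%s: FAIL for %s\n' "$check" "$(printf '%s' "$missing" | tr '\n' ' ')"
    fi
done
```

Because the function only reports entries of the requested type, a host with no NFS or CIFS mounts passes silently, matching the "no nfs" and "no cifs" objects in the OVAL details above; an entry with fewer than four fields is skipped rather than misread.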