Ubuntu 12.04/14.04 SCAP Profiles

with profile Ubuntu 12.04/14.04 Server
This profile contains all of the checks available.
This SCAP file provides a GovReady security audit for Ubuntu 12.04/14.04 Server.

Evaluation Characteristics

Target machine: debian
Benchmark URL: ubuntu-xccdf.xml
Benchmark ID: xccdf_ubuntu_benchmark_draft
Profile ID: xccdf_ubuntu_profile_default
Started at: 2017-10-22T02:40:36
Finished at: 2017-10-22T02:41:00
Performed by: root

CPE Platforms

  • cpe:/o:ubuntu-trusty:linux

Addresses

  • IPv4  127.0.0.1
  • IPv4  172.42.208.129
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:20c:29ff:febf:153e
  • MAC  00:00:00:00:00:00
  • MAC  00:0C:29:BF:15:3E

Compliance and Scoring

The target system did not satisfy the conditions of 57 rules! Furthermore, the results of 5 rules were inconclusive. Please review rule results and consider applying remediation.

Rule results

37 passed
57 failed
6 other

Severity of failed rules

0 other
34 low
23 medium
0 high

Score

Scoring system                      Score      Maximum     Percent
urn:xccdf:scoring:default           43.832069  100.000000  43.83%
urn:xccdf:scoring:flat              37.000000  99.000000   37.37%
urn:xccdf:scoring:flat-unweighted   37.000000  99.000000   37.37%

Rule Overview

Title  [severity]  result

Ubuntu 12.04/14.04 SCAP Profiles  (57x fail, 3x error, 2x unknown, 1x notchecked)
  Tests Imported from the Red Hat Scap Security Guide  (57x fail, 3x error, 2x unknown, 1x notchecked)
    System Settings  (55x fail, 1x unknown, 1x notchecked)
      Installing and Maintaining Software  (5x fail)
        Disk Partitioning  (5x fail)
          Ensure /tmp Located On Separate Partition  [low]  fail
          Ensure /var Located On Separate Partition  [low]  fail
          Ensure /var/log Located On Separate Partition  [low]  fail
          Ensure /var/log/audit Located On Separate Partition  [low]  fail
          Ensure /home Located On Separate Partition  [low]  fail
      File Permissions and Masks  (18x fail)
        Restrict Partition Mount Options  (8x fail)
          Add nodev Option to Non-Root Local Partitions  [low]  pass
          Add nodev Option to Removable Media Partitions  [low]  fail
          Add noexec Option to Removable Media Partitions  [low]  fail
          Add nosuid Option to Removable Media Partitions  [low]  fail
          Add nodev Option to /tmp  [low]  fail
          Add noexec Option to /tmp  [low]  fail
          Add nosuid Option to /tmp  [low]  fail
          Add nodev Option to /dev/shm  [low]  pass
          Add noexec Option to /dev/shm  [low]  fail
          Add nosuid Option to /dev/shm  [low]  pass
          Bind Mount /var/tmp To /tmp  [low]  fail
        Restrict Dynamic Mounting and Unmounting of Filesystems  (7x fail)
          Disable Mounting of cramfs  [low]  fail
          Disable Mounting of freevxfs  [low]  fail
          Disable Mounting of jffs2  [low]  fail
          Disable Mounting of hfs  [low]  fail
          Disable Mounting of hfsplus  [low]  fail
          Disable Mounting of squashfs  [low]  fail
          Disable Mounting of udf  [low]  fail
        Verify Permissions on Important Files and Directories
          Verify User Who Owns shadow File  [medium]  pass
          Verify User Who Owns group File  [medium]  pass
          Verify Group Who Owns group File  [medium]  pass
          Verify Permissions on group File  [medium]  pass
          Verify User Who Owns gshadow File  [medium]  pass
          Verify User Who Owns passwd File  [medium]  pass
          Verify Group Who Owns passwd File  [medium]  pass
          Verify Permissions on passwd File  [medium]  pass
          Verify File Permissions Within Some Important Directories
            Verify that Shared Library Files Have Restrictive Permissions  [medium]  pass
            Verify that Shared Library Files Have Root Ownership  [medium]  pass
            Verify that System Executables Have Restrictive Permissions  [medium]  pass
            Verify that System Executables Have Root Ownership  [medium]  pass
          Verify that All World-Writable Directories Have Sticky Bits Set  [low]  pass
          Ensure No World-Writable Files Exist  [medium]  pass
          Ensure All Files Are Owned by a User  [low]  pass
          Ensure All World-Writable Directories Are Owned by a System Account  [low]  pass
        Restrict Programs from Dangerous Execution Patterns  (3x fail)
          Disable Core Dumps  (2x fail)
            Disable Core Dumps for All Users  [low]  fail
            Disable Core Dumps for SUID programs  [low]  fail
          Enable ExecShield  (1x fail)
            Enable Randomized Layout of Virtual Address Space  [medium]  fail
      Account and Access Control  (9x fail)
        Protect Accounts by Restricting Password-Based Login  (4x fail)
          Restrict Root Logins  (1x fail)
            Restrict Serial Port Root Logins  [low]  fail
            Verify Only Root Has UID 0  [medium]  pass
          Verify Proper Storage and Existence of Password Hashes
            Prevent Log In to Accounts With Empty Password  [high]  pass
            Verify All Account Password Hashes are Shadowed  [medium]  pass
          Set Password Expiration Parameters  (2x fail)
            Set Password Minimum Age  [medium]  fail
            Set Password Maximum Age  [medium]  fail
          Set Account Expiration Following Inactivity  [low]  fail
        Protect Accounts by Configuring PAM  (1x fail)
          Set Password Hashing Algorithm  (1x fail)
            Set Password Hashing Algorithm in /etc/login.defs  [medium]  pass
            Set Password Hashing Algorithm in /etc/libuser.conf  [medium]  fail
        Secure Session Configuration Files for Login Accounts  (3x fail)
          Ensure that No Dangerous Directories Exist in Root's Path  (1x fail)
            Ensure that Root's Path Does Not Include Relative Paths or Null Directories  [low]  pass
            Ensure that Root's Path Does Not Include World or Group-Writable Directories  [low]  fail
          Ensure that Users Have Sensible Umask Values  (1x fail)
            Ensure the Default Umask is Set Correctly in login.defs  [low]  fail
          Ensure that User Home Directories are not Group-Writable or World-Readable  [low]  fail
        Warning Banners for System Accesses  (1x fail)
          Modify the System Login Banner  [medium]  fail
      Network Configuration and Firewalls  (22x fail)
        Kernel Parameters Which Affect Networking  (15x fail)
          Network Parameters for Hosts Only  (3x fail)
            Disable Kernel Parameter for Sending ICMP Redirects by Default  [medium]  fail
            Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces  [medium]  fail
            Disable Kernel Parameter for IP Forwarding  [medium]  fail
          Network Related Kernel Runtime Parameters for Hosts and Routers  (12x fail)
            Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces  [medium]  fail
            Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces  [medium]  fail
            Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces  [medium]  fail
            Enable Kernel Parameter to Log Martian Packets  [low]  fail
            Disable Kernel Parameter for Accepting Source-Routed Packets By Default  [medium]  fail
            Disable Kernel Parameter for Accepting ICMP Redirects By Default  [low]  fail
            Disable Kernel Parameter for Accepting Secure Redirects By Default  [medium]  fail
            Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests  [low]  fail
            Enable Kernel Parameter to Ignore Bogus ICMP Error Responses  [low]  fail
            Enable Kernel Parameter to Use TCP Syncookies  [medium]  fail
            Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces  [medium]  fail
            Enable Kernel Parameter to Use Reverse Path Filtering by Default  [medium]  fail
        Wireless Networking  (1x fail)
          Disable Wireless Through Software Configuration  (1x fail)
            Deactivate Wireless Network Interfaces  [low]  pass
            Disable Bluetooth Kernel Modules  [medium]  fail
        IPv6  (2x fail)
          Disable Support for IPv6 Unless Needed
            Disable Support for RPC IPv6  [low]  pass
          Configure IPv6 Settings if Necessary  (2x fail)
            Disable Automatic Configuration  (2x fail)
              Disable Accepting IPv6 Router Advertisements  [low]  fail
              Disable Accepting IPv6 Redirects  [medium]  fail
        Uncommon Network Protocols  (4x fail)
          Disable DCCP Support  [medium]  fail
          Disable SCTP Support  [medium]  fail
          Disable RDS Support  [low]  fail
          Disable TIPC Support  [medium]  fail
      Configure Syslog  (1x fail, 1x unknown, 1x notchecked)
        Ensure Proper Configuration of Log Files  (1x unknown)
          Ensure Log Files Are Owned By Appropriate User  [medium]  pass
          Ensure System Log Files Have Correct Permissions  [medium]  unknown
        Rsyslog Logs Sent To Remote Host  (1x fail)
          Ensure Logs Sent To Remote Host  [low]  fail
        Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
          Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server  [low]  pass
        Ensure All Logs are Rotated by logrotate  (1x notchecked)
          Ensure Logrotate Runs Periodically  [low]  notchecked
      System Accounting with auditd
        Configure auditd Rules for Comprehensive Auditing
          System Audit Logs Must Have Mode 0640 or Less Permissive  [low]  pass
    Services  (2x fail, 3x error, 1x unknown)
      Obsolete Services
        Rlogin, Rsh, and Rexec
          Remove Rsh Trust Files  [high]  pass
      SSH Server  (3x error)
        Configure OpenSSH Server if Necessary  (3x error)
          Allow Only SSH Protocol 2  [high]  error
          Disable SSH Support for .rhosts Files  [medium]  pass
          Disable Host-Based Authentication  [medium]  pass
          Disable SSH Root Login  [medium]  error
          Disable SSH Access via Empty Passwords  [high]  error
      Network Time Protocol  (1x fail)
        Specify a Remote NTP Server  [medium]  fail
      Mail Server Software  (1x fail)
        Configure SMTP For Mail Clients  (1x fail)
          Disable Postfix Network Listening  [medium]  fail
      NFS and RPC
        Configure NFS Clients
          Mount Remote Filesystems with Restrictive Options
            Mount Remote Filesystems with nodev  [medium]  pass
            Mount Remote Filesystems with nosuid  [medium]  pass
      Samba(SMB) Microsoft Windows File Sharing Server  (1x unknown)
        Configure Samba if Necessary  (1x unknown)
          Require Client SMB Packet Signing, if using smbclient  [low]  unknown
          Require Client SMB Packet Signing, if using mount.cifs  [low]  pass

Result Details

Ensure /tmp Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_tmp
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26435-8

references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 1208

Description

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

OVAL details

Items not found violating /tmp on own partition:

Object oval:ssg:obj:2106 of type partition_object
Mount point
/tmp
Ensure /var Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26639-5

references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 1208

Description

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages.

OVAL details

Items not found violating /var on own partition:

Object oval:ssg:obj:1850 of type partition_object
Mount point
/var
Ensure /var/log Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var_log
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26215-4

references: AU-9, 1208

Description

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

OVAL details

Items not found violating /var/log on own partition:

Object oval:ssg:obj:1556 of type partition_object
Mount point
/var/log
Ensure /var/log/audit Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26436-6

references: AU-4, AU-9, 137, 138, 1208

Description

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

OVAL details

Items not found violating check for /var/log/audit partition:

Object oval:ssg:obj:1987 of type partition_object
Mount point
/var/log/audit
Ensure /home Located On Separate Partition

Rule ID: xccdf_org.ssgproject.content_rule_partition_for_home
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26557-9

references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 1208

Description

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

OVAL details

Items not found violating /home on own partition:

Object oval:ssg:obj:1735 of type partition_object
Mount point
/home
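The five partition rules above all run the same OVAL test: a partition_object for the mount point, satisfied only when that directory appears as a mount point in its own right. The Python below is an added example, not code from this report or from the SCAP Security Guide. It performs that test on text in /proc/mounts format and, for a failing directory, reports which mount actually backs it, which is what an operator needs before deciding whether to carve out a partition or logical volume. The mount table, REQUIRED_MOUNT_POINTS and the function names are constructed for the example; point parse_mounts at the contents of /proc/mounts to run it against a live host.

```python
"""Separate-partition check in the spirit of the partition_object OVAL tests.
Added example; works on /proc/mounts-format text, not on the live host."""
import re
from typing import Dict, List

# Constructed /proc/mounts sample (assumed, not the audited host's real table):
# one root filesystem plus /dev/shm, so all five directories live on /.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# Directories the five rules above require to be mount points of their own.
REQUIRED_MOUNT_POINTS = ["/tmp", "/var", "/var/log", "/var/log/audit", "/home"]

# The kernel writes space, tab and backslash inside paths as \040, \011, \134.
_OCTAL = re.compile(r"\\([0-7]{3})")


def parse_mounts(text: str) -> Dict[str, dict]:
    """Map mount point -> {device, fstype, options} from /proc/mounts text."""
    mounts: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        device, point, fstype, options = fields[:4]
        point = _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), point)
        mounts[point] = {"device": device, "fstype": fstype,
                         "options": options.split(",")}
    return mounts


def check_separate_partitions(mounts_text: str,
                              required: List[str] = REQUIRED_MOUNT_POINTS) -> Dict[str, str]:
    """'pass' if the directory is a mount point, else 'fail'.
    Like the OVAL test this only asks for a mount entry: a tmpfs or a bind mount
    on /tmp also passes, so a pass proves the directory can carry its own mount
    options, not that it sits on a separate disk partition."""
    mounts = parse_mounts(mounts_text)
    return {p: ("pass" if p in mounts else "fail") for p in required}


def backing_filesystem(mounts_text: str, path: str) -> str:
    """Mount point that actually holds `path` (longest matching prefix).
    'on /' means the directory shares the root filesystem and its options."""
    mounts = parse_mounts(mounts_text)
    best = "/"
    for point in mounts:
        if point == "/":
            continue
        if (path == point or path.startswith(point.rstrip("/") + "/")) and len(point) > len(best):
            best = point
    return best


if __name__ == "__main__":
    # Replace SAMPLE_MOUNTS with open("/proc/mounts").read() on a real host.
    for directory, result in check_separate_partitions(SAMPLE_MOUNTS).items():
        print(f"{directory:16} {result:5} (on {backing_filesystem(SAMPLE_MOUNTS, directory)})")
```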
Add nodev Option to Non-Root Local Partitions

Rule ID: xccdf_org.ssgproject.content_rule_mountopt_nodev_on_nonroot_partitions
Result: pass
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-27045-4

references: CM-7

Description

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.

Rationale

The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception is chroot jails, and nodev should not be set on the filesystems that hold them.

OVAL details

Items not found satisfying nodev on local filesystems:

Object oval:ssg:obj:1851 of type partition_object
Mount point: ^/\w.*$    Filter: oval:ssg:ste:1852
State oval:ssg:ste:1852 of type partition_state
Device: ^/dev/.*$    Mount options: nodev
Add nodev Option to Removable Media Partitions

Rule ID: xccdf_org.ssgproject.content_rule_mountopt_nodev_on_removable_partitions
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26860-7

references: AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2

Description

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.

OVAL details

Items not found violating nodev on removable partition:

Object oval:ssg:obj:1288 of type partition_object
Mount point
There was a problem processing referenced variable (oval:ssg:var:2192).
State oval:ssg:ste:1289 of type partition_state
Mount options
nodev

Items not found violating removable partition /etc/fstab:

Object oval:ssg:obj:1290 of type textfilecontent54_object
Filepath: /etc/fstab    Pattern: ^\s*([/\w]*)\s+.*,?nodev,?.*$    Instance: 0
State oval:ssg:ste:1291 of type textfilecontent54_state
Subexpression: (empty)
Add noexec Option to Removable Media Partitions

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-27196-5

references: AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 87

Description

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

OVAL details

Items not found violating noexec on removable partition:

Object oval:ssg:obj:1584 of type partition_object
Mount point
/dev/cdrom
State oval:ssg:ste:1585 of type partition_state
Mount options
noexec

Items not found violating removable partition /etc/fstab:

Object oval:ssg:obj:1586 of type textfilecontent54_object
Filepath: /etc/fstab    Pattern: ^\s*([/\w]*)\s+.*,?noexec,?.*$    Instance: 0
State oval:ssg:ste:1587 of type textfilecontent54_state
Subexpression: /dev/cdrom
Add nosuid Option to Removable Media Partitions

Rule ID: xccdf_org.ssgproject.content_rule_mountopt_nosuid_on_removable_partitions
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-27056-1

references: AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2

Description

The nosuid mount option prevents set-user-identifier (suid) and set-group-identifier (sgid) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce suid and sgid files into the system via partitions mounted from removable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The presence of suid and sgid executables should be tightly controlled. Allowing users to introduce suid or sgid binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

OVAL details

Items not found violating nosuid on removable partition:

Object oval:ssg:obj:1263 of type partition_object
Mount point
There was a problem processing referenced variable (oval:ssg:var:2189).
State oval:ssg:ste:1264 of type partition_state
Mount options
nosuid

Items not found violating removable partition /etc/fstab:

Object oval:ssg:obj:1265 of type textfilecontent54_object
Filepath: /etc/fstab    Pattern: ^\s*([/\w]*)\s+.*,?nosuid,?.*$    Instance: 0
State oval:ssg:ste:1266 of type textfilecontent54_state
Subexpression: (empty)
Add nodev Option to /tmp

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26499-4

references: CM-7, MP-2

Description

The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

OVAL details

Items not found violating nodev on /tmp:

Object oval:ssg:obj:1240 of type partition_object
Mount point
/tmp
State oval:ssg:ste:1241 of type partition_state
Mount options
nodev
Add noexec Option to /tmp

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26720-3

references: CM-7, MP-2

Description

The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.

OVAL details

Items not found violating noexec on /tmp:

Object oval:ssg:obj:1535 of type partition_object
Mount point
/tmp
State oval:ssg:ste:1536 of type partition_state
Mount options
noexec
Add nosuid Option to /tmp

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26762-5

references: CM-7, MP-2

Description

The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The suid/sgid permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

The presence of suid and sgid executables should be tightly controlled. Users should not be able to execute suid or sgid binaries from temporary storage partitions.

OVAL details

Items not found violating nosuid on /tmp:

Object oval:ssg:obj:1870 of type partition_object
Mount point
/tmp
State oval:ssg:ste:1871 of type partition_state
Mount options
nosuid
Add nodev Option to /dev/shm

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result: pass
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26778-1

references: CM-7, MP-2

Description

The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

OVAL details

Items found satisfying nodev on /dev/shm:

Mount point  Device  Uuid    Fs type  Mount options    Total space  Space used  Space left
/dev/shm     tmpfs   (none)  tmpfs    rw,nosuid,nodev  60687        0           60687
Add noexec Option to /dev/shm

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26622-1

references: CM-7, MP-2

Description

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

OVAL details

Items found violating noexec on /dev/shm:

Mount point  Device  Uuid    Fs type  Mount options    Total space  Space used  Space left
/dev/shm     tmpfs   (none)  tmpfs    rw,nosuid,nodev  60687        0           60687
Add nosuid Option to /dev/shm

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result: pass
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26486-1

references: CM-7, MP-2

Description

The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The suid/sgid permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

The presence of suid and sgid executables should be tightly controlled. Users should not be able to execute suid or sgid binaries from temporary storage partitions.

OVAL details

Items found satisfying nosuid on /dev/shm:

Mount point  Device  Uuid    Fs type  Mount options    Total space  Space used  Space left
/dev/shm     tmpfs   (none)  tmpfs    rw,nosuid,nodev  60687        0           60687
Bind Mount /var/tmp To /tmp

Rule ID: xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind_var
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26582-7

references: CM-7

Description

The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line:

/tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0
See the mount(8) man page for further explanation of bind mounting.

Rationale

Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections.

OVAL details

Items not found violating Ensure /var/tmp is mounted:

Object oval:ssg:obj:2185 of type partition_object
Mount point
/var/tmp

Items not found violating Ensure bind mount option is on /var/tmp:

Object oval:ssg:obj:2186 of type textfilecontent54_object
Filepath: /etc/mtab    Pattern: ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$    Instance: 1
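The nodev, noexec and nosuid rules above (for /tmp, /dev/shm and removable media) and the /var/tmp bind-mount rule all ask for the same kind of change, an option added to the fourth column of /etc/fstab, and their second OVAL test greps that file for the option. The Python below is an added example, not code from this report or from the SCAP Security Guide. It audits fstab text for every required option, reports each check as pass or fail the way the report does, and returns a hardened copy with the missing options appended and the bind line quoted in the rule above added when absent. The fstab content, the REQUIRED_OPTIONS map and the function names are constructed for the example; add entries to the map to cover the non-root local partitions rule as well. One caveat on the report's own /etc/mtab test: where /etc/mtab is a symlink to /proc/self/mounts, the kernel lists a bind mount as a second mount of the same device and filesystem type and never records the word bind, so that pattern fails even when the bind mount is active and the check has to be made against the mount table instead.

```python
"""Audit and harden the options column of /etc/fstab for the mount-option rules.
Added example; operates on fstab text, never on the live system."""
import re
from typing import Dict, Set

# Constructed sample fstab (assumed, not the audited host's real file): the CD-ROM
# entry carries no hardening options, /dev/shm lacks noexec (matching the OVAL
# item in the /dev/shm rules above), and /tmp and /var/tmp have no line at all.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type>   <options>          <dump> <pass>
/dev/sda1       /             ext4     errors=remount-ro  0      1
/dev/sr0        /dev/cdrom    iso9660  ro,user,noauto     0      0
tmpfs           /dev/shm      tmpfs    rw,nosuid,nodev    0      0
"""

# Mount points and the options the rules require on each (extend as needed).
REQUIRED_OPTIONS: Dict[str, Set[str]] = {
    "/tmp": {"nodev", "noexec", "nosuid"},
    "/dev/shm": {"nodev", "noexec", "nosuid"},
    "/dev/cdrom": {"nodev", "noexec", "nosuid"},   # removable media
}
# The line the 'Bind Mount /var/tmp To /tmp' rule asks for, verbatim.
VAR_TMP_BIND_LINE = "/tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0"

# fs, mount point, type, options, then optional dump and pass columns.
FSTAB_ENTRY = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+)\s+(\d+))?\s*$")


def parse_fstab(text: str) -> Dict[str, dict]:
    """Map mount point -> entry. Comments, blank and malformed lines are skipped."""
    entries: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines()):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FSTAB_ENTRY.match(line)
        if not m:
            continue
        fs, mnt, fstype, opts = m.group(1, 2, 3, 4)
        entries[mnt] = {"lineno": lineno, "fs": fs, "type": fstype,
                        "options": opts.split(",")}
    return entries


def _is_bind_of_tmp(entry: dict) -> bool:
    return bool(entry) and entry["fs"] == "/tmp" and "bind" in entry["options"]


def audit_fstab(text: str, required: Dict[str, Set[str]] = REQUIRED_OPTIONS) -> Dict[str, str]:
    """{check: 'pass'|'fail'} mirroring the rules' textfilecontent54 tests. A mount
    point with no fstab line fails every option, since the line that should carry
    the option does not exist; that is what the report shows for /tmp."""
    entries = parse_fstab(text)
    results: Dict[str, str] = {}
    for mnt, opts in required.items():
        present = set(entries[mnt]["options"]) if mnt in entries else set()
        for opt in sorted(opts):
            results[f"{opt} on {mnt}"] = "pass" if opt in present else "fail"
    results["bind /var/tmp to /tmp"] = "pass" if _is_bind_of_tmp(entries.get("/var/tmp", {})) else "fail"
    return results


def harden_fstab(text: str, required: Dict[str, Set[str]] = REQUIRED_OPTIONS) -> str:
    """Return fstab text with missing options appended to existing lines and the
    /var/tmp bind line added if /var/tmp has no entry. Mount points with no line
    are left alone: choosing a device for them belongs to the partition rules."""
    entries = parse_fstab(text)
    lines = text.splitlines()
    for mnt, opts in required.items():
        if mnt not in entries:
            continue
        entry = entries[mnt]
        missing = [o for o in sorted(opts) if o not in entry["options"]]
        if not missing:
            continue
        m = FSTAB_ENTRY.match(lines[entry["lineno"]])
        # Rebuild the line with the fourth column extended; keep dump/pass as they were.
        lines[entry["lineno"]] = "\t".join((
            m.group(1), m.group(2), m.group(3),
            ",".join(entry["options"] + missing),
            m.group(5) or "0", m.group(6) or "0"))
    if "/var/tmp" not in entries:
        lines.append(VAR_TMP_BIND_LINE)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for check, result in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{result:4}  {check}")
    print(harden_fstab(SAMPLE_FSTAB))
```

Review the hardened text before installing it (for example with mount -fav), and remember that fstab only takes effect at the next mount; remounting /dev/shm with the new options is the immediate step.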
Disable Mounting of cramfs

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26340-0

references: CM-7

Description

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

Items not found violating kernel module cramfs disabled:

Object oval:ssg:obj:1653 of type textfilecontent54_object
Path: /etc/modprobe.d    Filename: ^.*\.conf$    Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$    Instance: 1

Items not found violating kernel module cramfs disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1654 of type textfilecontent54_object
Filepath: /etc/modprobe.conf    Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$    Instance: 1
Remediation script:
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
Disable Mounting of freevxfs

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26544-7

references: CM-7

Description

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install freevxfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

Items not found violating kernel module freevxfs disabled:

Object oval:ssg:obj:1386 of type textfilecontent54_object
Path: /etc/modprobe.d    Filename: ^.*\.conf$    Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$    Instance: 1

Items not found violating kernel module freevxfs disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1387 of type textfilecontent54_object
Filepath: /etc/modprobe.conf    Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$    Instance: 1
Remediation script:
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
Disable Mounting of jffs2

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26670-0

references: CM-7

Description

To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install jffs2 /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

Items not found violating kernel module jffs2 disabled:

Object oval:ssg:obj:2131 of type textfilecontent54_object
Path: /etc/modprobe.d    Filename: ^.*\.conf$    Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$    Instance: 1

Items not found violating kernel module jffs2 disabled in /etc/modprobe.conf:

Object oval:ssg:obj:2132 of type textfilecontent54_object
Filepath: /etc/modprobe.conf    Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$    Instance: 1
Remediation script:
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
Disable Mounting of hfs

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26800-3

references: CM-7

Description

To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

Items not found violating kernel module hfs disabled:

Object oval:ssg:obj:1539 of type textfilecontent54_object
Path: /etc/modprobe.d    Filename: ^.*\.conf$    Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$    Instance: 1

Items not found violating kernel module hfs disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1540 of type textfilecontent54_object
Filepath: /etc/modprobe.conf    Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$    Instance: 1
Remediation script:
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
Disable Mounting of hfsplus

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled
Result: fail
Time: 2017-10-22T02:40:36
Severity: low
Identifiers and References

identifiers: CCE-26361-6

references: CM-7

Description

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfsplus /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

Items not found violating kernel module hfsplus disabled:

Object oval:ssg:obj:1742 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
Instance: 1

Items not found violating kernel module hfsplus disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1743 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
Instance: 1
Remediation script:
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf

Disable Mounting of squashfs

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled
Result: fail
Time: 2017-10-22T02:40:36
Severity: low

Identifiers and References

identifiers:  CCE-26404-4

references:  CM-7

Description

To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install squashfs /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

Items not found violating kernel module squashfs disabled:

Object oval:ssg:obj:1828 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
Instance: 1

Items not found violating kernel module squashfs disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1829 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
Instance: 1
Remediation script:
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf

Disable Mounting of udf

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled
Result: fail
Time: 2017-10-22T02:40:36
Severity: low

Identifiers and References

identifiers:  CCE-26677-5

references:  CM-7

Description

To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install udf /bin/false
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

OVAL details

Items not found violating kernel module udf disabled:

Object oval:ssg:obj:1364 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$
Instance: 1

Items not found violating kernel module udf disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1365 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$
Instance: 1
Remediation script:
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

Verify User Who Owns shadow File

Rule ID: xccdf_org.ssgproject.content_rule_userowner_shadow_file
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-26947-2

references:  AC-6, 225

Description

To properly set the owner of /etc/shadow, run the command:

# chown root /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL details

Items found satisfying Testing user ownership of /etc/shadow:

Path: /etc/shadow
Type: regular
UID: 0
GID: 42
Size (B): 1038
Permissions: rw-r-----

Verify User Who Owns group File

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_group
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-26822-7

references:  AC-6

Description

To properly set the owner of /etc/group, run the command:

# chown root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Items found satisfying Testing user ownership:

Path: /etc/group
Type: regular
UID: 0
GID: 0
Size (B): 781
Permissions: rw-r--r--

Verify Group Who Owns group File

Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-26930-8

references:  AC-6, 225

Description

To properly set the group owner of /etc/group, run the command:

# chgrp root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Items found satisfying Testing group ownership:

Path: /etc/group
Type: regular
UID: 0
GID: 0
Size (B): 781
Permissions: rw-r--r--

Verify Permissions on group File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-26954-8

references:  AC-6, 225

Description

To properly set the permissions of /etc/group, run the command:

# chmod 644 /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Items found satisfying Testing /etc/group permissions:

Path: /etc/group
Type: regular
UID: 0
GID: 0
Size (B): 781
Permissions: rw-r--r--

Verify User Who Owns gshadow File

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-27026-4

references:  AC-6, 225

Description

To properly set the owner of /etc/gshadow, run the command:

# chown root /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

OVAL details

Items found satisfying Testing gshadow ownership:

Path: /etc/gshadow
Type: regular
UID: 0
GID: 42
Size (B): 654
Permissions: rw-r-----

Verify User Who Owns passwd File

Rule ID: xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-26953-0

references:  AC-6, 225

Description

To properly set the owner of /etc/passwd, run the command:

# chown root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Items found satisfying Testing user ownership:

Path: /etc/passwd
Type: regular
UID: 0
GID: 0
Size (B): 1628
Permissions: rw-r--r--

Verify Group Who Owns passwd File

Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-26856-5

references:  AC-6, 225

Description

To properly set the group owner of /etc/passwd, run the command:

# chgrp root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Items found satisfying Testing group ownership of /etc/passwd:

Path: /etc/passwd
Type: regular
UID: 0
GID: 0
Size (B): 1628
Permissions: rw-r--r--

Verify Permissions on passwd File

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result: pass
Time: 2017-10-22T02:40:36
Severity: medium

Identifiers and References

identifiers:  CCE-26868-0

references:  AC-6, 225

Description

To properly set the permissions of /etc/passwd, run the command:

# chmod 0644 /etc/passwd

Rationale

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

OVAL details

Items found satisfying /etc/passwd mode and ownership:

Path: /etc/passwd
Type: regular
UID: 0
GID: 0
Size (B): 1628
Permissions: rw-r--r--

Verify that Shared Library Files Have Restrictive Permissions

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
Result: pass
Time: 2017-10-22T02:40:38
Severity: medium

Identifiers and References

identifiers:  CCE-27381-3

references:  AC-6, 1499

Description

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
# chmod go-w FILE

Rationale

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.

OVAL details

Items not found satisfying library directories go-w:

Object oval:ssg:obj:2187 of type file_object
Path: ^\/lib(|64)|^\/usr\/lib(|64)
Filename: no value
Filter: oval:ssg:ste:2216
Filter: oval:ssg:ste:2217

Items not found satisfying library files go-w:

Object oval:ssg:obj:2188 of type file_object
Path: ^\/lib(|64)|^\/usr\/lib(|64)
Filename: ^.*$
Filter: oval:ssg:ste:2216
Filter: oval:ssg:ste:2217

Verify that Shared Library Files Have Root Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
Result: pass
Time: 2017-10-22T02:40:38
Severity: medium

Identifiers and References

identifiers:  CCE-27424-1

references:  AC-6, 1499

Description

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:
# chown root FILE

Rationale

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

OVAL details

Items not found satisfying library directories uid root:

Object oval:ssg:obj:1698 of type file_object
Path: ^\/lib(|64)\/|^\/usr\/lib(|64)\/
Filename: no value
Filter: oval:ssg:ste:2206

Items not found satisfying library files uid root:

Object oval:ssg:obj:1699 of type file_object
Path: ^\/lib(|64)\/|^\/usr\/lib(|64)\/
Filename: ^.*$
Filter: oval:ssg:ste:2206

Verify that System Executables Have Restrictive Permissions

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
Result: pass
Time: 2017-10-22T02:40:38
Severity: medium

Identifiers and References

identifiers:  CCE-27289-8

references:  AC-6, 1499

Description

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
# chmod go-w FILE

Rationale

System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

OVAL details

Items not found satisfying binary files go-w:

Object oval:ssg:obj:1277 of type file_object
Path: ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin
Filename: ^.*$
Filter: oval:ssg:ste:2190
Filter: oval:ssg:ste:2191

Verify that System Executables Have Root Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Result: pass
Time: 2017-10-22T02:40:38
Severity: medium

Identifiers and References

identifiers:  CCE-27623-8

references:  AC-6, 1499

Description

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
# chown root FILE

Rationale

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.

OVAL details

Items not found satisfying binary directories uid root:

Object oval:ssg:obj:1397 of type file_object
Path: ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin
Filename: no value
Filter: oval:ssg:ste:2193

Items not found satisfying binary files uid root:

Object oval:ssg:obj:1398 of type file_object
Path: ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin
Filename: ^.*$
Filter: oval:ssg:ste:2193

Verify that All World-Writable Directories Have Sticky Bits Set

Rule ID: xccdf_org.ssgproject.content_rule_sticky_world_writable_dirs
Result: pass
Time: 2017-10-22T02:40:41
Severity: low

Identifiers and References

identifiers:  CCE-26840-9

references:  AC-6

Description

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:

# chmod +t DIR

Rationale

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

OVAL details

Items not found satisfying all local world-writable directories have sticky bit set:

Object oval:ssg:obj:1319 of type file_object
Behaviors: no value
Path: /
Filename: no value
Filter: oval:ssg:ste:1320
State oval:ssg:ste:1320 of type file_state
Sticky: false
Owrite: true

Ensure No World-Writable Files Exist

Rule ID: xccdf_org.ssgproject.content_rule_world_writeable_files
Result: pass
Time: 2017-10-22T02:40:49
Severity: medium

Identifiers and References

identifiers:  CCE-26910-0

references:  AC-6

Description

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.

Rationale

Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

OVAL details

Items not found satisfying world writable files:

Object oval:ssg:obj:1652 of type file_object
Behaviors: no value
Path: /
Filename: ^.*$
Filter: oval:ssg:ste:2202
Filter: oval:ssg:ste:2203
Filter: oval:ssg:ste:2204
Filter: oval:ssg:ste:2205

Ensure All Files Are Owned by a User

Rule ID: xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Result: pass
Time: 2017-10-22T02:40:58
Severity: low

Identifiers and References

identifiers:  CCE-27032-2

references:  AC-6, 224

Description

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

Rationale

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

OVAL details

Items not found satisfying Check user ids on all files on the system:

Object oval:ssg:obj:1849 of type file_object
Behaviors: no value
Path: /
Filename: .*
Filter: oval:ssg:ste:2212

Ensure All World-Writable Directories Are Owned by a System Account

Rule ID: xccdf_org.ssgproject.content_rule_world_writable_files_system_ownership
Result: pass
Time: 2017-10-22T02:40:59
Severity: low

Identifiers and References

identifiers:  CCE-26642-9

references:  AC-6

Description

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

OVAL details

Items not found satisfying check for local directories that are world writable and have uid greater than or equal to 500:

Object oval:ssg:obj:1789 of type file_object
Behaviors: no value
Path: /
Filename: no value
Filter: oval:ssg:ste:1790
State oval:ssg:ste:1790 of type file_state
User id: 500
Owrite: true

Disable Core Dumps for All Users

Rule ID: xccdf_org.ssgproject.content_rule_disable_users_coredumps
Result: fail
Time: 2017-10-22T02:40:59
Severity: low

Identifiers and References

identifiers:  CCE-27033-0

references:  SC-5

Description

To disable core dumps for all users, add the following line to /etc/security/limits.conf:

*     hard   core    0

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

OVAL details

Items not found violating Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file:

Object oval:ssg:obj:2041 of type textfilecontent54_object
Filepath: /etc/security/limits.conf
Pattern: ^[\s]*\*[\s]+hard[\s]+core[\s]+([\d]+)
Instance: 1
State oval:ssg:ste:2042 of type textfilecontent54_state
Subexpression: 0
Remediation script:
echo "*     hard   core    0" >> /etc/security/limits.conf

Disable Core Dumps for SUID programs

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result: fail
Time: 2017-10-22T02:40:59
Severity: low

Identifiers and References

identifiers:  CCE-27044-7

references:  SI-11

Description

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

# sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0

Rationale

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

OVAL details

Items found violating kernel runtime parameter fs.suid_dumpable set to 0:

Name: fs.suid_dumpable
Value: 0

Items not found violating fs.suid_dumpable static configuration:

Object oval:ssg:obj:1674 of type textfilecontent54_object
Filepath: /etc/sysctl.conf
Pattern: ^[\s]*fs.suid_dumpable[\s]*=[\s]*0*$
Instance: 1
Remediation script:
#
# Set runtime for fs.suid_dumpable
#
sysctl -q -n -w fs.suid_dumpable=0

#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#	else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
	sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
	echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi

Enable Randomized Layout of Virtual Address Space

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium

Identifiers and References

identifiers:  CCE-26999-3

references:  http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf

Description

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

# sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2

Rationale

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

OVAL details

Items found violating kernel runtime parameter kernel.randomize_va_space set to 2:

Name: kernel.randomize_va_space
Value: 2

Items not found violating kernel.randomize_va_space static configuration:

Object oval:ssg:obj:1238 of type textfilecontent54_object
Filepath: /etc/sysctl.conf
Pattern: ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2*$
Instance: 1
Remediation script:
#
# Set runtime for kernel.randomize_va_space
#
sysctl -q -n -w kernel.randomize_va_space=2

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
#	else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
if grep --silent ^kernel.randomize_va_space /etc/sysctl.conf ; then
	sed -i 's/^kernel.randomize_va_space.*/kernel.randomize_va_space = 2/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set kernel.randomize_va_space to 2 per security requirements" >> /etc/sysctl.conf
	echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
fi

Restrict Serial Port Root Logins

Rule ID: xccdf_org.ssgproject.content_rule_restrict_serial_port_logins
Result: fail
Time: 2017-10-22T02:40:59
Severity: low

Identifiers and References

identifiers:  CCE-27047-0

references:  AC-6(2), 770

Description

To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:

ttyS0
ttyS1

Rationale

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

OVAL details

Items found violating serial ports /etc/securetty:

Path            Content
/etc/securetty  ttyS0
/etc/securetty  ttyS1
/etc/securetty  ttyS2
/etc/securetty  ttyS3
/etc/securetty  ttyS4
/etc/securetty  ttyS5

Verify Only Root Has UID 0

Rule ID: xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result: pass
Time: 2017-10-22T02:40:59
Severity: medium

Identifiers and References

identifiers:  CCE-26971-2

references:  AC-6, IA-2(1), 366

Description

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

Rationale

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

OVAL details

Items not found satisfying test that there are no accounts with UID 0 except root in the /etc/passwd file:

Object oval:ssg:obj:1744 of type textfilecontent54_object
Filepath: /etc/passwd
Pattern: ^(?!root:)[^:]*:[^:]*:0
Instance: 1

Prevent Log In to Accounts With Empty Password

Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
Result: pass
Time: 2017-10-22T02:40:59
Severity: high

Identifiers and References

identifiers:  CCE-27038-9

references:  IA-5(b), IA-5(c), IA-5(1)(a)

Description

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

OVAL details

Items not found satisfying make sure nullok is not used in /etc/pam.d/system-auth:

Object oval:ssg:obj:1664 of type textfilecontent54_object
Filepath: /etc/pam.d/system-auth
Pattern: \s*nullok\s*
Instance: 1

Verify All Account Password Hashes are Shadowed

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
Result: pass
Time: 2017-10-22T02:40:59
Severity: medium

Identifiers and References

identifiers:  CCE-26476-2

references:  IA-5(h), 201

Description

If any password hashes are stored in /etc/passwd (in the second field, instead of an x), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

Rationale

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

OVAL details

Items found satisfying password hashes are shadowed:

Columns (colon-separated): Username:Password:User id:Group id:Gcos:Home dir:Login shell:Last login

root:x:0:0:root:/root:/bin/bash:1508632542
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin:0
bin:x:2:2:bin:/bin:/usr/sbin/nologin:0
sys:x:3:3:sys:/dev:/usr/sbin/nologin:0
sync:x:4:65534:sync:/bin:/bin/sync:0
games:x:5:60:games:/usr/games:/usr/sbin/nologin:0
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin:0
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin:0
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin:0
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin:0
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin:0
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin:0
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin:0
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin:0
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin:0
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin:0
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin:0
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin:-1
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false:0
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false:0
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false:0
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false:0
_apt:x:104:65534::/nonexistent:/bin/false:0
messagebus:x:105:110::/var/run/dbus:/bin/false:0
avahi:x:106:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false:0
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin:0
colord:x:108:115:colord colour management daemon,,,:/var/lib/colord:/bin/false:0
saned:x:109:116::/var/lib/saned:/bin/false:0
hplip:x:110:7:HPLIP system user,,,:/var/run/hplip:/bin/false:0
opr:x:1000:1000:opr,,,:/home/opr:/bin/bash:0

Set Password Hashing Algorithm in /etc/login.defs

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Result: pass
Time: 2017-10-22T02:40:59
Severity: medium

Identifiers and References

identifiers:  CCE-27228-6

references:  IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 803

Description

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

Rationale

Using a stronger hashing algorithm makes password cracking attacks more difficult.

OVAL details

Items found satisfying check ENCRYPT_METHOD in /etc/login.defs:

Path: /etc/login.defs
Content: ENCRYPT_METHOD SHA512
Set Password Hashing Algorithm in /etc/libuser.conf | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf | medium | CCE-27229-4

Set Password Hashing Algorithm in /etc/libuser.conf

Rule ID: xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-27229-4

references: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 803

Description

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

Rationale

Using a stronger hashing algorithm makes password cracking attacks more difficult.

OVAL details

Items not found violating The password hashing algorithm should be set correctly in /etc/libuser.conf:

Object oval:ssg:obj:1243 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/libuser.conf | ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ | 1
Ensure that Root's Path Does Not Include Relative Paths or Null Directories | xccdf_org.ssgproject.content_rule_root_path_no_dot | low | CCE-26826-8

Ensure that Root's Path Does Not Include Relative Paths or Null Directories

Rule ID: xccdf_org.ssgproject.content_rule_root_path_no_dot
Result: pass
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers: CCE-26826-8

references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf

Description

Ensure that none of the directories in root's path is a single . character, and that none contains an element that leads to relative path traversal, such as .. or a path that does not begin with the slash (/) character. Also ensure that there are no "empty" elements in the path, as in these examples:

PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character.

Rationale

Including these entries increases the risk that root could execute code from an untrusted location.

OVAL details

Items found satisfying environment variable PATH starts with : or .:

Pid | Name | Value
31383 | PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Items found satisfying environment variable PATH doesn't contain : twice in a row:

Pid | Name | Value
31383 | PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Items found satisfying environment variable PATH doesn't contain . twice in a row:

Pid | Name | Value
31383 | PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Items found satisfying environment variable PATH ends with : or .:

Pid | Name | Value
31383 | PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Items found satisfying environment variable PATH starts with an absolute path /:

Pid | Name | Value
31383 | PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Items found satisfying environment variable PATH contains relative paths:

Pid | Name | Value
31383 | PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Ensure that Root's Path Does Not Include World or Group-Writable Directories | xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable | low | CCE-26768-2

Ensure that Root's Path Does Not Include World or Group-Writable Directories

Rule ID: xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers: CCE-26768-2

references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf

Description

For each element in root's path, run:

# ls -ld DIR
and ensure that write permissions are disabled for group and other.

Rationale

Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.

OVAL details

Items found violating Check that write permission to group in root's path is denied:

Path | Type | UID | GID | Size (B) | Permissions
/usr/local/bin/ | directory | 0 | 50 | 4096 | rwxrwsr-x
/usr/local/sbin/ | directory | 0 | 50 | 4096 | rwxrwsr-x

Items not found violating Check that write permission to other in root's path is denied:

Object oval:ssg:obj:1448 of type file_object
Path | Filename | Filter
/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin | no value | oval:ssg:ste:2200
Ensure that User Home Directories are not Group-Writable or World-Readable | xccdf_org.ssgproject.content_rule_homedir_perms_no_groupwrite_worldread | low | CCE-26981-1

Ensure that User Home Directories are not Group-Writable or World-Readable

Rule ID: xccdf_org.ssgproject.content_rule_homedir_perms_no_groupwrite_worldread
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers: CCE-26981-1

references: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf

Description

For each human user of the system, view the permissions of the user's home directory:

# ls -ld /home/USER
Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions:
# chmod g-w /home/USER
# chmod o-rwx /home/USER

Rationale

User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs.

Warnings
warning: This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change.
OVAL details

Items found violating home directories:

Path | Type | UID | GID | Size (B) | Permissions
/home/opr/ | directory | 1000 | 1000 | 4096 | rwxr-xr-x
/home/ | directory | 0 | 0 | 4096 | rwxr-xr-x
Disable Kernel Parameter for Sending ICMP Redirects by Default | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects | medium | CCE-27001-7

Disable Kernel Parameter for Sending ICMP Redirects by Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-27001-7

references: AC-4, CM-7, SC-5, SC-7, 1551

Description

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.send_redirects = 0

Rationale

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0:

Name | Value
net.ipv4.conf.default.send_redirects | 1

Items not found violating net.ipv4.conf.default.send_redirects static configuration:

Object oval:ssg:obj:1602 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.default.send_redirects
#
sysctl -q -n -w net.ipv4.conf.default.send_redirects=0

#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.send_redirects.*/net.ipv4.conf.default.send_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.send_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
fi
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces | xccdf_org.ssgproject.content_rule_sysctl_ipv4_all_send_redirects | medium | CCE-27004-1

Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_ipv4_all_send_redirects
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-27004-1

references: CM-7, 1551

Description

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0

Rationale

Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0:

Name | Value
net.ipv4.conf.all.send_redirects | 1

Items not found violating net.ipv4.conf.all.send_redirects static configuration:

Object oval:ssg:obj:1763 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0*$ | 1
Disable Kernel Parameter for IP Forwarding | xccdf_org.ssgproject.content_rule_sysctl_ipv4_ip_forward | medium | CCE-26866-4

Disable Kernel Parameter for IP Forwarding

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_ipv4_ip_forward
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-26866-4

references: CM-7, SC-5, 366

Description

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

# sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 0

Rationale

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

OVAL details

Items found violating kernel runtime parameter net.ipv4.ip_forward set to 0:

Name | Value
net.ipv4.ip_forward | 0

Items not found violating net.ipv4.ip_forward static configuration:

Object oval:ssg:obj:1651 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0*$ | 1
Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route | medium | CCE-27037-1

Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-27037-1

references: CM-7, 1551

Description

To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0

Rationale

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.all.accept_source_route set to 0:

Name | Value
net.ipv4.conf.all.accept_source_route | 0

Items not found violating net.ipv4.conf.all.accept_source_route static configuration:

Object oval:ssg:obj:1972 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.all.accept_source_route=0

#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
fi
Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects | medium | CCE-27027-2

Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-27027-2

references: CM-7, 1503, 1551

Description

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0

Rationale

Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.all.accept_redirects set to 0:

Name | Value
net.ipv4.conf.all.accept_redirects | 1

Items not found violating net.ipv4.conf.all.accept_redirects static configuration:

Object oval:ssg:obj:1815 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
fi
Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects | medium | CCE-26854-0

Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-26854-0

references: AC-4, CM-7, 1503, 1551

Description

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.all.secure_redirects set to 0:

Name | Value
net.ipv4.conf.all.secure_redirects | 1

Items not found violating net.ipv4.conf.all.secure_redirects static configuration:

Object oval:ssg:obj:1920 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*0*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.all.secure_redirects=0

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.all.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.secure_redirects.*/net.ipv4.conf.all.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
fi
Enable Kernel Parameter to Log Martian Packets | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians | low | CCE-27066-0

Enable Kernel Parameter to Log Martian Packets

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers: CCE-27066-0

references: AC-17(7), CM-7, 126

Description

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.all.log_martians set to 1:

Name | Value
net.ipv4.conf.all.log_martians | 0

Items not found violating net.ipv4.conf.all.log_martians static configuration:

Object oval:ssg:obj:1248 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*1*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.all.log_martians
#
sysctl -q -n -w net.ipv4.conf.all.log_martians=1

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.log_martians = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
fi
Disable Kernel Parameter for Accepting Source-Routed Packets By Default | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route | medium | CCE-26983-7

Disable Kernel Parameter for Accepting Source-Routed Packets By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-26983-7

references: AC-4, CM-7, SC-5, SC-7, 1551

Description

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_source_route = 0

Rationale

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.default.accept_source_route set to 0:

Name | Value
net.ipv4.conf.default.accept_source_route | 1

Items not found violating net.ipv4.conf.default.accept_source_route static configuration:

Object oval:ssg:obj:2039 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*0*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_source_route = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
fi
Disable Kernel Parameter for Accepting ICMP Redirects By Default | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects | low | CCE-27015-7

Disable Kernel Parameter for Accepting ICMP Redirects By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers: CCE-27015-7

references: AC-4, CM-7, SC-5, SC-7, 1551

Description

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.accept_redirects = 0

Rationale

This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.default.accept_redirects set to 0:

Name | Value
net.ipv4.conf.default.accept_redirects | 1

Items not found violating net.ipv4.conf.default.accept_redirects static configuration:

Object oval:ssg:obj:1451 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*0*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
fi
Disable Kernel Parameter for Accepting Secure Redirects By Default | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects | medium | CCE-26831-8

Disable Kernel Parameter for Accepting Secure Redirects By Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-26831-8

references: AC-4, CM-7, SC-5, SC-7, 1551

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.default.secure_redirects set to 0:

Name | Value
net.ipv4.conf.default.secure_redirects | 1

Items not found violating net.ipv4.conf.default.secure_redirects static configuration:

Object oval:ssg:obj:1916 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*0*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
sysctl -q -n -w net.ipv4.conf.default.secure_redirects=0

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.conf.default.secure_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.secure_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.secure_redirects.*/net.ipv4.conf.default.secure_redirects = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.secure_redirects to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
fi
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts | low | CCE-26883-9

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers: CCE-26883-9

references: CM-7, SC-5, 1551

Description

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

OVAL details

Items found violating kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to 1:

Name | Value
net.ipv4.icmp_echo_ignore_broadcasts | 1

Items not found violating net.ipv4.icmp_echo_ignore_broadcasts static configuration:

Object oval:ssg:obj:1390 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
fi
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses | low | CCE-26993-6

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers: CCE-26993-6

references: CM-7, SC-5

Description

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

OVAL details

Items found violating kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to 1:

Name | Value
net.ipv4.icmp_ignore_bogus_error_responses | 1

Items not found violating net.ipv4.icmp_ignore_bogus_error_responses static configuration:

Object oval:ssg:obj:1337 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*1*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses=1

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_ignore_bogus_error_responses.*/net.ipv4.icmp_ignore_bogus_error_responses = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.icmp_ignore_bogus_error_responses to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf
fi
Enable Kernel Parameter to Use TCP Syncookies | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies | medium | CCE-27053-8

Enable Kernel Parameter to Use TCP Syncookies

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-27053-8

references: AC-4, 1092, 1095

Description

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

# sysctl -w net.ipv4.tcp_syncookies=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1

Rationale

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

OVAL details

Items found violating kernel runtime parameter net.ipv4.tcp_syncookies set to 1:

Name | Value
net.ipv4.tcp_syncookies | 1

Items not found violating net.ipv4.tcp_syncookies static configuration:

Object oval:ssg:obj:1827 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*1*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.tcp_syncookies
#
sysctl -q -n -w net.ipv4.tcp_syncookies=1

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.tcp_syncookies to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
fi
Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter | medium | CCE-26979-5

Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers: CCE-26979-5

references: AC-4, SC-5, SC-7, 1551

Description

To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets whose source address could not legitimately have arrived on the interface they were received on. It should not be used on systems that act as routers for complicated networks, but it is helpful for end hosts and for routers serving small networks.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1:

Name | Value
net.ipv4.conf.all.rp_filter | 0

Items not found violating net.ipv4.conf.all.rp_filter static configuration:

Object oval:ssg:obj:1511 of type textfilecontent54_object
Filepath | Pattern | Instance
/etc/sysctl.conf | ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*1*$ | 1
Remediation script:
#
# Set runtime for net.ipv4.conf.all.rp_filter
#
sysctl -q -n -w net.ipv4.conf.all.rp_filter=1

#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.all.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.rp_filter to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
fi
Enable Kernel Parameter to Use Reverse Path Filtering by Default

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers:  CCE-26915-9

references:  AC-4, SC-5, SC-7,

Description

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

# sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

OVAL details

Items found violating kernel runtime parameter net.ipv4.conf.default.rp_filter set to 1:

Name: net.ipv4.conf.default.rp_filter
Value: 0

Items not found violating net.ipv4.conf.default.rp_filter static configuration:

Object oval:ssg:obj:1534 of type textfilecontent54_object
Filepath: /etc/sysctl.conf
Pattern: ^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*1*$
Instance: 1
Remediation script:
#
# Set runtime for net.ipv4.conf.default.rp_filter
#
sysctl -q -n -w net.ipv4.conf.default.rp_filter=1

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter = 1/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.rp_filter to 1 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
fi
Deactivate Wireless Network Interfaces

Rule ID: xccdf_org.ssgproject.content_rule_deactivate_wireless_interfaces
Result: pass
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers:  CCE-27057-9

references:  AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85,

Description

Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

First, identify the interfaces available with the command:

# ifconfig -a
Additionally, the following command may also be used to determine whether wireless support ('extensions') is included for a particular interface, though this may not always be a clear indicator:
# iwconfig
After identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, em1 or eth0), deactivate the interface with the command:
# ifdown interface
These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts:
# rm /etc/sysconfig/network-scripts/ifcfg-interface

Rationale

Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind.

OVAL details

Items not found satisfying query /proc/net/wireless:

Object oval:ssg:obj:1321 of type textfilecontent54_object
Filepath: /proc/net/wireless
Pattern: ^\s*[-\w]+:
Instance: 1
Disable Bluetooth Kernel Modules

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers:  CCE-26763-3

references:  AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 1551,

Description

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

install net-pf-31 /bin/false
install bluetooth /bin/false

Rationale

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

OVAL details

Items not found violating kernel module bluetooth disabled:

Object oval:ssg:obj:1257 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+/bin/false$
Instance: 1

Items not found violating kernel module net-pf-31 disabled:

Object oval:ssg:obj:1258 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+net-pf-31\s+/bin/false$
Instance: 1
Disable Support for RPC IPv6

Rule ID: xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc
Result: pass
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers:  CCE-27232-8

references:  CM-7

Description

RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig:

udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -

OVAL details

Items not found satisfying Test for udp6 based rpc services:

Object oval:ssg:obj:1432 of type textfilecontent54_object
Path: /etc
Filename: netconfig
Pattern: ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$
Instance: 1

Items not found satisfying Test for tcp6 based rpc services:

Object oval:ssg:obj:1433 of type textfilecontent54_object
Path: /etc
Filename: netconfig
Pattern: ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$
Instance: 1
Disable Accepting IPv6 Router Advertisements

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers:  CCE-27164-3

references:  CM-7

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

# sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

OVAL details

Items found violating kernel runtime parameter net.ipv6.conf.default.accept_ra set to 0:

Name: net.ipv6.conf.default.accept_ra
Value: 1

Items not found violating net.ipv6.conf.default.accept_ra static configuration:

Object oval:ssg:obj:1280 of type textfilecontent54_object
Filepath: /etc/sysctl.conf
Pattern: ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*0*$
Instance: 1
Remediation script:
#
# Set runtime for net.ipv6.conf.default.accept_ra
#
sysctl -q -n -w net.ipv6.conf.default.accept_ra=0

#
# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.default.accept_ra = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.default.accept_ra /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.default.accept_ra.*/net.ipv6.conf.default.accept_ra = 0/g' /etc/sysctl.conf
else
	echo "" >> /etc/sysctl.conf
	echo "# Set net.ipv6.conf.default.accept_ra to 0 per security requirements" >> /etc/sysctl.conf
	echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
fi
Disable Accepting IPv6 Redirects

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_ipv6_default_accept_redirects
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers:  CCE-27166-8

references:  CM-7, 1551

Description

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

# sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_redirects = 0

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

OVAL details

Items found violating kernel runtime parameter net.ipv6.conf.default.accept_redirects set to 0:

Name: net.ipv6.conf.default.accept_redirects
Value: 1

Items not found violating net.ipv6.conf.default.accept_redirects static configuration:

Object oval:ssg:obj:1726 of type textfilecontent54_object
Filepath: /etc/sysctl.conf
Pattern: ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*0*$
Instance: 1
Disable DCCP Support

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers:  CCE-26448-1

references:  CM-7, 382,

Description

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install dccp /bin/false

Rationale

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

OVAL details

Items not found violating kernel module dccp disabled:

Object oval:ssg:obj:1953 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+dccp\s+(/bin/false|/bin/true)$
Instance: 1

Items not found violating kernel module dccp disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1954 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+dccp\s+(/bin/false|/bin/true)$
Instance: 1
Remediation script:
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
Disable SCTP Support

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers:  CCE-26410-1

references:  CM-7, 382,

Description

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install sctp /bin/false

Rationale

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

OVAL details

Items not found violating kernel module sctp disabled:

Object oval:ssg:obj:1779 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1

Items not found violating kernel module sctp disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1780 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
Remediation script:
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
Disable RDS Support

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
Result: fail
Time: 2017-10-22T02:40:59
Severity: low
Identifiers and References

identifiers:  CCE-26239-4

references:  CM-7, 382,

Description

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install rds /bin/false

Rationale

Disabling RDS protects the system against exploitation of any flaws in its implementation.

OVAL details

Items not found violating kernel module rds disabled:

Object oval:ssg:obj:1612 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+rds\s+(/bin/false|/bin/true)$
Instance: 1

Items not found violating kernel module rds disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1613 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+rds\s+(/bin/false|/bin/true)$
Instance: 1
Remediation script:
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
Disable TIPC Support

Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
Result: fail
Time: 2017-10-22T02:40:59
Severity: medium
Identifiers and References

identifiers:  CCE-26696-5

references:  CM-7, 382,

Description

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install tipc /bin/false

Rationale

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

OVAL details

Items not found violating kernel module tipc disabled:

Object oval:ssg:obj:1512 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1

Items not found violating kernel module tipc disabled in /etc/modprobe.conf:

Object oval:ssg:obj:1513 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
Remediation script:
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
Ensure Log Files Are Owned By Appropriate User

Rule ID: xccdf_org.ssgproject.content_rule_userowner_rsyslog_files
Result: pass
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-26812-8

references:  AC-6, 1314,

Description

The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:

$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
# chown root LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

OVAL details

Items found satisfying Files that end in .log in /var/log owned by root:

Path                       Type     UID  GID  Size (B)  Permissions
/var/log/user.log          regular  0    4    3794      rw-r-----
/var/log/alternatives.log  regular  0    0    25240     rw-r--r--
/var/log/kern.log          regular  0    4    157944    rw-r-----
/var/log/auth.log          regular  0    4    8832      rw-r-----
/var/log/syslog            regular  0    4    194318    rw-r-----
/var/log/fontconfig.log    regular  0    0    1651      rw-r--r--
/var/log/daemon.log        regular  0    4    31036     rw-r-----
/var/log/dpkg.log          regular  0    0    369676    rw-r--r--
/var/log/lastlog           regular  0    43   292292    rw-rw-r--
/var/log/faillog           regular  0    0    32032     rw-r--r--
Ensure System Log Files Have Correct Permissions

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_file_permissions
Result: unknown
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-27190-8

references:  http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 1314,

Description

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:

$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
# chmod 0600 LOGFILE

Rationale

Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.

Ensure Logs Sent To Remote Host

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_send_messages_to_logserver
Result: fail
Time: 2017-10-22T02:41:00
Severity: low
Identifiers and References

identifiers:  CCE-26801-1

references:  AU-3(2), AU-9, 1348, 136

Description

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @loghost.example.com

To use TCP for log message delivery:
*.* @@loghost.example.com

To use RELP for log message delivery:
*.* :omrelp:loghost.example.com

Rationale

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

OVAL details

Items not found violating Ensures system configured to export logs to remote host:

Object oval:ssg:obj:1747 of type textfilecontent54_object
Filepath: /etc/rsyslog.conf
Pattern: ^\*\.\*[\s]+(?:@|\:omrelp\:)
Instance: 1

Items not found violating Ensures system configured to export logs to remote host:

Object oval:ssg:obj:1748 of type textfilecontent54_object
Path: /etc/rsyslog.d
Filename: .*
Pattern: ^\*\.\*[\s]+(?:@|\:omrelp\:)
Instance: 1
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Rule ID: xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_none
Result: pass
Time: 2017-10-22T02:41:00
Severity: low
Identifiers and References

identifiers:  CCE-26803-7

references:  AU-9(2)

Description

The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

Rationale

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

OVAL details

Items not found satisfying Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun:

Object oval:ssg:obj:2156 of type textfilecontent54_object
Path: /etc
Filename: rsyslog.conf
Pattern: ^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun
Instance: 1
Ensure Logrotate Runs Periodically

Rule ID: xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Result: notchecked
Time: 2017-10-22T02:41:00
Severity: low
Identifiers and References

identifiers:  CCE-27014-0

references:  AU-9, 366

Description

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:

# rotate log files frequency
daily

Rationale

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

Evaluation messages

info: None of the check-content-ref elements was resolvable.
System Audit Logs Must Have Mode 0640 or Less Permissive

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Result: pass
Time: 2017-10-22T02:41:00
Severity: low
Identifiers and References

identifiers:  CCE-27243-5

references:  AC-6, AU-1(b), AU-9, IR-5, 166,

Description

Change the mode of the audit log files with the following command:

# chmod 0640 audit_file

Rationale

If users can write to audit logs, audit trails can be modified or destroyed.

OVAL details

Items not found satisfying /var/log/audit files mode 0640:

Object oval:ssg:obj:1467 of type file_object
Behaviors: no value
Path: /var/log/audit
Filename: ^.*$
Filter: oval:ssg:ste:1468

State oval:ssg:ste:1468 of type file_state
Suid: true
Sgid: true
Sticky: true
Uexec: true
Gwrite: true
Gexec: true
Oread: true
Owrite: true
Oexec: true
Remove Rsh Trust Files

Rule ID: xccdf_org.ssgproject.content_rule_no_rsh_trust_files
Result: pass
Time: 2017-10-22T02:41:00
Severity: high
Identifiers and References

identifiers:  CCE-27270-8

references:  AC-17(8), CM-7, 1436,

Description

The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:

# rm /etc/hosts.equiv
$ rm ~/.rhosts

Rationale

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

OVAL details

Items not found satisfying look for .rhosts or .shosts in /root:

Object oval:ssg:obj:1312 of type file_object
Path: /root
Filename: ^\.(r|s)hosts$

Items not found satisfying look for .rhosts or .shosts in /home:

Object oval:ssg:obj:1313 of type file_object
Behaviors: no value
Path: /home
Filename: ^\.(r|s)hosts$

Items not found satisfying look for /etc/hosts.equiv or /etc/shosts.equiv:

Object oval:ssg:obj:1314 of type file_object
Path: /etc
Filename: ^s?hosts\.equiv$
Allow Only SSH Protocol 2

Rule ID: xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Result: error
Time: 2017-10-22T02:41:00
Severity: high
Identifiers and References

identifiers:  CCE-27072-8

references:  AC-17(7), IA-5(1)(c), 776, 774, 1436,

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

Rationale

SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

OVAL details

Items not found violating sshd uses protocol 2:

Object oval:ssg:obj:2034 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$
Instance: 1
Disable SSH Support for .rhosts Files

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
Result: pass
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-27124-7

references:  765, 766

Description

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

Items not found satisfying Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:

Object oval:ssg:obj:2051 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$
Instance: 1
Disable Host-Based Authentication

Rule ID: xccdf_org.ssgproject.content_rule_disable_host_auth
Result: pass
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-27091-8

references:  765, 766,

Description

SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:

HostbasedAuthentication no

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

Items not found satisfying sshd HostbasedAuthentication:

Object oval:ssg:obj:2015 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$
Instance: 1
Disable SSH Access via Empty Passwords

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result: error
Time: 2017-10-22T02:41:00
Severity: high
Identifiers and References

identifiers:  CCE-26887-0

references:  765, 766,

Description

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL details

Items not found violating Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file:

Object oval:ssg:obj:1667 of type textfilecontent54_object
Filepath: /etc/ssh/sshd_config
Pattern: ^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$
Instance: 1
Remediation script:
grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config && \
  sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
fi
Specify a Remote NTP Server

Rule ID: xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result: fail
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-27098-3

references:  AU-8(1), 160,

Description

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.

Rationale

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.

OVAL details

Items not found violating Ensure at least one NTP server is set:

Object oval:ssg:obj:1362 of type textfilecontent54_object
Path: /etc
Filename: ntp.conf
Pattern: ^[\s]*server[\s]+.+$
Instance: 1
Disable Postfix Network Listening

Rule ID: xccdf_org.ssgproject.content_rule_postfix_network_listening
Result: fail
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-26780-7

references:  CM-7, 382,

Description

Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:

inet_interfaces = localhost

Rationale

This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

OVAL details

Items not found violating inet_interfaces in /etc/postfix/main.cf should be set correctly:

Object oval:ssg:obj:1986 of type textfilecontent54_object
Path: /etc/postfix
Filename: main.cf
Pattern: ^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$
Instance: 1
Mount Remote Filesystems with nodev

Rule ID: xccdf_org.ssgproject.content_rule_use_nodev_option_on_nfs_mounts
Result: pass
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-27090-0

references: 

Description

Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

OVAL details

Items not found satisfying no nfs:

Object oval:ssg:obj:1810 of type textfilecontent54_object
Filepath: /etc/fstab
Pattern: ^\s*[\.\w]+:[/\w]+\s+[/\w]+\s+nfs[4]?\s+.*$
Instance: 0

Items not found satisfying all nfs has nodev:

Object oval:ssg:obj:1808 of type textfilecontent54_object
Filepath: /etc/fstab
Pattern: ^\s*[\.\w]+:[/\w]+\s+[/\w]+\s+nfs[4]?\s+(.*)$
Instance: 0

State oval:ssg:ste:1809 of type textfilecontent54_state
Subexpression: ^.*nodev.*$
Mount Remote Filesystems with nosuid

Rule ID: xccdf_org.ssgproject.content_rule_use_nosuid_option_on_nfs_mounts
Result: pass
Time: 2017-10-22T02:41:00
Severity: medium
Identifiers and References

identifiers:  CCE-26972-0

references: 

Description

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

OVAL details

Items not found satisfying no nfs:

Object oval:ssg:obj:1679 of type textfilecontent54_object
  Filepath:  /etc/fstab
  Pattern:   ^\s*[\.\w]+:[/\w]+\s+[/\w]+\s+nfs[4]?\s+.*$
  Instance:  0

Items not found satisfying all nfs has nosuid:

Object oval:ssg:obj:1677 of type textfilecontent54_object
  Filepath:  /etc/fstab
  Pattern:   ^\s*[\.\w]+:[/\w]+\s+[/\w]+\s+nfs[4]?\s+(.*)$
  Instance:  0
State oval:ssg:ste:1678 of type textfilecontent54_state
  Subexpression:  ^.*nosuid.*$
Require Client SMB Packet Signing, if using smbclient (xccdf_org.ssgproject.content_rule_require_smb_client_signing), severity low, CCE-26328-5

Require Client SMB Packet Signing, if using smbclient

Rule ID: xccdf_org.ssgproject.content_rule_require_smb_client_signing
Result: unknown
Time: 2017-10-22T02:41:00
Severity: low
Identifiers and References

identifiers:  CCE-26328-5

Description

To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:

client signing = mandatory

Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing.

Rationale

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

OVAL details

Items not found violating check for client signing = mandatory in /etc/samba/smb.conf:

Object oval:ssg:obj:2010 of type textfilecontent54_object
  Path:      /etc/samba
  Filename:  smb.conf
  Pattern:   ^[\s]*client[\s]+signing[\s]*=[\s]*mandatory
  Instance:  1
Require Client SMB Packet Signing, if using mount.cifs (xccdf_org.ssgproject.content_rule_require_smb_client_signing_mount.cifs), severity low, CCE-26792-2

Require Client SMB Packet Signing, if using mount.cifs

Rule ID: xccdf_org.ssgproject.content_rule_require_smb_client_signing_mount.cifs
Result: pass
Time: 2017-10-22T02:41:00
Severity: low
Identifiers and References

identifiers:  CCE-26792-2

Description

Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used.

See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers that support SMB packet signing.

Rationale

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

OVAL details

Items not found satisfying check for no cifs in /etc/fstab:

Object oval:ssg:obj:1596 of type textfilecontent54_object
  Path:      /etc
  Filename:  fstab
  Pattern:   ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+)
  Instance:  1

Items not found satisfying check for sec=krb5i or sec=ntlmv2i in /etc/fstab:

Object oval:ssg:obj:1596 of type textfilecontent54_object
  Path:      /etc
  Filename:  fstab
  Pattern:   ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+)
  Instance:  1
State oval:ssg:ste:1597 of type textfilecontent54_state
  Instance:       2
  Subexpression:  sec=(krb5i|ntlmv2i)

Items not found satisfying check for no cifs in /etc/mtab:

Object oval:ssg:obj:1598 of type textfilecontent54_object
  Path:      /etc
  Filename:  mtab
  Pattern:   ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+)
  Instance:  1

Items not found satisfying check for sec=krb5i or sec=ntlmv2i in /etc/mtab:

Object oval:ssg:obj:1598 of type textfilecontent54_object
  Path:      /etc
  Filename:  mtab
  Pattern:   ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+)
  Instance:  1
State oval:ssg:ste:1597 of type textfilecontent54_state
  Instance:       2
  Subexpression:  sec=(krb5i|ntlmv2i)