Rules In DISA STIG for Red Hat Enterprise Linux 6


V-ID CCI CAT Title Description Check Procedures Fixtext Version
RHEL-06-000001 CCI-000366 low The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. Run the following command to determine if /tmp is on its own partition or logical volume: $ mount | grep "on /tmp" If /tmp has its own partition or volume group, a line will be returned. Is it the case that no line is returned? The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. RHEL-06-000001
RHEL-06-000002 CCI-000366 low Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. Run the following command to determine if /var is on its own partition or logical volume: $ mount | grep "on /var" If /var has its own partition or volume group, a line will be returned. Is it the case that no line is returned? The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. RHEL-06-000002
RHEL-06-000003 CCI-000366 low Placing /var/log in its own partition enables better separation between log files and other files in /var/. Run the following command to determine if /var/log is on its own partition or logical volume: $ mount | grep "on /var/log" If /var/log has its own partition or volume group, a line will be returned. Is it the case that no line is returned? System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. RHEL-06-000003
RHEL-06-000004 CCI-000137 low Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Run the following command to determine if /var/log/audit is on its own partition or logical volume: $ mount | grep "on /var/log/audit" If /var/log/audit has its own partition or volume group, a line will be returned. Is it the case that no line is returned? Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. RHEL-06-000004
RHEL-06-000005 CCI-000138 medium Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action /etc/audit/auditd.conf space_left_action Acceptable values are email, suspend, single, and halt. Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low? The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
RHEL-06-000005
RHEL-06-000007 CCI-000366 low Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. Run the following command to determine if /home is on its own partition or logical volume: $ mount | grep "on /home" If /home has its own partition or volume group, a line will be returned. Is it the case that no line is returned? If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. RHEL-06-000007
RHEL-06-000008 CCI-000352 high Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. To ensure that the GPG key is installed, run: $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey The command should return the string below: gpg(Red Hat, Inc. (release key 2) <security@redhat.com> Is it the case that the Red Hat GPG Key is not installed? To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
RHEL-06-000008
RHEL-06-000009 CCI-000382 low Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the rhnsd daemon can remain on. To check that the rhnsd service is disabled in system boot configuration, run the following command: $ sudo chkconfig rhnsd --list Output should indicate the rhnsd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig rhnsd --list rhnsd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify rhnsd is disabled through current runtime configuration: $ sudo service rhnsd status If the service is disabled the command will return the following output: rhnsd is stopped Is it the case that ? The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The rhnsd service can be disabled with the following command:
$ sudo chkconfig rhnsd off
RHEL-06-000009
RHEL-06-000011 CCI-001233 medium Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
RHEL-06-000011
RHEL-06-000013 CCI-000663 medium Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
To determine whether yum is configured to use gpgcheck, inspect /etc/yum.conf and ensure the following appears in the [main] section: gpgcheck=1 A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled. Is it the case that GPG checking is not enabled? The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
RHEL-06-000013
RHEL-06-000015 CCI-000663 low Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." To determine whether yum has been configured to disable gpgcheck for any repos, inspect all files in /etc/yum.repos.d and ensure the following does not appear in any sections: gpgcheck=0 A value of 0 indicates that gpgcheck has been disabled for that repo. Is it the case that GPG checking is disabled? To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
RHEL-06-000015
RHEL-06-000016 CCI-001069 medium The AIDE package must be installed if it is to be available for integrity checking. Run the following command to determine if the aide package is installed: $ rpm -q aide Is it the case that the package is not installed? The aide package can be installed with the following command:
$ sudo yum install aide
RHEL-06-000016
RHEL-06-000017 CCI-000366 medium Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. Inspect /etc/grub.conf for any instances of selinux=0 in the kernel boot arguments. Presence of selinux=0 indicates that SELinux is disabled at boot time. Is it the case that SELinux is disabled at boot time? SELinux can be disabled at boot time by an argument in /etc/grub.conf. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot. RHEL-06-000017
RHEL-06-000018 CCI-000366 medium For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. To find the location of the AIDE databse file, run the following command: $ sudo ls -l DBDIR/database_file_name Is it the case that there is no database file? Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
RHEL-06-000018
RHEL-06-000019 CCI-001436 high This action is only meaningful if .rhosts support is permitted through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. The existence of the file /etc/hosts.equiv or a file named .rhosts inside a user home directory indicates the presence of an Rsh trust relationship. Is it the case that these files exist? The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
RHEL-06-000019
RHEL-06-000020 CCI-000366 medium Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. Check the file /etc/selinux/config and ensure the following line appears: SELINUX= Is it the case that SELINUX is not set to enforcing? The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=
RHEL-06-000020
RHEL-06-000023 CCI-000366 low Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
Check the file /etc/selinux/config and ensure the following line appears: SELINUXTYPE= Is it the case that it does not? The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
RHEL-06-000023
RHEL-06-000025 CCI-000366 low If a device file carries the SELinux type device_t or unlabeled_t, then SELinux cannot properly restrict access to the device file. To check for incorrectly labeled device files, run following commands: $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" It should produce no output in a well-configured system. Is it the case that there is output? Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type device_t or unlabeled_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
RHEL-06-000025
RHEL-06-000027 CCI-000770 medium Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. To check for virtual console entries which permit root login, run the following command: $ sudo grep ^vc/[0-9] /etc/securetty If any output is returned, then root logins over virtual console devices is permitted. Is it the case that root login over virtual console devices is permitted? To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4
RHEL-06-000027
RHEL-06-000028 CCI-000770 low Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. To check for serial port entries which permit root login, run the following command: $ sudo grep ^ttyS/[0-9] /etc/securetty If any output is returned, then root login over serial ports is permitted. Is it the case that root login over serial ports is permitted? To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1
RHEL-06-000028
RHEL-06-000030 CCI-000366 high If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. To verify that null passwords cannot be used, run the following command: $ grep nullok /etc/pam.d/system-auth If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords. Is it the case that NULL passwords can be used? If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords. RHEL-06-000030
RHEL-06-000031 CCI-000366 medium The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users. To check that no password hashes are stored in /etc/passwd, run the following command: awk '!/\S:x|\*/ {print}' /etc/passwd If it produces any output, then a password hash is stored in /etc/passwd. Is it the case that any stored hashes are found in /etc/passwd? If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely. RHEL-06-000031
RHEL-06-000032 CCI-000366 medium An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. To list all password file entries for accounts with UID 0, run the following command: $ awk -F: '($3 == \"0\") {print}' /etc/passwd This should print only one line, for the user root. If there is a finding, change the UID of the failing (non-root) user. If the account is associated with the system commands or applications the UID should be changed to one greater than 0 but less than 1000. Otherwise assign a UID of greater than 1000 that has not already been assigned. Is it the case that any account other than root has a UID of 0? If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
RHEL-06-000032
RHEL-06-000033 CCI-000366 medium The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. To check the ownership of /etc/shadow, run the command: $ ls -lL /etc/shadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/shadow has owner root? To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow 
RHEL-06-000033
RHEL-06-000034 CCI-000366 medium The /etc/shadow file stores password hashes. Protection of this file is critical for system security. To check the group ownership of /etc/shadow, run the command: $ ls -lL /etc/shadow If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/shadow has group owner root? To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow
RHEL-06-000034
RHEL-06-000035 CCI-000366 medium The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. To check the permissions of /etc/shadow, run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: ---------- Is it the case that /etc/shadow has unix mode ----------? To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
RHEL-06-000035
RHEL-06-000036 CCI-000366 medium The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. To check the ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/gshadow has owner root? To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow 
RHEL-06-000036
RHEL-06-000037 CCI-000366 medium The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. To check the group ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/gshadow has group owner root? To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
RHEL-06-000037
RHEL-06-000038 CCI-000366 medium The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. To check the permissions of /etc/gshadow, run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: ---------- Is it the case that /etc/gshadow has unix mode ----------? To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
RHEL-06-000038
RHEL-06-000039 CCI-000366 medium The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. To check the ownership of /etc/passwd, run the command: $ ls -lL /etc/passwd If properly configured, the output should indicate the following owner: root Is it the case that /etc/passwd has owner root? To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
RHEL-06-000039
RHEL-06-000040 CCI-000366 medium The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. To check the group ownership of /etc/passwd, run the command: $ ls -lL /etc/passwd If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/passwd has group owner root? To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
RHEL-06-000040
RHEL-06-000041 CCI-000366 medium If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. To check the permissions of /etc/passwd, run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/passwd has unix mode -rw-r--r--? To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
RHEL-06-000041
RHEL-06-000042 CCI-000366 medium The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. To check the ownership of /etc/group, run the command: $ ls -lL /etc/group If properly configured, the output should indicate the following owner: root Is it the case that /etc/group has owner root? To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group 
RHEL-06-000042
RHEL-06-000043 CCI-000366 medium The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. To check the group ownership of /etc/group, run the command: $ ls -lL /etc/group If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/group has group owner root? To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
RHEL-06-000043
RHEL-06-000044 CCI-000366 medium The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. To check the permissions of /etc/passwd, run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/group has unix mode -rw-r--r--? To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
RHEL-06-000044
RHEL-06-000045 CCI-001499 medium Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR which contains shared libraries: $ sudo find -L DIR -perm /022 -type f Is it the case that any of these files are group-writable or world-writable? System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
RHEL-06-000045
RHEL-06-000046 CCI-001499 medium Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. Shared libraries are stored in the following directories: /lib /lib64 /usr/lib /usr/lib64 For each of these directories, run the following command to find files not owned by root: $ sudo find -L $DIR ! -user root -exec chown root {} \; Is it the case that any of these files are not owned by root? System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
RHEL-06-000046
RHEL-06-000047 CCI-001499 medium System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin To find system executables that are group-writable or world-writable, run the following command for each directory DIR which contains system executables: $ sudo find -L DIR -perm /022 -type f Is it the case that any system executables are found to be group or world writable? System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
RHEL-06-000047
RHEL-06-000048 CCI-001499 medium System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin To find system executables that are not owned by root, run the following command for each directory DIR which contains system executables: $ sudo find DIR/ \! -user root Is it the case that any system executables are found to not be owned by root? System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
RHEL-06-000048
RHEL-06-000050 CCI-000205 medium Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs The DoD requirement is 15. Is it the case that it is not set to the required value? To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MIN_LEN 


The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.
RHEL-06-000050
RHEL-06-000051 CCI-000198 medium Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs Is it the case that it is not equal to or greater than the required value? To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MIN_DAYS 
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
RHEL-06-000051
RHEL-06-000053 CCI-000199 medium Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value? To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MAX_DAYS 
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
RHEL-06-000053
RHEL-06-000054 CCI-000366 low Setting the password warning age enables users to make the change at a practical time. To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. Is it the case that it is not set to the required value? To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:
PASS_WARN_AGE 
The DoD requirement is 7. The profile requirement is .
RHEL-06-000054
RHEL-06-000056 CCI-000194 low Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit=-1. Is it the case that dcredit is not found or not set to the required value? The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords. RHEL-06-000056
RHEL-06-000057 CCI-000192 low Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit=-1. Is it the case that ucredit is not found or not set to the required value? The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords. RHEL-06-000057
RHEL-06-000058 CCI-001619 low Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit=-1. Is it the case that ocredit is not found or not set to the required value? The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ocredit= after pam_cracklib.so to require use of a special character in passwords. RHEL-06-000058
RHEL-06-000059 CCI-000193 low Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. To check how many lowercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The lcredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit=-1. Is it the case that lcredit is not found or not set to the required value? The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords. RHEL-06-000059
RHEL-06-000060 CCI-000195 low Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth The difok parameter will indicate how many characters must differ. The DoD requires four characters differ during a password change. This would appear as difok=4. Is it the case that difok is not found or not set to the required value? The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. Add difok= after pam_cracklib.so to require differing characters when changing passwords. The DoD requirement is 4. RHEL-06-000060
RHEL-06-000061 CCI-000044 medium Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth The output should show deny=. Is it the case that that is not the case? To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
RHEL-06-000061
RHEL-06-000062 CCI-000803 medium Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
Inspect the password section of /etc/pam.d/system-auth and ensure that the pam_unix.so module includes the argument sha512: $ grep sha512 /etc/pam.d/system-auth Is it the case that it does not? The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
RHEL-06-000062
RHEL-06-000063 CCI-000803 medium Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
Inspect /etc/login.defs and ensure the following line appears: ENCRYPT_METHOD SHA512 Is it the case that it does not? In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
RHEL-06-000063
RHEL-06-000064 CCI-000803 medium Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
Inspect /etc/libuser.conf and ensure the following line appears in the [default] section: crypt_style = sha512 Is it the case that it does not? In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:
crypt_style = sha512
RHEL-06-000064
RHEL-06-000065 CCI-000366 medium Only root should be able to modify important boot parameters. To check the ownership of /etc/grub.conf, run the command: $ ls -lL /etc/grub.conf If properly configured, the output should indicate the following owner: root Is it the case that /etc/grub.conf has owner root? The file /etc/grub.conf should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /etc/grub.conf, run the command:
$ sudo chown root /etc/grub.conf 
RHEL-06-000065
RHEL-06-000066 CCI-000366 medium The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. To check the group ownership of /etc/grub.conf, run the command: $ ls -lL /etc/grub.conf If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/grub.conf has group owner root? The file /etc/grub.conf should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /etc/grub.conf, run the command:
$ sudo chgrp root /etc/grub.conf
RHEL-06-000066
RHEL-06-000067 CCI-000366 medium Proper permissions ensure that only the root user can modify important boot parameters. To check the permissions of /etc/grub.conf, run the command: $ sudo ls -lL /etc/grub.conf If properly configured, the output should indicate the following permissions: -rw------- Is it the case that it does not? File permissions for /boot/grub/grub.conf should be set to 600, which is the default. To properly set the permissions of /boot/grub/grub.conf, run the command:
$ sudo chmod 600 /boot/grub/grub.conf
RHEL-06-000067
RHEL-06-000068 CCI-000213 medium Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. To verify the boot loader password has been set and encrypted, run the following command: $ sudo grep password /etc/grub.conf The output should show the following: password --encrypted password-hash Is it the case that it does not? The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:
$ grub-crypt --sha-512
When prompted to enter a password, insert the following line into /etc/grub.conf immediately after the header comments. (Use the output from grub-crypt as the value of password-hash):
password --encrypted password-hash
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.
RHEL-06-000068
RHEL-06-000069 CCI-000213 medium This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init The output should be the following: SINGLE=/sbin/sulogin Is it the case that the output is different? Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file /etc/sysconfig/init:
SINGLE=/sbin/sulogin
RHEL-06-000069
RHEL-06-000070 CCI-000213 medium Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. To check whether interactive boot is disabled, run the following commands: $ grep PROMPT /etc/sysconfig/init If interactive boot is disabled, the output will show: PROMPT=no$ grep confirm /etc/grub.conf If interactive boot is disabled, there should be no output. Is it the case that it does not? To disable the ability for users to perform interactive startups, perform both of the following:
  1. Edit the file /etc/sysconfig/init. Add or correct the line:
    PROMPT=no
  2. Inspect the kernel boot arguments (which follow the word kernel) in /etc/grub.conf and ensure the confirm argument is not present.
Both the PROMPT option of the /etc/sysconfig/init file and the confirm kernel boot argument of the /etc/grub.conf file allow the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
RHEL-06-000070
RHEL-06-000071 CCI-000058 low A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The screen package allows for a session lock to be implemented and configured.
Run the following command to determine if the screen package is installed: $ rpm -q screen Is it the case that the package is not installed? To enable console screen locking, install the screen package. The screen package can be installed with the following command:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
RHEL-06-000071
RHEL-06-000073 CCI-NaN medium Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To check if the system login banner is compliant, run the following command: $ cat /etc/issue Is it the case that it does not display the required banner? To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
RHEL-06-000073
RHEL-06-000078 CCI-000366 medium Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. The runtime status of the kernel.randomize_va_space kernel parameter can be queried by running the following command: $ sysctl kernel.randomize_va_space The output of the command should indicate a value of 2. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*kernel.randomize_va_space\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than kernel.randomize_va_space = 2 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains kernel.randomize_va_space = 2, and that one assignment is returned when $ grep -r kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
RHEL-06-000078
RHEL-06-000079 CCI-000366 medium ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 7 systems, run the following command: $ dmesg | grep '[NX|DX]*protection' The output should not contain 'disabled by kernel command line option'. To verify that ExecShield has not been disabled in the kernel configuration, run the following command: $ sudo grep noexec /boot/grub2/grub.cfg The output should not return noexec=off. For 32-bit Red Hat Enterprise Linux 7 systems, run the following command: $ sysctl kernel.exec-shield The output should be: To set the runtime status of the kernel.exec-shield kernel parameter, run the following command: $ sudo sysctl -w kernel.exec-shield=1 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.exec-shield = 1 Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.? By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub. For Red Hat Enterprise Linux 7 32-bit systems, sysctl can be used to enable ExecShield. RHEL-06-000079
RHEL-06-000080 CCI-000366 medium ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.send_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.send_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
RHEL-06-000080
RHEL-06-000081 CCI-000366 medium ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.send_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.send_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
RHEL-06-000081
RHEL-06-000082 CCI-000366 medium Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. The runtime status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.ip_forward\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.ip_forward = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.ip_forward = 0, and that one assignment is returned when $ grep -r net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d is executed. The ability to forward packets is only appropriate for routers. Is it the case that ? To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0
RHEL-06-000082
RHEL-06-000083 CCI-000366 medium Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
RHEL-06-000083
RHEL-06-000084 CCI-000366 medium ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
RHEL-06-000084
RHEL-06-000086 CCI-000366 medium Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.secure_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.secure_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.secure_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.secure_redirects = 0
RHEL-06-000086
RHEL-06-000088 CCI-000366 low The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.log_martians\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.log_martians = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.log_martians = 1, and that one assignment is returned when $ grep -r net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.log_martians = 1
RHEL-06-000088
RHEL-06-000089 CCI-000366 medium Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.accept_source_route = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.accept_source_route = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
RHEL-06-000089
RHEL-06-000090 CCI-000366 medium Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.secure_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.secure_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.secure_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.secure_redirects = 0
RHEL-06-000090
RHEL-06-000091 CCI-000366 low ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
RHEL-06-000091
RHEL-06-000092 CCI-000366 low Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.icmp_echo_ignore_broadcasts = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.icmp_echo_ignore_broadcasts = 1, and that one assignment is returned when $ grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
RHEL-06-000092
RHEL-06-000093 CCI-000366 low Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.icmp_ignore_bogus_error_responses = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.icmp_ignore_bogus_error_responses = 1, and that one assignment is returned when $ grep -r net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_ignore_bogus_error_responses = 1
RHEL-06-000093
RHEL-06-000095 CCI-001095 medium A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.tcp_syncookies\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.tcp_syncookies = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.tcp_syncookies = 1, and that one assignment is returned when $ grep -r net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
RHEL-06-000095
RHEL-06-000096 CCI-000366 medium Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. The runtime status of the net.ipv4.conf.all.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.all.rp_filter = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.all.rp_filter = 1, and that one assignment is returned when $ grep -r net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
RHEL-06-000096
RHEL-06-000097 CCI-000366 medium Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter The output of the command should indicate a value of 1. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.default.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv4.conf.default.rp_filter = 1 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv4.conf.default.rp_filter = 1, and that one assignment is returned when $ grep -r net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1
RHEL-06-000097
RHEL-06-000098 CCI-000366 medium Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. If the system uses IPv6, this is not applicable. If the system is configured to disable the ipv6 kernel module, it will contain a line of the form: options ipv6 disable=1 Such lines may be inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: preserve$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d Is it the case that the ipv6 kernel module is not disabled? To prevent the IPv6 kernel module (ipv6) from binding to the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d):
options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.
RHEL-06-000098
RHEL-06-000099 CCI-000366 medium An illicit ICMP redirect message could result in a man-in-the-middle attack. The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects The output of the command should indicate a value of 0. The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent kernel parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv6.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d If any assignments other than net.ipv6.conf.default.accept_redirects = 0 are found, or the correct assignment is duplicated, remove those offending lines from respective files, and make sure that exactly one file in /etc/sysctl.d contains net.ipv6.conf.default.accept_redirects = 0, and that one assignment is returned when $ grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d is executed. Is it the case that the correct value is not returned? To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
RHEL-06-000099
RHEL-06-000103 CCI-001118 medium The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ sudo service ip6tables status If the service is enabled, it should return the following: ip6tables is running... Is it the case that ? The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on
RHEL-06-000103
RHEL-06-000105 CCI-001117 medium The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ sudo service ip6tables status If the service is enabled, it should return the following: ip6tables is running... Is it the case that ? The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on
RHEL-06-000105
RHEL-06-000106 CCI-001098 medium The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ sudo service ip6tables status If the service is enabled, it should return the following: ip6tables is running... Is it the case that ? The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on
RHEL-06-000106
RHEL-06-000107 CCI-001100 medium The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ sudo service ip6tables status If the service is enabled, it should return the following: ip6tables is running... Is it the case that ? The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on
RHEL-06-000107
RHEL-06-000108 CCI-001097 medium The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ sudo service ip6tables status If the service is enabled, it should return the following: ip6tables is running... Is it the case that ? The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on
RHEL-06-000108
RHEL-06-000109 CCI-001414 medium The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6. If IPv6 is disabled, this is not applicable. Run the following command to determine the current status of the ip6tables service: $ sudo service ip6tables status If the service is enabled, it should return the following: ip6tables is running... Is it the case that ? The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on
RHEL-06-000109
RHEL-06-000113 CCI-001118 medium The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. Run the following command to determine the current status of the iptables service: $ sudo service iptables status If the service is enabled, it should return the following: iptables is running... Is it the case that ? The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on
RHEL-06-000113
RHEL-06-000115 CCI-001117 medium The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. Run the following command to determine the current status of the iptables service: $ sudo service iptables status If the service is enabled, it should return the following: iptables is running... Is it the case that ? The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on
RHEL-06-000115
RHEL-06-000116 CCI-001098 medium The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. Run the following command to determine the current status of the iptables service: $ sudo service iptables status If the service is enabled, it should return the following: iptables is running... Is it the case that ? The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on
RHEL-06-000116
RHEL-06-000117 CCI-001100 medium The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. Run the following command to determine the current status of the iptables service: $ sudo service iptables status If the service is enabled, it should return the following: iptables is running... Is it the case that ? The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on
RHEL-06-000117
RHEL-06-000118 CCI-001097 medium The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. Run the following command to determine the current status of the iptables service: $ sudo service iptables status If the service is enabled, it should return the following: iptables is running... Is it the case that ? The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on
RHEL-06-000118
RHEL-06-000119 CCI-001414 medium The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP. Run the following command to determine the current status of the iptables service: $ sudo service iptables status If the service is enabled, it should return the following: iptables is running... Is it the case that ? The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on
RHEL-06-000119
RHEL-06-000120 CCI-000066 medium In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/iptables Is it the case that the default policy for the INPUT chain is not set to DROP? To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
RHEL-06-000120
RHEL-06-000121 CCI-001115 medium In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/iptables Is it the case that the default policy for the INPUT chain is not set to DROP? To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
RHEL-06-000121
RHEL-06-000122 CCI-001154 medium In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/iptables Is it the case that the default policy for the INPUT chain is not set to DROP? To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
RHEL-06-000122
RHEL-06-000124 CCI-000382 medium Disabling DCCP protects the system against exploitation of any flaws in its implementation. If the system is configured to prevent the loading of the dccp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install dccp /bin/true
RHEL-06-000124
RHEL-06-000125 CCI-000382 medium Disabling SCTP protects the system against exploitation of any flaws in its implementation. If the system is configured to prevent the loading of the sctp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/true
RHEL-06-000125
RHEL-06-000126 CCI-000382 low Disabling RDS protects the system against exploitation of any flaws in its implementation. If the system is configured to prevent the loading of the rds kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r rds /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install rds /bin/true
RHEL-06-000126
RHEL-06-000127 CCI-000382 medium Disabling TIPC protects the system against exploitation of any flaws in its implementation. If the system is configured to prevent the loading of the tipc kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/true
RHEL-06-000127
RHEL-06-000133 CCI-001314 medium The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the owner of a given log file, run the following command: $ ls -l LOGFILE Is it the case that the owner is not correct? The owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not , run the following command to correct this:
$ sudo chown  LOGFILE
RHEL-06-000133
RHEL-06-000134 CCI-001314 medium The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the group-owner of a given log file, run the following command: $ ls -l LOGFILE Is it the case that the group-owner is not correct? The group-owner of all log files written by rsyslog should be . These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner:
$ ls -l LOGFILE
If the owner is not , run the following command to correct this:
$ sudo chgrp  LOGFILE
RHEL-06-000134
RHEL-06-000135 CCI-001314 medium Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value. The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the permissions of a given log file, run the following command: $ ls -l LOGFILE The permissions should be 600, or more restrictive. Is it the case that the permissions are not correct? The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
$ sudo chmod 0600 LOGFILE
"
RHEL-06-000135
RHEL-06-000136 CCI-001348 medium A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present: *.* @ If using TCP, a line similar to the following should be present: *.* @@ If using RELP, a line similar to the following should be present: *.* :omrelp: Is it the case that none of these are present? To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @

To use TCP for log message delivery:
*.* @@

To use RELP for log message delivery:
*.* :omrelp:

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
RHEL-06-000136
RHEL-06-000137 CCI-000169 medium A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present: *.* @ If using TCP, a line similar to the following should be present: *.* @@ If using RELP, a line similar to the following should be present: *.* :omrelp: Is it the case that none of these are present? To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @

To use TCP for log message delivery:
*.* @@

To use RELP for log message delivery:
*.* :omrelp:

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
RHEL-06-000137
RHEL-06-000138 CCI-000366 low Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. To determine the status and frequency of logrotate, run the following command: $ sudo grep logrotate /var/log/cron* If logrotate is configured properly, output should include references to /etc/cron.daily. Is it the case that logrotate is not configured to run daily? The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:
# rotate log files frequency
daily
RHEL-06-000138
RHEL-06-000139 CCI-000347 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000139
RHEL-06-000142 CCI-000880 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000142
RHEL-06-000143 CCI-001353 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000143
RHEL-06-000145 CCI-001487 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000145
RHEL-06-000148 CCI-000067 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000148
RHEL-06-000149 CCI-000158 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000149
RHEL-06-000151 CCI-001190 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000151
RHEL-06-000154 CCI-000130 medium Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Run the following command to determine the current status of the auditd service: $ sudo service auditd status If the service is enabled, it should return the following: auditd is running... Is it the case that ? The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo chkconfig --level 2345 auditd on
RHEL-06-000154
RHEL-06-000157 CCI-001464 low Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. Inspect the kernel boot arguments (which follow the word kernel) in /etc/grub.conf. If they include audit=1, then auditing is enabled at boot time. Is it the case that auditing is not enabled at boot time? To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
RHEL-06-000157
RHEL-06-000159 CCI-000366 medium The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. Inspect /etc/audit/auditd.conf and locate the following line to determine how many logs the system is configured to retain after rotation: $ sudo grep num_logs /etc/audit/auditd.conf num_logs = 5 Is it the case that the system log file retention has not been properly configured? Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of :
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
RHEL-06-000159
RHEL-06-000160 CCI-000366 medium The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. Inspect /etc/audit/auditd.conf and locate the following line to determine how much data the system will retain in each audit log file: $ sudo grep max_log_file /etc/audit/auditd.conf max_log_file = 6 Is it the case that the system audit data threshold has not been properly configured? Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
RHEL-06-000160
RHEL-06-000161 CCI-000366 medium Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: $ sudo grep max_log_file_action /etc/audit/auditd.conf max_log_file_action rotate Is it the case that the system has not been properly configured to rotate audit logs? The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
RHEL-06-000161
RHEL-06-999999 CCI-000366 medium Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either suspend, switch to single user mode, or halt when disk space has run low: admin_space_left_action single Is it the case that the system is not configured to switch to single user mode for corrective action? The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
RHEL-06-999999
RHEL-06-000165 CCI-000169 low Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. To determine if the system is configured to audit calls to the adjtimex system call, run the following command: preserve$ sudo grep "adjtimex" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
RHEL-06-000165
RHEL-06-000167 CCI-000169 low Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. To determine if the system is configured to audit calls to the settimeofday system call, run the following command: preserve$ sudo grep "settimeofday" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
RHEL-06-000167
RHEL-06-000169 CCI-000169 low Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. If the system is not configured to audit time changes, this is a finding. If the system is 64-bit only, this is not applicable ocil: | To determine if the system is configured to audit calls to the stime system call, run the following command: preserve$ sudo grep "stime" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
RHEL-06-000169
RHEL-06-000171 CCI-000169 low Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. To determine if the system is configured to audit calls to the clock_settime system call, run the following command: preserve$ sudo grep "clock_settime" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
RHEL-06-000171
RHEL-06-000173 CCI-000169 low Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo auditctl -l | grep "watch=/etc/localtime" If the system is configured to audit this activity, it will return a line. Is it the case that the system is not configured to audit time changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
RHEL-06-000173
RHEL-06-000174 CCI-000018 low In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
RHEL-06-000174
RHEL-06-000175 CCI-001403 low In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
RHEL-06-000175
RHEL-06-000176 CCI-001404 low In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
RHEL-06-000176
RHEL-06-000177 CCI-001405 low In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. To determine if the system is configured to audit account changes, run the following command: auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). Is it the case that the system is not configured to audit account changes? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
RHEL-06-000177
RHEL-06-000182 CCI-000366 low The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. To determine if the system is configured to audit changes to its network configuration, run the following command: auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and perm=wa should be indicated for each). Is it the case that the system is not configured to audit changes of the network configuration? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
RHEL-06-000182
RHEL-06-000183 CCI-000366 low The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo auditctl -l | grep "dir=/etc/selinux" If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including perm=wa indicating permissions that are watched). Is it the case that the system is not configured to audit attempts to change the MAC policy? If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
RHEL-06-000183
RHEL-06-000184 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the chmod system call, run the following command: preserve$ sudo grep "chmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000184
RHEL-06-000185 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the chown system call, run the following command: preserve$ sudo grep "chown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000185
RHEL-06-000186 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchmod system call, run the following command: preserve$ sudo grep "fchmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000186
RHEL-06-000187 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchmodat system call, run the following command: preserve$ sudo grep "fchmodat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000187
RHEL-06-000188 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchown system call, run the following command: preserve$ sudo grep "fchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000188
RHEL-06-000189 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fchownat system call, run the following command: preserve$ sudo grep "fchownat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000189
RHEL-06-000190 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fremovexattr system call, run the following command: preserve$ sudo grep "fremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000190
RHEL-06-000191 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the fsetxattr system call, run the following command: preserve$ sudo grep "fsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000191
RHEL-06-000192 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lchown system call, run the following command: preserve$ sudo grep "lchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000192
RHEL-06-000193 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lremovexattr system call, run the following command: preserve$ sudo grep "lremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000193
RHEL-06-000194 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the lsetxattr system call, run the following command: preserve$ sudo grep "lsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000194
RHEL-06-000195 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the removexattr system call, run the following command: preserve$ sudo grep "removexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000195
RHEL-06-000196 CCI-000172 low The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. To determine if the system is configured to audit calls to the setxattr system call, run the following command: preserve$ sudo grep "setxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=unset -F key=perm_mod
RHEL-06-000196
RHEL-06-000197 CCI-000172 low Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. To verify that the audit system collects unauthorized file accesses, run the following commands: $ sudo grep EACCES /etc/audit/audit.rules $ sudo grep EPERM /etc/audit/audit.rules Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM? At a minimum the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=500 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=500 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=500 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=500 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=500 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=500 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=500 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=500 -F auid!=unset -F key=access
RHEL-06-000197
RHEL-06-000198 CCI-000040 low Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
To verify that auditing of privileged command use is configured, run the following command for each local partition PART to find relevant setuid / setgid programs: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: $ sudo grep path /etc/audit/audit.rules It should be the case that all relevant setuid / setgid programs have a line in the audit rules. Is it the case that it is not the case? At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=unset -F key=special-config-changes
RHEL-06-000198
RHEL-06-000199 CCI-000172 low The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. To verify that auditing is configured for all media exportation events, run the following command: $ sudo auditctl -l | grep syscall | grep mount Is it the case that there is not output? At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=unset -F key=export
RHEL-06-000199
RHEL-06-000200 CCI-000172 low Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. To determine if the system is configured to audit calls to the rmdir system call, run the following command: preserve$ sudo grep "rmdir" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the unlink system call, run the following command: preserve$ sudo grep "unlink" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the unlinkat system call, run the following command: preserve$ sudo grep "unlinkat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the rename system call, run the following command: preserve$ sudo grep "rename" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the renameat system call, run the following command: preserve$ sudo grep "renameat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? At a minimum the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=500 -F auid!=unset -F key=delete
RHEL-06-000200
RHEL-06-000201 CCI-000172 low The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" Is it the case that there is not output? At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
RHEL-06-000201
RHEL-06-000202 CCI-000172 medium The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To determine if the system is configured to audit calls to the init_module system call, run the following command: preserve$ sudo grep "init_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the delete_module system call, run the following command: preserve$ sudo grep "delete_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules

The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.
RHEL-06-000202
RHEL-06-000203 CCI-000382 medium The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. If network services are using the xinetd service, this is not applicable. To check that the xinetd service is disabled in system boot configuration, run the following command: $ sudo chkconfig xinetd --list Output should indicate the xinetd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig xinetd --list xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify xinetd is disabled through current runtime configuration: $ sudo service xinetd status If the service is disabled the command will return the following output: xinetd is stopped Is it the case that ? The xinetd service can be disabled with the following command:
$ sudo chkconfig xinetd off
RHEL-06-000203
RHEL-06-000204 CCI-000382 low Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. Run the following command to determine if the xinetd package is installed: $ rpm -q xinetd Is it the case that the package is installed? The xinetd package can be removed with the following command:
$ sudo yum erase xinetd
RHEL-06-000204
RHEL-06-000206 CCI-000381 high It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
Run the following command to determine if the telnet-server package is installed: $ rpm -q telnet-server Is it the case that the package is installed? The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server
RHEL-06-000206
RHEL-06-000213 CCI-000381 high The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. Run the following command to determine if the rsh-server package is installed: $ rpm -q rsh-server Is it the case that the package is installed? The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server
RHEL-06-000213
RHEL-06-000214 CCI-000068 high The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. Is it the case that service and/or socket are running? The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. RHEL-06-000214
RHEL-06-000216 CCI-000068 high The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. Is it the case that service and/or socket are running? The rexec service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rexec. RHEL-06-000216
RHEL-06-000218 CCI-001436 high The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. Is it the case that service and/or socket are running? The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. RHEL-06-000218
RHEL-06-000220 CCI-000381 medium The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. Run the following command to determine if the ypserv package is installed: $ rpm -q ypserv Is it the case that the package is installed? The ypserv package can be removed with the following command:
$ sudo yum erase ypserv
RHEL-06-000220
RHEL-06-000221 CCI-000382 medium Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain. This service should be disabled unless in use. To check that the ypbind service is disabled in system boot configuration, run the following command: $ sudo chkconfig ypbind --list Output should indicate the ypbind service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig ypbind --list ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify ypbind is disabled through current runtime configuration: $ sudo service ypbind status If the service is disabled the command will return the following output: ypbind is stopped Is it the case that ? The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ypbind service can be disabled with the following command:
$ sudo chkconfig ypbind off
RHEL-06-000221
RHEL-06-000222 CCI-000381 medium Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
Run the following command to determine if the tftp-server package is installed: $ rpm -q tftp-server Is it the case that the package is installed? The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
RHEL-06-000222
RHEL-06-000223 CCI-001436 medium Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication. To check that the tftp service is disabled in system boot configuration, run the following command: $ sudo chkconfig tftp --list Output should indicate the tftp service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig tftp --list tftp 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify tftp is disabled through current runtime configuration: $ sudo service tftp status If the service is disabled the command will return the following output: tftp is stopped Is it the case that ? The tftp service should be disabled. The tftp service can be disabled with the following command:
$ sudo chkconfig tftp off
RHEL-06-000223
RHEL-06-000224 CCI-000366 medium Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. Run the following command to determine the current status of the crond service: $ sudo service crond status If the service is enabled, it should return the following: crond is running... Is it the case that ? The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:
$ sudo chkconfig --level 2345 crond on
RHEL-06-000224
RHEL-06-000227 CCI-000774 high SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. To check which SSH protocol version is allowed, check version of openssh-server with following command: $ rpm -qi openssh-server | grep Version Versions equal to or higher than 7.4 only allow Protocol 2. If version is lower than 7.4, run the following command to check configuration: $ sudo grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 Is it the case that it is commented out or is not set correctly to Protocol 2? Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
RHEL-06-000227
RHEL-06-000230 CCI-001133 low Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. Run the following command to see what the timeout interval is: $ sudo grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval Is it the case that it is commented out or not configured properly? SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
RHEL-06-000230
RHEL-06-000231 CCI-000879 low This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. To ensure the SSH idle timeout will occur when the ClientAliveInterval is set, run the following command: $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, output should be: ClientAliveCountMax Is it the case that it is commented out or not configured properly? To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 
RHEL-06-000231
RHEL-06-000234 CCI-000766 medium SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: $ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value yes is returned, then the required value is set. Is it the case that the required value is not set? SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
RHEL-06-000234
RHEL-06-000235 CCI-000765 medium SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command: $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
RHEL-06-000235
RHEL-06-000236 CCI-000766 medium SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command: $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
RHEL-06-000236
RHEL-06-000237 CCI-000770 medium Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. To determine how the SSH daemon's PermitRootLogin option is set, run the following command: $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
RHEL-06-000237
RHEL-06-000239 CCI-000766 high Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: $ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config If no line, a commented line, or a line indicating the value no is returned, then the required value is set. Is it the case that the required value is not set? To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
RHEL-06-000239
RHEL-06-000240 CCI-000048 medium The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To determine how the SSH daemon's Banner option is set, run the following command: $ sudo grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. Is it the case that the required value is not set? To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
RHEL-06-000240
RHEL-06-000241 CCI-001414 low SSH environment options potentially allow users to bypass access restriction in some configurations. To ensure users are not able to send environment variables, run the following command: $ sudo grep PermitUserEnvironment /etc/ssh/sshd_config If properly configured, output should be: PermitUserEnvironment no Is it the case that PermitUserEnvironment is not disabled? To ensure users are not able to override environment variables of the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
RHEL-06-000241
RHEL-06-000243 CCI-001144 medium Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 6.
Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are FIPS-approved. Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers. The rule is parametrized to use the following ciphers: .
RHEL-06-000243
RHEL-06-000244 CCI-001145 medium Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 6.
Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are FIPS-approved. Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers. The rule is parametrized to use the following ciphers: .
RHEL-06-000244
RHEL-06-000245 CCI-001146 medium Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 6.
Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are FIPS-approved. Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers. The rule is parametrized to use the following ciphers: .
RHEL-06-000245
RHEL-06-000246 CCI-000366 low Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. To check that the avahi-daemon service is disabled in system boot configuration, run the following command: $ sudo chkconfig avahi-daemon --list Output should indicate the avahi-daemon service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig avahi-daemon --list avahi-daemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify avahi-daemon is disabled through current runtime configuration: $ sudo service avahi-daemon status If the service is disabled the command will return the following output: avahi-daemon is stopped Is it the case that ? The avahi-daemon service can be disabled with the following command:
$ sudo chkconfig avahi-daemon off
RHEL-06-000246
RHEL-06-000247 CCI-000160 medium Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.
Run the following command to determine the current status of the ntpd service: $ sudo service ntpd status If the service is enabled, it should return the following: ntpd is running... Is it the case that ? The ntpd service can be enabled with the following command:
$ sudo chkconfig --level 2345 ntpd on
RHEL-06-000247
RHEL-06-000248 CCI-000160 medium Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. To verify that a remote NTP service is configured for time synchronization, open the following file: /etc/ntp.conf In the file, there should be a section similar to the following: server ntpserver Is it the case that this is not the case? To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data.
RHEL-06-000248
RHEL-06-000249 CCI-000382 medium This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack. Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only . Is it the case that it does not? Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = 
RHEL-06-000249
RHEL-06-000252 CCI-001453 medium Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. To ensure LDAP is configured to use TLS for all transactions, run the following command: $ grep start_tls /etc/pam_ldap.conf The result should contain: ssl start_tls Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? This check verifies cryptography has been implemented to protect the integrity of remote LDAP authentication sessions.

To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig


If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command:
$ sudo grep -i ssl /etc/pam_ldap.conf
RHEL-06-000252
RHEL-06-000253 CCI-000776 medium The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. To ensure TLS is configured with trust certificates, run the following command: $ grep cert /etc/nslcd.conf Is it the case that LDAP is not in use, the line is commented out, or not configured correctly? Ensure a copy of a trusted CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file /etc/pam_ldap.conf, and add or correct either of the following lines:
tls_cacertdir /etc/pki/tls/CA
or
tls_cacertfile /etc/pki/tls/CA/cacert.pem
Then review the LDAP server and ensure TLS has been configured.
RHEL-06-000253
RHEL-06-000256 CCI-000366 low Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. To verify the openldap-servers package is not installed, run the following command: $ rpm -q openldap-servers The output should show the following: package openldap-servers is not installed Is it the case that it does not? The openldap-servers RPM is not installed by default on a Red Hat Enterprise Linux 6 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. RHEL-06-000256
RHEL-06-000257 CCI-000057 medium Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby. To check the current idle time-out value, run the following command: $ gconftool-2 -g /desktop/gnome/session/idle_delay If properly configured, the output should be . Is it the case that it is not? Run the following command to set the idle time-out value for inactivity in the GNOME desktop to minutes:
$ sudo gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /desktop/gnome/session/idle_delay 
RHEL-06-000257
RHEL-06-000258 CCI-000057 medium Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. To check the screensaver mandatory use status, run the following command: $ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled If properly configured, the output should be true. Is it the case that it is not? Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:
$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true
RHEL-06-000258
RHEL-06-000259 CCI-000057 medium Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby. To check the status of the idle screen lock activation, run the following command: $ gconftool-2 -g /apps/gnome-screensaver/lock_enabled If properly configured, the output should be true. Is it the case that it is not? Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:
$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true
RHEL-06-000259
RHEL-06-000260 CCI-000060 low Setting the screensaver mode to blank-only conceals the contents of the display from passersby. To ensure the screensaver is configured to be blank, run the following command: $ gconftool-2 -g /apps/gnome-screensaver/mode If properly configured, the output should be blank-only Is it the case that it is not? Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:
$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gnome-screensaver/mode blank-only
RHEL-06-000260
RHEL-06-000261 CCI-000382 low Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. To check that the abrtd service is disabled in system boot configuration, run the following command: $ sudo chkconfig abrtd --list Output should indicate the abrtd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig abrtd --list abrtd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify abrtd is disabled through current runtime configuration: $ sudo service abrtd status If the service is disabled the command will return the following output: abrtd is stopped Is it the case that ? The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrtd service can be disabled with the following command:
$ sudo chkconfig abrtd off
RHEL-06-000261
RHEL-06-000262 CCI-000382 low The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common. To check that the atd service is disabled in system boot configuration, run the following command: $ sudo chkconfig atd --list Output should indicate the atd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig atd --list atd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify atd is disabled through current runtime configuration: $ sudo service atd status If the service is disabled the command will return the following output: atd is stopped Is it the case that ? The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time. The atd service can be disabled with the following command:
$ sudo chkconfig atd off
RHEL-06-000262
RHEL-06-000263 CCI-001250 low Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
To check that the autofs service is disabled in system boot configuration, run the following command: $ sudo chkconfig autofs --list Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig autofs --list autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify autofs is disabled through current runtime configuration: $ sudo service autofs status If the service is disabled the command will return the following output: autofs is stopped Is it the case that ? The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo chkconfig autofs off
RHEL-06-000263
RHEL-06-000265 CCI-000382 low The ntpdate service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated. To check that the ntpdate service is disabled in system boot configuration, run the following command: $ sudo chkconfig ntpdate --list Output should indicate the ntpdate service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig ntpdate --list ntpdate 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify ntpdate is disabled through current runtime configuration: $ sudo service ntpdate status If the service is disabled the command will return the following output: ntpdate is stopped Is it the case that ? The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time. The ntpdate service can be disabled with the following command:
$ sudo chkconfig ntpdate off
RHEL-06-000265
RHEL-06-000266 CCI-000382 low The oddjobd service may provide necessary functionality in some environments, and can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues. To check that the oddjobd service is disabled in system boot configuration, run the following command: $ sudo chkconfig oddjobd --list Output should indicate the oddjobd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig oddjobd --list oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify oddjobd is disabled through current runtime configuration: $ sudo service oddjobd status If the service is disabled the command will return the following output: oddjobd is stopped Is it the case that ? The oddjobd service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd through the system message bus. The oddjobd service can be disabled with the following command:
$ sudo chkconfig oddjobd off
RHEL-06-000266
RHEL-06-000267 CCI-000382 low The qpidd service is automatically installed when the base package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the qpidd service is not needed and should be disabled or removed. To check that the qpidd service is disabled in system boot configuration, run the following command: $ sudo chkconfig qpidd --list Output should indicate the qpidd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig qpidd --list qpidd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify qpidd is disabled through current runtime configuration: $ sudo service qpidd status If the service is disabled the command will return the following output: qpidd is stopped Is it the case that ? The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The qpidd service can be disabled with the following command:
$ sudo chkconfig qpidd off
RHEL-06-000267
RHEL-06-000268 CCI-000382 low General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. To check that the rdisc service is disabled in system boot configuration, run the following command: $ sudo chkconfig rdisc --list Output should indicate the rdisc service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig rdisc --list rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify rdisc is disabled through current runtime configuration: $ sudo service rdisc status If the service is disabled the command will return the following output: rdisc is stopped Is it the case that ? The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The rdisc service can be disabled with the following command:
$ sudo chkconfig rdisc off
RHEL-06-000268
RHEL-06-000269 CCI-000366 medium Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. To verify the nodev option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the nodev setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. RHEL-06-000269
RHEL-06-000270 CCI-000366 medium NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. To verify the nosuid option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. RHEL-06-000270
RHEL-06-000271 CCI-000087 low Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. To verify that binaries cannot be directly executed from removable media, run the following command: $ grep -v noexec /etc/fstab The resulting output will show partitions which do not have the noexec flag. Verify all partitions in the output are not removable media. Is it the case that removable media partitions are present? The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. RHEL-06-000271
RHEL-06-000272 CCI-000366 low Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. To verify that Samba clients running smbclient must use packet signing, run the following command: $ grep signing /etc/samba/smb.conf The output should show: client signing = mandatory Is it the case that it is not? To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory
Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing.
RHEL-06-000272
RHEL-06-000273 CCI-000366 low Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. To verify that Samba clients using mount.cifs must use packet signing, run the following command: $ grep sec /etc/fstab The output should show either krb5i or ntlmv2i in use. Is it the case that it does not? Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used.

See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.
RHEL-06-000273
RHEL-06-000274 CCI-000200 medium Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. To verify the password reuse setting is compliant, run the following command: $ grep remember /etc/pam.d/system-auth The output should show the following at the end of the line: remember= Is it the case that the value of remember is not set equal to or greater than the expected setting? Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=
The DoD STIG requirement is 5 passwords.
RHEL-06-000274
RHEL-06-000275 CCI-001019 low The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. Check the system partitions to determine if they are encrypted with the following command: blkid Output will be similar to: /dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2 " TYPE="crypto_LUKS" /dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2 " TYPE="crypto_LUKS" Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 6 Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html.
RHEL-06-000275
RHEL-06-000276 CCI-001199 low The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. Check the system partitions to determine if they are encrypted with the following command: blkid Output will be similar to: /dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2 " TYPE="crypto_LUKS" /dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2 " TYPE="crypto_LUKS" Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 6 Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html.
RHEL-06-000276
RHEL-06-000277 CCI-001200 low The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. Check the system partitions to determine if they are encrypted with the following command: blkid Output will be similar to: /dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2 " TYPE="crypto_LUKS" /dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2 " TYPE="crypto_LUKS" Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 6 Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html.
RHEL-06-000277
RHEL-06-000282 CCI-000366 medium Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files. To find world-writable files, run the following command: $ sudo find / -xdev -type f -perm -002 Is it the case that there is output? It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs. RHEL-06-000282
RHEL-06-000284 CCI-001668 high Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. Is it the case that there is no anti-virus solution installed on the system? Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail. RHEL-06-000284
RHEL-06-000285 CCI-001263 medium Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network. Inspect the system to determine if intrusion detection software has been installed. Verify this intrusion detection software is active. Is it the case that no host-based intrusion detection tools are installed? The base Red Hat Enterprise Linux 6 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. RHEL-06-000285
RHEL-06-000286 CCI-000366 high A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Del sequence is reduced because the user will be prompted before any action is taken. NOTE: When updating the initscripts package on a Red Hat Enterprise Linux 6 system, custom changes to /etc/init/control-alt-delete.conf may be overwritten. Refer to https://access.redhat.com/site/solutions/70464 for additional information. To ensure the system is configured to log a message instead of rebooting the system when Ctrl-Alt-Del is pressed, ensure the following line is in /etc/init/control-alt-delete.conf: exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed" Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? By default, the system includes the following line in /etc/init/control-alt-delete.conf to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

To configure the system to log a message instead of rebooting the system, alter that line to read as follows:
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
RHEL-06-000286
RHEL-06-000287 CCI-000366 low Local mail delivery is essential to some system maintenance and notification tasks. Run the following command to determine the current status of the postfix service: $ sudo service postfix status If the service is enabled, it should return the following: postfix is running... Is it the case that the system is not a cross domain solution and the service is not enabled? The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The postfix service can be enabled with the following command:
$ sudo chkconfig --level 2345 postfix on
RHEL-06-000287
RHEL-06-000288 CCI-000366 medium The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. Run the following command to determine if the sendmail package is installed: $ rpm -q sendmail Is it the case that the package is installed? Sendmail is not the default mail transfer agent and is not installed by default. The sendmail package can be removed with the following command:
$ sudo yum erase sendmail
RHEL-06-000288
RHEL-06-000289 CCI-000382 low The netconsole service is not necessary unless there is a need to debug kernel panics, which is not common. To check that the netconsole service is disabled in system boot configuration, run the following command: $ sudo chkconfig netconsole --list Output should indicate the netconsole service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig netconsole --list netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify netconsole is disabled through current runtime configuration: $ sudo service netconsole status If the service is disabled the command will return the following output: netconsole is stopped Is it the case that ? The netconsole service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The netconsole service can be disabled with the following command:
$ sudo chkconfig netconsole off
RHEL-06-000289
RHEL-06-000290 CCI-001436 medium Unnecessary services should be disabled to decrease the attack surface of the system. To verify the default runlevel is 3, run the following command: $ grep initdefault /etc/inittab The output should show the following: id:3:initdefault: Is it the case that it does not? Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in /etc/inittab features a 3 as shown:
id:3:initdefault:
RHEL-06-000290
RHEL-06-000291 CCI-NaN low Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common
RHEL-06-000291
RHEL-06-000292 CCI-000366 medium DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances. To verify that DHCP is not being used, examine the following file for each interface: # /etc/sysconfig/network-scripts/ifcfg-interface Look for the following: BOOTPROTO=none and the following, substituting the appropriate values based on your site's addressing scheme: NETMASK=255.255.255.0 IPADDR=192.168.1.2 GATEWAY=192.168.1.1 Is it the case that it does not? For each interface on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-interface and make the following changes:
  • Correct the BOOTPROTO line to read:
    BOOTPROTO=none
  • Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:
    NETMASK=255.255.255.0
    IPADDR=192.168.1.2
    GATEWAY=192.168.1.1
RHEL-06-000292
RHEL-06-000294 CCI-000366 low If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: $ sudo pwck -qr There should be no output. Is it the case that GIFs referenced in /etc/passwd are returned as not defined in /etc/group? Add a group to the system for each GID referenced without a corresponding group. RHEL-06-000294
RHEL-06-000296 CCI-000804 low Unique usernames allow for accountability on the system. To verify all accounts have unique names, run the following command: $ sudo getent passwd | awk -F: '{ print $1}' | uniq -d No output should be returned. Is it the case that a line is returned? Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command:
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
If a username is returned, change or delete the username.
RHEL-06-000296
RHEL-06-000299 CCI-000366 low Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth Look for the value of the maxrepeat parameter. The DoD requirement is 3. Is it the case that maxrepeat is not found or not set to the required value? The pam_cracklib module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add maxrepeat= after pam_cracklib.so to prevent a run of ( + 1) or more identical characters:
password required pam_cracklib.so maxrepeat=
RHEL-06-000299
RHEL-06-000300 CCI-000224 low Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. The following command will discover and print any files on local partitions which do not belong to a valid user. $ sudo find / -xdev -fstype local -nouser Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command: $ sudo chown user file Is it the case that files exist that are not owned by a valid user? If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. RHEL-06-000300
RHEL-06-000301 CCI-000224 low Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. The following command will discover and print any files on local partitions which do not belong to a valid group. $ sudo find / -xdev -fstype local -nogroup Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command: $ sudo chgrp group file Is it the case that there is output? If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. RHEL-06-000301
RHEL-06-000302 CCI-000374 medium By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
RHEL-06-000302
RHEL-06-000303 CCI-000416 medium By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
RHEL-06-000303
RHEL-06-000304 CCI-001069 medium By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
RHEL-06-000304
RHEL-06-000305 CCI-001263 medium By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
RHEL-06-000305
RHEL-06-000306 CCI-001297 medium By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
RHEL-06-000306
RHEL-06-000307 CCI-001589 medium By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that there is no output? At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
RHEL-06-000307
RHEL-06-000308 CCI-000366 low A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. To verify that core dumps are disabled for all users, run the following command: $ grep core /etc/security/limits.conf The output should be: * hard core 0 Is it the case that it is not? To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:
*     hard   core    0
RHEL-06-000308
RHEL-06-000309 CCI-000764 high Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. To verify insecure file locking has been disabled, run the following command: $ grep insecure_locks /etc/exports Is it the case that there is output? By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports. RHEL-06-000309
RHEL-06-000311 CCI-000143 medium Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action /etc/audit/auditd.conf space_left_action Acceptable values are email, suspend, single, and halt. Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low? The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
RHEL-06-000311
RHEL-06-000313 CCI-000139 medium Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = root Is it the case that auditd is not configured to send emails per identified actions? The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = 
RHEL-06-000313
RHEL-06-000315 CCI-000085 medium If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. If the system is configured to prevent the loading of the bluetooth kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
RHEL-06-000315
RHEL-06-000317 CCI-001250 medium USB storage devices such as thumb drives can be used to introduce malicious software. If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
RHEL-06-000317
RHEL-06-000319 CCI-000054 low Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. Run the following command to ensure the maxlogins value is configured for all users on the system: # grep "maxlogins" /etc/security/limits.conf You should receive output similar to the following: *\t\thard\tmaxlogins\t Is it the case that maxlogins is not equal to or less than the expected value? Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:
* hard maxlogins 
RHEL-06-000319
RHEL-06-000320 CCI-001109 medium In iptables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Run the following command to ensure the default FORWARD policy is DROP: grep ":FORWARD" /etc/sysconfig/iptables The output should be similar to the following: $ sudo grep ":FORWARD" /etc/sysconfig/iptables :FORWARD DROP [0:0 Is it the case that the default policy for the FORWARD chain is not set to DROP? To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in /etc/sysconfig/iptables:
:FORWARD DROP [0:0]
RHEL-06-000320
RHEL-06-000321 CCI-001130 low Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan Is it the case that the package is not installed? The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The libreswan package can be installed with the following command:
$ sudo yum install libreswan
RHEL-06-000321
RHEL-06-000324 CCI-000050 medium An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. To ensure a login warning banner is enabled, run the following: $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_enable Search for the banner_message_enable schema. If properly configured, the default value should be true. Is it the case that it is not? To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:
$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true
To display a banner, this setting must be enabled and then banner text must also be set.
RHEL-06-000324
RHEL-06-000326 CCI-NaN medium An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. To ensure the login warning banner text is properly set, run the following: $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_text If properly configured, the proper banner text will appear within this schema. Is it the case that it does not? To set the text shown by the GNOME Display Manager in the login screen, run the following command:
$ sudo gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type string \
  --set /apps/gdm/simple-greeter/banner_message_text \
  "Text of the warning banner here"
When entering a warning banner that spans several lines, remember to begin and end the string with ". This command writes directly either to the /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml if it exists or to the file /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml. Either of these files can later be edited directly if necessary.
RHEL-06-000326
RHEL-06-000331 CCI-000085 medium Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range. To check that the bluetooth service is disabled in system boot configuration, run the following command: $ sudo chkconfig bluetooth --list Output should indicate the bluetooth service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig bluetooth --list bluetooth 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify bluetooth is disabled through current runtime configuration: $ sudo service bluetooth status If the service is disabled the command will return the following output: bluetooth is stopped Is it the case that ? The bluetooth service can be disabled with the following command:
$ sudo chkconfig bluetooth off
$ sudo service bluetooth stop
RHEL-06-000331
RHEL-06-000334 CCI-000017 low Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. To verify the INACTIVE setting, run the following command: $ grep "INACTIVE" /etc/default/useradd The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below: $ grep "INACTIVE" /etc/default/useradd INACTIVE= Is it the case that the value of INACTIVE is greater than the expected value? To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:
INACTIVE=
A value of 35 is recommended; however, this profile expects that the value is set to . If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
RHEL-06-000334
RHEL-06-000335 CCI-000795 low Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. To verify the INACTIVE setting, run the following command: $ grep "INACTIVE" /etc/default/useradd The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below: $ grep "INACTIVE" /etc/default/useradd INACTIVE= Is it the case that the value of INACTIVE is greater than the expected value? To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:
INACTIVE=
A value of 35 is recommended; however, this profile expects that the value is set to . If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
RHEL-06-000335
RHEL-06-000336 CCI-000366 low Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
To find world-writable directories that lack the sticky bit, run the following command: $ sudo find / -xdev -type d -perm 002 ! -perm 1000 Is it the case that any world-writable directories are missing the sticky bit? When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
RHEL-06-000336
RHEL-06-000337 CCI-000366 low Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition PART: $ sudo find PART -xdev -type d -perm -0002 -uid +499 -print Is it the case that there is output? All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. RHEL-06-000337
RHEL-06-000338 CCI-000366 high Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. If TFTP is not installed, this is not applicable. To determine if TFTP is installed, run the following command: $ rpm -qa | grep tftp Verify tftp is configured by with the -s option by running the following command: grep "server_args" /etc/xinetd.d/tftp The output should indicate the server_args variable is configured with the -s flag, matching the example below: $ grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot Is it the case that this flag is missing? If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):
server_args = -s /var/lib/tftpboot
RHEL-06-000338
RHEL-06-000339 CCI-000130 low To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log. Find if logging is applied to the FTP daemon. Procedures: If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file: $ grep vsftpd /etc/xinetd.d/* $ grep server_args vsftpd xinetd.d startup file This will indicate the vsftpd config file used when starting through xinetd. If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. $ sudo grep xferlog_enable vsftpd config file Is it the case that xferlog_enable is missing, or is not set to yes? Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf:
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
RHEL-06-000339
RHEL-06-000340 CCI-000366 medium Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. To ensure only SNMPv3 or newer is used, run the following command: $ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#" There should be no output. Is it the case that there is output? Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec. Upon doing that, restart the SNMP service:
$ sudo service snmpd restart
RHEL-06-000340
RHEL-06-000341 CCI-000366 high Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s). To ensure the default password is not set, run the following command: $ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' There should be no output. Is it the case that the default SNMP passwords public and private have not been changed or removed? Edit /etc/snmp/snmpd.conf, remove or change the default community strings of public and private. Once the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart
RHEL-06-000341
RHEL-06-000342 CCI-000366 low The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. Verify the umask setting is configured correctly in the /etc/bashrc file by running the following command: # grep "umask" /etc/bashrc All output must show the value of umask set as shown below: # grep "umask" /etc/bashrc umask umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:
umask 
RHEL-06-000342
RHEL-06-000343 CCI-000366 low The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. Verify the umask setting is configured correctly in the /etc/csh.cshrc file by running the following command: # grep "umask" /etc/csh.cshrc All output must show the value of umask set as shown in the below: # grep "umask" /etc/csh.cshrc umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 
RHEL-06-000343
RHEL-06-000344 CCI-000366 low The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. Verify the umask setting is configured correctly in the /etc/profile file by running the following command: # grep "umask" /etc/profile All output must show the value of umask set as shown in the below: # grep "umask" /etc/profile umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:
umask 
RHEL-06-000344
RHEL-06-000345 CCI-000366 low The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. Verify the UMASK setting is configured correctly in the /etc/login.defs file by running the following command: # grep -i "UMASK" /etc/login.defs All output must show the value of umask set as shown in the below: # grep -i "UMASK" /etc/login.defs umask Is it the case that the above command returns no output, or if the umask is configured incorrectly? To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
RHEL-06-000345
RHEL-06-000346 CCI-000366 low The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions. To check the value of the umask, run the following command: $ grep umask /etc/init.d/functions The output should show . Is it the case that it does not? The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. By default, the umask of 022 is set which prevents creation of group- or world-writable files. To set the umask for daemons expected by the profile, edit the following line:
umask 
RHEL-06-000346
RHEL-06-000347 CCI-000196 medium Unencrypted passwords for remote FTP servers may be stored in .netrc files. To check the system for the existence of any .netrc files, run the following command: $ sudo find /home -xdev -name .netrc Is it the case that any .netrc files exist? The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed. RHEL-06-000347
RHEL-06-000348 CCI-000048 medium This setting will cause the system greeting banner to be used for FTP connections as well. If FTP services are not installed, this is not applicable. To verify this configuration, run the following command: grep "banner_file" /etc/vsftpd/vsftpd.conf The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: $ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf banner_file=/etc/issue Is it the case that it does not? Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration options:
banner_file=/etc/issue
RHEL-06-000348
RHEL-06-000349 CCI-000765 medium Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: SIPRNET systemsStandalone systemsApplication accountsTemporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIVOperational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALTTest systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. Is it the case that non-exempt accounts are not using CAC authentication? To enable smart card authentication, consult the documentation at: For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: RHEL-06-000349
RHEL-06-000356 CCI-000047 medium Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth The output should show unlock_time=<some-large-number> or 0 for never. Is it the case that unlock_time is less than the expected value? To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user.
RHEL-06-000356
RHEL-06-000357 CCI-001452 medium By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable. Is it the case that fail_interval is less than the required value? Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    
  • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
RHEL-06-000357
RHEL-06-000372 CCI-000366 medium Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. To ensure that last logon/access notification is configured correctly, run the following command: $ grep pam_lastlog.so /etc/pam.d/postlogin The output should show output showfailed. Is it the case that that is not the case? To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed
RHEL-06-000372
RHEL-06-000383 CCI-000163 medium If users can write to audit logs, audit trails can be modified or destroyed. Run the following command to check the mode of the system audit logs: $ sudo ls -l /var/log/audit Audit logs must be mode 0640 or less permissive. Is it the case that any are more permissive? If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file

Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file
RHEL-06-000383
RHEL-06-000384 CCI-000162 medium Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. To properly set the owner of /var/log/audit, run the command: $ sudo chown root /var/log/audit To properly set the owner of /var/log/audit/*, run the command: $ sudo chown root /var/log/audit/* Is it the case that ? All audit logs must be owned by root user and group. By default, the path for audit log is
/var/log/audit/
. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit 
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* 
RHEL-06-000384
RHEL-06-000503 CCI-NaN medium USB storage devices such as thumb drives can be used to introduce malicious software. If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
RHEL-06-000503
RHEL-06-000509 CCI-000136 low The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server To verify the audispd's syslog plugin is active, run the following command: $ sudo grep active /etc/audisp/plugins.d/syslog.conf If the plugin is active, the output will show yes. Is it the case that it is not activated? To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service:
$ sudo service auditd restart
RHEL-06-000509
RHEL-06-000518 CCI-000366 low Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. The following command will list which files on the system have permissions different from what is expected by the RPM database: $ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' Is it the case that there is output? The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME
RHEL-06-000518
RHEL-06-000519 CCI-000366 low The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. The following command will list which files on the system have file hashes different from what is expected by the RPM database. $ rpm -Va | awk '$1 ~ /..5/ && $2 != "c"' Is it the case that there is output? Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
RHEL-06-000519
RHEL-06-000523 CCI-000066 medium In ip6tables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. If IPv6 is disabled, this is not applicable. Inspect the file /etc/sysconfig/ip6tables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/ip6tables Is it the case that the default policy for the INPUT chain is not set to DROP? To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/ip6tables:
:INPUT DROP [0:0]
If changes were required, reload the ip6tables rules:
$ sudo service ip6tables reload
RHEL-06-000523
RHEL-06-000525 CCI-000169 low Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. Inspect the kernel boot arguments (which follow the word kernel) in /etc/grub.conf. If they include audit=1, then auditing is enabled at boot time. Is it the case that auditing is not enabled at boot time? To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
RHEL-06-000525
RHEL-06-000526 CCI-000366 low Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
To check that the autofs service is disabled in system boot configuration, run the following command: $ sudo chkconfig autofs --list Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo chkconfig autofs --list autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify autofs is disabled through current runtime configuration: $ sudo service autofs status If the service is disabled the command will return the following output: autofs is stopped Is it the case that ? The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo chkconfig autofs off
RHEL-06-000526