CCE ID | Rule Title | Description | Rationale | Variable Setting | NIST 800-53 Mapping |
CCE-80137-3 | Disable Mounting of cramfs |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | CM-7 |
|
CCE-80138-1 | Disable Mounting of freevxfs |
To configure the system to prevent the freevxfs
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | CM-7 |
|
CCE-80139-9 | Disable Mounting of jffs2 |
To configure the system to prevent the jffs2
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | CM-7 |
|
CCE-80140-7 | Disable Mounting of hfs |
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install hfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | CM-7 |
|
CCE-80141-5 | Disable Mounting of hfsplus |
To configure the system to prevent the hfsplus
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | CM-7 |
|
CCE-80142-3 | Disable Mounting of squashfs |
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | CM-7 |
|
CCE-80143-1 | Disable Mounting of udf |
To configure the system to prevent the udf
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install udf /bin/true
This effectively prevents usage of this uncommon filesystem. |
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | CM-7 |
|
CCE-27173-4 | Ensure /tmp Located On Separate Partition |
The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
|
The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
|
SC-32(1) |
|
CCE-80149-8 | Add nodev Option to /tmp |
The nodev mount option prevents character and block device files
that exist in /tmp from being interpreted as devices, so a device node placed there cannot be used to reach the underlying hardware.
Legitimate character and block devices should not exist
within temporary directories like /tmp .
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp .
|
The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
CM-7 MP-2 |
|
CCE-80151-4 | Add nosuid Option to /tmp | The nosuid mount option causes the set-user-ID and
set-group-ID bits on executables in /tmp to be ignored, so such programs run with the privileges of the invoking user only. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp .
|
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. | CM-7 MP-2 |
|
CCE-80150-6 | Add noexec Option to /tmp | The noexec mount option can be used to prevent binaries
from being executed out of /tmp . Note that noexec blocks direct execution only: a script
stored in /tmp can still be run by passing it to an interpreter. Some package installers
and build tools also expect to run helpers from /tmp , so test the change or point such
tools at another directory via TMPDIR before enforcing it.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp .
|
Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
CM-7 MP-2 |
|
CCE-26404-4 | Ensure /var Located On Separate Partition | The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.
|
Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages.
|
SC-32(1) |
|
CCE-26967-0 | Ensure /var/log Located On Separate Partition |
System logs are stored in the /var/log directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
|
Placing /var/log in its own partition
enables better separation between log files
and other files in /var/ .
|
AU-9 SC-32 |
|
CCE-26971-2 | Ensure /var/log/audit Located On Separate Partition |
Audit logs are stored in the /var/log/audit directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
|
Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
|
AU-4 AU-9 SC-32(1) |
|
CCE-80144-9 | Ensure /home Located On Separate Partition |
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
|
Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
|
SC-32(1) |
|
CCE-80152-2 | Add nodev Option to /dev/shm | The nodev mount option prevents character and block
device files that exist in /dev/shm from being interpreted as devices.
Legitimate character and block devices should not exist
within temporary directories like /dev/shm .
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm .
|
The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
CM-7 MP-2 |
|
CCE-80154-8 | Add nosuid Option to /dev/shm | The nosuid mount option causes the set-user-ID and
set-group-ID bits on executables in /dev/shm to be ignored, so such programs run with the privileges of the
invoking user only. The SUID and SGID permissions should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm .
|
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. | CM-7 MP-2 |
|
CCE-80153-0 | Add noexec Option to /dev/shm | The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm .
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm .
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm .
|
Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
CM-7 MP-2 |
|
CCE-80146-4 | Add nodev Option to Removable Media Partitions | The nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions.
|
The only legitimate location for device files is the /dev directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set nodev on partitions which contain their root
filesystems. |
AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 |
|
CCE-80148-0 | Add nosuid Option to Removable Media Partitions | The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions.
|
The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. | AC-6 AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 |
|
CCE-80147-2 | Add noexec Option to Removable Media Partitions | The noexec mount option prevents the direct
execution of binaries on the mounted filesystem.
Preventing the direct execution of binaries from removable media (such as a USB
key) provides a defense against malicious software that may be present on such
untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions.
|
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. | AC-19(a) AC-19(d) AC-19(e) CM-7 MP-2 |
|
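The nodev, nosuid and noexec rules for /tmp, /dev/shm and removable media all come down to the fourth column of /etc/fstab. The script below is an added example, not part of the guide or the SCAP content it describes: it audits an fstab-style file for those options, appends the missing ones, and (where util-linux findmnt exists) compares against the live mount. The function names, the sample fstab and the /media/usb mount point are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the guide): audit and fix the options column of
# an fstab-style file for the mount points the rules above cover. The file
# path is a parameter, so try it on a copy before editing /etc/fstab as root.

# Print the 4th (options) field for mount point $2 in fstab file $1; empty if absent.
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# Succeed if every option in the comma-separated list $3 is set for mount point $2.
fstab_has_options() {
    local have o
    have=$(fstab_options "$1" "$2")
    [ -n "$have" ] || return 1
    for o in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$have," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Append the options from $3 that are missing on mount point $2, rewriting $1 in
# place. awk rebuilds the line with single spaces between fields.
fstab_add_options() {
    local tmp
    tmp=$(mktemp) || return 1
    awk -v mp="$2" -v want="$3" '
        $1 !~ /^#/ && NF >= 4 && $2 == mp {
            n = split(want, w, ",")
            for (i = 1; i <= n; i++)
                if (index("," $4 ",", "," w[i] ",") == 0) $4 = $4 "," w[i]
        }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Live check of an already-mounted filesystem via findmnt (util-linux). Only
# meaningful on the target host; returns 2 where findmnt is unavailable.
mount_has_options() {
    local have o
    command -v findmnt >/dev/null 2>&1 || return 2
    have=$(findmnt -no OPTIONS "$1") || return 1
    for o in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$have," in *",$o,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# One line per mount point: /tmp and /dev/shm always, plus any removable-media
# mount points given as extra arguments (their names are site-specific).
fstab_report() {
    local f=$1 mp; shift
    for mp in /tmp /dev/shm "$@"; do
        if fstab_has_options "$f" "$mp" nodev,nosuid,noexec; then
            printf 'OK       %-12s %s\n' "$mp" "$(fstab_options "$f" "$mp")"
        else
            printf 'MISSING  %-12s %s\n' "$mp" "$(fstab_options "$f" "$mp")"
        fi
    done
}

demo() {
    local f mp
    f=$(mktemp) || return 1
    # Constructed sample fstab, not taken from any real system.
    cat > "$f" <<'EOF'
/dev/mapper/rhel-root /          xfs   defaults     0 0
/dev/mapper/rhel-tmp  /tmp       xfs   defaults     0 0
tmpfs                 /dev/shm   tmpfs defaults     0 0
/dev/sdb1             /media/usb vfat  noauto,user  0 0
EOF
    printf 'before:\n'; fstab_report "$f" /media/usb
    for mp in /tmp /dev/shm /media/usb; do
        fstab_add_options "$f" "$mp" nodev,nosuid,noexec
    done
    printf 'after:\n'; fstab_report "$f" /media/usb
    rm -f "$f"
}

# Usage: fstab_audit.sh [FSTAB [REMOVABLE_MOUNTPOINT...]]; with no arguments
# the constructed sample is used.
if [ $# -gt 0 ]; then fstab_report "$@"; else demo; fi
```

An fstab change only applies at the next mount, so after editing the real file remount each filesystem (for example with mount -o remount) and confirm with the live check; if /tmp is a tmpfs managed by a systemd mount unit rather than fstab, the options belong in that unit instead.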
CCE-80130-8 | Verify that All World-Writable Directories Have Sticky Bits Set | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR |
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp ), and for directories
requiring global read/write access.
|
AC-6 |
|
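Finding the directories this rule applies to is the part the page leaves to the reader. The script below is an added example, not part of the guide: it lists world-writable directories without the sticky bit under a given tree, shows their current modes so the "remove o+w instead" decision can be made first, and sets the bit on request. The function names and the demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): locate world-writable directories that
# lack the sticky bit, review them, and set the bit. -xdev keeps find on one
# filesystem, so run it once per local mount point.

# Print world-writable (o+w) directories under $1 that have no sticky bit (t).
ww_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Count such directories; 0 means the tree is compliant.
ww_dirs_without_sticky_count() {
    ww_dirs_without_sticky "$1" | awk 'END { print NR }'
}

# Show each offender in ls -ld form so the mode can be reviewed first: a
# directory that has no reason to be world-writable should lose o+w instead.
ww_dirs_show() {
    ww_dirs_without_sticky "$1" | while IFS= read -r d; do ls -ld "$d"; done
}

# Set the sticky bit on every offender under $1; succeed only if none remain.
ww_dirs_fix_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod +t {} + 2>/dev/null
    [ "$(ww_dirs_without_sticky_count "$1")" -eq 0 ]
}

# Usage: sticky_audit.sh /path [--fix]; with no arguments a constructed tree is used.
if [ $# -gt 0 ]; then
    ww_dirs_show "$1"
    if [ "${2:-}" = "--fix" ]; then ww_dirs_fix_sticky "$1"; fi
else
    # Constructed demo tree: "shared" is 0777 (offender), "scratch" is 1777 (fine).
    d=$(mktemp -d)
    mkdir "$d/shared" "$d/scratch"
    chmod 0777 "$d/shared"
    chmod 1777 "$d/scratch"
    printf 'offenders under %s:\n' "$d"
    ww_dirs_show "$d"
    ww_dirs_fix_sticky "$d" && printf 'sticky bit set; %s offender(s) remain\n' "$(ww_dirs_without_sticky_count "$d")"
    rm -rf "$d"
fi
```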
CCE-26989-4 | Ensure gpgcheck Enabled In Main Yum Configuration | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1
Repository definitions in /etc/yum.repos.d can override this setting per repository, so also confirm that no .repo file sets gpgcheck=0 . |
Changes to any software components can have significant effects on the overall security
of the operating system. This requirement ensures the software has not been tampered with
and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
CM-5(3) SI-7 MA-1(b) |
|
CCE-26957-1 | Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them), the Red Hat GPG key must properly be installed.
To install the Red Hat GPG key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom , use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY |
Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. | CM-5(3) SI-7 MA-1(b) |
|
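The gpgcheck rule and the GPG key rule are only as good as the check that runs after the edit. The script below is an added example, not part of the guide: it parses yum's INI-style files to confirm gpgcheck=1 in [main] and to flag repository sections that override it with gpgcheck=0, and lists the keys rpm has imported so the Red Hat key can be seen. The function names and the sample yum.conf and .repo content are constructed; the rpm query is only attempted where rpm is installed.

```sh
#!/bin/sh
# Added example (not from the guide): parse yum's INI-style configuration to
# confirm gpgcheck=1 in [main] and catch per-repository overrides, and list
# the GPG keys rpm has imported. Paths are parameters so the parsing runs on
# constructed files; the rpm query runs only where rpm exists.

# Print the value of key $3 in section $2 of INI file $1 (empty if unset).
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      insec = (s == sec); next }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit }' "$1"
}

# Succeed if [main] in $1 (normally /etc/yum.conf) sets gpgcheck=1.
yum_main_gpgcheck_ok() {
    [ "$(ini_get "$1" main gpgcheck)" = "1" ]
}

# Print the sections of repo file $1 that explicitly set gpgcheck=0. A
# repository section overrides [main], so each one listed is a finding.
repo_sections_gpgcheck_disabled() {
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); next }
        /^[ \t]*gpgcheck[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                                   if (v == "0") print s }' "$1"
}

# Audit yum.conf ($1) and every *.repo in directory $2; print findings and
# return 1 if there were any.
yum_gpgcheck_audit() {
    local conf=$1 repodir=$2 rc=0 f sec
    if ! yum_main_gpgcheck_ok "$conf"; then
        printf 'FINDING: %s [main] gpgcheck is not 1\n' "$conf"; rc=1
    fi
    for f in "$repodir"/*.repo; do
        [ -f "$f" ] || continue
        for sec in $(repo_sections_gpgcheck_disabled "$f"); do
            printf 'FINDING: %s [%s] sets gpgcheck=0\n' "$f" "$sec"; rc=1
        done
    done
    return $rc
}

# rpm stores imported keys as gpg-pubkey pseudo-packages; the Red Hat release
# key shows up here with "Red Hat, Inc." in its summary. Returns 2 without rpm.
rpm_gpg_keys() {
    command -v rpm >/dev/null 2>&1 || { printf 'rpm not available on this host\n'; return 2; }
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'
}

# Usage: yum_gpgcheck_audit.sh [YUM_CONF REPO_DIR]; with no arguments a
# constructed configuration is audited.
if [ $# -eq 2 ]; then
    yum_gpgcheck_audit "$1" "$2"; rpm_gpg_keys
else
    d=$(mktemp -d)
    printf '[main]\ncachedir=/var/cache/yum/$basearch/$releasever\ngpgcheck=1\n' > "$d/yum.conf"
    printf '[base]\nname=Base\ngpgcheck=1\n\n[vendor-extras]\nname=Extras\ngpgcheck = 0\n' > "$d/site.repo"
    yum_gpgcheck_audit "$d/yum.conf" "$d" || printf '(expected: the constructed repo file carries one override)\n'
    rm -rf "$d"
fi
```

On a real host run it as yum_gpgcheck_audit.sh /etc/yum.conf /etc/yum.repos.d; a repository that genuinely has no signed packages should be removed rather than exempted, since gpgcheck=0 on any enabled repository reopens the path this rule closes.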
CCE-80269-4 | Disable Red Hat Network Service (rhnsd) | The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.
The rhnsd service can be disabled with the following command:
$ sudo systemctl disable rhnsd.service |
Although systems management and patching is extremely important to
system security, management by a system outside the enterprise enclave is not
desirable for some environments. However, if the system is being managed by RHN or
RHN Satellite Server the rhnsd daemon can remain on. |
AC-17(8) CM-7 |
|
CCE-27096-7 | Install AIDE |
Install the AIDE package with the command:
$ sudo yum install aide |
The AIDE package must be installed if it is to be available for integrity checking. | CM-3(d) CM-3(e) CM-6(d) CM-6(3) SC-28 SI-7 |
|
CCE-26952-2 | Configure Periodic Execution of AIDE |
At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab :
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab :
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. |
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. |
CM-3(d) CM-3(e) CM-3(5) CM-6(d) CM-6(3) SC-28 SI-7 |
|
CCE-26860-7 | Verify /boot/grub2/grub.cfg User Ownership | The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg , run the command:
$ sudo chown root /boot/grub2/grub.cfg |
Only root should be able to modify important boot parameters. | AC-6(7) |
|
CCE-26812-8 | Verify /boot/grub2/grub.cfg Group Ownership | The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg , run the command:
$ sudo chgrp root /boot/grub2/grub.cfg |
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
|
AC-6(7) |
|
CCE-27054-6 | Verify /boot/grub2/grub.cfg Permissions | File permissions for /boot/grub2/grub.cfg should be set to 600.
To properly set the permissions of /boot/grub2/grub.cfg , run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg |
Proper permissions ensure that only the root user can modify important boot parameters. | AC-6(7) |
|
CCE-27309-4 | Set Boot Loader Password | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file
immediately after the superuser account.
(Use the output from grub2-mkpasswd-pbkdf2 as the value of
password-hash):
password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
|
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to | IA-2(1) IA-5(e) AC-3 |
|
CCE-80354-4 | Set the UEFI Boot Loader Password | The UEFI grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately
after the superuser account.
(Use the output from grub2-mkpasswd-pbkdf2 as the value of
password-hash):
password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
|
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to | AC-3 |
|
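The two boot loader password rules above share every step except the grub.cfg path. The script below is an added example, not part of the guide: it validates the string grub2-mkpasswd-pbkdf2 prints, refuses the account names the rules advise against, renders a complete 01_users script, and chooses the BIOS or UEFI grub.cfg path from the presence of /sys/firmware/efi. One addition beyond the page's snippet: GRUB only enforces the password once the superusers variable names the account, so the rendered stanza sets it. The account name bootadmin, the function names and the placeholder hash are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): check the hash that grub2-mkpasswd-pbkdf2
# printed, reject the account names the rule advises against, and render a
# complete /etc/grub.d/01_users. The rule shows only the password_pbkdf2 line;
# GRUB also needs "set superusers" naming that account before the password
# applies, so the rendered stanza includes it. Account and hash are parameters.

# grub2-mkpasswd-pbkdf2 prints grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
grub_hash_ok() {
    printf '%s\n' "$1" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# Reject root/admin/administrator and anything with characters GRUB or the
# shell could misparse.
grub_superuser_name_ok() {
    case "$1" in
        ''|root|admin|administrator) return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print a 01_users script for user $1 and hash $2, or fail with a reason.
render_01_users() {
    local user=$1 hash=$2
    grub_superuser_name_ok "$user" || { printf 'refusing superuser name: %s\n' "$user" >&2; return 1; }
    grub_hash_ok "$hash" || { printf 'not a grub2-mkpasswd-pbkdf2 hash\n' >&2; return 1; }
    cat <<EOF
#!/bin/sh -e
cat << GRUB_EOF
set superusers="$user"
export superusers
password_pbkdf2 $user $hash
GRUB_EOF
EOF
}

# grub2-mkconfig must target the file the firmware reads: the EFI path on UEFI
# systems (the kernel exposes /sys/firmware/efi there), the BIOS path otherwise.
grub_cfg_path() {
    if [ -d /sys/firmware/efi ]; then printf '/boot/efi/EFI/redhat/grub.cfg\n'
    else printf '/boot/grub2/grub.cfg\n'; fi
}

# Usage: grub_superuser.sh USER HASH > 01_users; the constructed hash below is
# a placeholder for demonstration, not a usable credential.
if [ $# -eq 2 ]; then
    render_01_users "$1" "$2"
else
    render_01_users bootadmin 'grub.pbkdf2.sha512.10000.0123ABCD4567.89EFFEDCBA98'
    printf '\n# then: install as /etc/grub.d/01_users (mode 0755) and run\n'
    printf '#   grub2-mkconfig -o %s\n' "$(grub_cfg_path)"
fi
```

After regenerating grub.cfg, reboot and confirm that editing a menu entry at the GRUB menu now prompts for the superuser name and password; without the superusers setting the password_pbkdf2 line alone defines a user that nothing requires.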
CCE-27287-2 | Require Authentication for Single User Mode | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. Historically, no authentication
was performed when single-user mode was selected.
On Red Hat Enterprise Linux 7, single-user mode is protected by requiring the root password; this is configured in /usr/lib/systemd/system/rescue.service , whose ExecStart line invokes sulogin. Verify that this unit has not been overridden with a version that drops the sulogin prompt.
|
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | IA-2(1) AC-3 |
|
CCE-80169-6 | Disable Core Dumps for All Users | To disable core dumps for all users, add the following line to
/etc/security/limits.conf :
* hard core 0 |
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. | SC-5 |
|
CCE-26900-1 | Disable Core Dumps for SUID programs |
To set the runtime status of the fs.suid_dumpable kernel parameter,
run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
fs.suid_dumpable = 0 |
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. | SI-11 |
|
CCE-27211-2 | Enable ExecShield | On Red Hat Enterprise Linux 7 64-bit systems, ExecShield
(non-executable memory enforced through the processor's NX bit) is enabled by default and is
turned off only if the hardware does not support it or it has been disabled with a kernel
argument in /etc/default/grub . For Red Hat Enterprise Linux 7
32-bit systems, sysctl can be used to enable ExecShield. |
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. | SC-39 |
|
CCE-27127-0 | Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the kernel.randomize_va_space kernel parameter,
run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf :
kernel.randomize_va_space = 2 |
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. | SC-30(2) |
|
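The core dump rules and the ASLR rule each set a value in two places, the running kernel and a persis­tent file, and drift between the two is the usual way they fail an audit. The script below is an added example, not part of the guide: it resolves the effective persisted value of a sysctl key across /etc/sysctl.conf and any /etc/sysctl.d drop-ins (which RHEL 7 applies as well), compares it with /proc/sys, and checks limits.conf for the "* hard core 0" line. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): compare the persisted and running values
# of the kernel parameters in the core-dump and ASLR rules, and check the
# limits.conf line that disables core dumps. Files are parameters so the parser
# can run on constructed input; /etc/sysctl.d/*.conf drop-ins are accepted too,
# since on RHEL 7 they are applied together with /etc/sysctl.conf.

# Print the effective persisted value of key $1 across the config files that
# follow (later files win; within a file the last line wins). Empty if unset.
sysctl_conf_value() {
    local key=$1; shift
    awk -v key="$key" '
        { sub(/[#;].*$/, "") }
        index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) { val = v; seen = 1 }
        }
        END { if (seen) print val }' "$@"
}

# Print the running value from /proc/sys, or nothing where it is unreadable.
sysctl_running_value() {
    local p
    p="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$p" ] && cat "$p"
}

# Check key $1 against expected value $2 in the config files that follow and
# in the running kernel; print verdicts and return 1 on any mismatch.
sysctl_check() {
    local key=$1 want=$2 conf run rc=0; shift 2
    conf=$(sysctl_conf_value "$key" "$@")
    run=$(sysctl_running_value "$key")
    if [ "$conf" = "$want" ]; then printf 'config  OK    %s = %s\n' "$key" "$conf"
    else printf 'config  FAIL  %s = "%s" (want %s)\n' "$key" "$conf" "$want"; rc=1; fi
    if [ -z "$run" ]; then printf 'running n/a   %s (no /proc/sys here)\n' "$key"
    elif [ "$run" = "$want" ]; then printf 'running OK    %s = %s\n' "$key" "$run"
    else printf 'running FAIL  %s = %s (want %s)\n' "$key" "$run" "$want"; rc=1; fi
    return $rc
}

# Succeed if limits.conf-style file $1 carries the "* hard core 0" line.
limits_core_disabled() {
    awk '$1 !~ /^#/ && $1 == "*" && $2 == "hard" && $3 == "core" && $4 == "0" { found = 1 }
         END { exit !found }' "$1"
}

# Usage: sysctl_audit.sh /etc/sysctl.conf /etc/sysctl.d/*.conf; with no
# arguments a constructed base file plus an overriding drop-in are checked
# (running values then reflect whatever host this runs on).
if [ $# -gt 0 ]; then
    rc=0
    sysctl_check fs.suid_dumpable 0 "$@" || rc=1
    sysctl_check kernel.randomize_va_space 2 "$@" || rc=1
    limits_core_disabled /etc/security/limits.conf || { printf 'limits  FAIL  no "* hard core 0" line\n'; rc=1; }
    exit $rc
else
    d=$(mktemp -d)
    printf 'fs.suid_dumpable = 1\nkernel.randomize_va_space = 2\n' > "$d/sysctl.conf"
    printf '# hardening drop-in\nfs.suid_dumpable=0\n' > "$d/99-hardening.conf"
    printf '# constructed limits.conf\n* hard core 0\n' > "$d/limits.conf"
    sysctl_check fs.suid_dumpable 0 "$d/sysctl.conf" "$d/99-hardening.conf" || :
    sysctl_check kernel.randomize_va_space 2 "$d/sysctl.conf" "$d/99-hardening.conf" || :
    limits_core_disabled "$d/limits.conf" && printf 'limits  OK    * hard core 0\n'
    rm -rf "$d"
fi
```

Pass the files in the order sysctl applies them, /etc/sysctl.conf last when it should win, because a stray drop-in that sets fs.suid_dumpable=2 is exactly the kind of override this catches.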
CCE-27078-5 | Disable Prelinking |
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink :
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua |
Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc. | CM-6(d) CM-6(3) SC-28 SI-7 |
|
CCE-26961-3 | Ensure SELinux Not Disabled in /etc/default/grub | SELinux can be disabled at boot time by an argument in
/etc/default/grub .
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
|
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. | AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) |
|
CCE-27334-2 | Ensure SELinux State is Enforcing | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config , add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing |
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) |
|
CCE-27279-9 | Configure SELinux Policy | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config :
SELINUXTYPE=targeted
Other policies, such as mls , provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
|
Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
enforcing mode.
|
AC-3 AC-3(3) AC-3(4) AC-4 AC-6 AU-9 SI-6(a) |
|
CCE-80444-3 | Uninstall setroubleshoot Package | The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot package can be removed with the following command:
$ sudo yum erase setroubleshoot |
The SETroubleshoot service is an unnecessary daemon to have running on a server. | ||
CCE-80445-0 | Uninstall mcstrans Package | The mcstransd daemon provides category label information
to client processes requesting information. The label translations are defined
in /etc/selinux/targeted/setrans.conf .
The mcstrans package can be removed with the following command:
$ sudo yum erase mcstrans |
Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that Red Hat does not feel this rule is security relevant. | ||
CCE-27288-0 | Ensure No Daemons are Unconfined by SELinux |
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the initrc_t context.
To check for unconfined daemons, run the following command:
$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system. |
Daemons which run with the initrc_t context may cause AVC denials,
or allow privileges that the daemon does not require.
|
AC-6 AU-9 CM-7 |
|
CCE-27303-7 | Modify the System Login Banner |
To configure the system login banner edit /etc/issue . Replace
the default text with a message compliant with the local site policy
or a legal disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
OR: I've read & consent to terms in IS user agreem't.
|
Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) |
|
CCE-26828-4 | Disable DCCP Support |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install dccp /bin/true |
Disabling DCCP protects the system against exploitation of any flaws in its implementation. | CM-7 |
|
CCE-27106-4 | Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to a file ending in .conf in the directory /etc/modprobe.d (modprobe ignores files in that directory that lack the .conf suffix):
install sctp /bin/true |
Disabling SCTP protects the system against exploitation of any flaws in its implementation. | CM-7 |
|
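The seven filesystem rules near the top of this table and the DCCP and SCTP rules just above use the same mechanism, an install line in /etc/modprobe.d that diverts the module load to /bin/true. The script below is an added example, not part of the guide or its SCAP content: it writes one drop-in for each group, verifies that a matching line exists in a *.conf file, and reports whether a module is currently loaded, which the install line does not change. The drop-in file names and function names are this example's own choices; a dry run in a scratch directory is the default, so nothing on the host is modified unless --apply is given.

```sh
#!/bin/sh
# Added example (not from the guide): write the install-to-/bin/true drop-in
# for the filesystem modules listed earlier (cramfs, freevxfs, jffs2, hfs,
# hfsplus, squashfs, udf) and the dccp and sctp modules above, then verify.
# modprobe only reads files named *.conf under /etc/modprobe.d. The directory
# is a parameter, so a dry run in a scratch directory changes nothing.

# Write drop-in $1/$2 disabling every module named in the remaining arguments.
modprobe_disable() {
    local dir=$1 file=$2 m; shift 2
    for m in "$@"; do
        printf 'install %s /bin/true\n' "$m"
    done > "$dir/$file"
}

# Succeed if some *.conf in $1 has an install line diverting module $2 to
# /bin/true (or /bin/false, which some guides use instead).
modprobe_is_disabled() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(true|false)([[:space:]]|\$)" "$1"/*.conf
}

# Succeed if module $1 is loaded right now. The install line stops future
# loads only; a loaded module stays until rmmod or reboot. Filesystems built
# into the kernel never appear here and cannot be disabled this way.
module_loaded() {
    [ -r /proc/modules ] && awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' /proc/modules
}

# One verdict line per module; return 1 if any module is still loadable.
modprobe_report() {
    local dir=$1 m rc=0; shift
    for m in "$@"; do
        if modprobe_is_disabled "$dir" "$m"; then printf 'disabled  %-9s' "$m"
        else printf 'LOADABLE  %-9s' "$m"; rc=1; fi
        if module_loaded "$m"; then printf ' (currently loaded)\n'; else printf '\n'; fi
    done
    return $rc
}

FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf"
PROTO_MODULES="dccp sctp"

# Usage: modprobe_disable.sh --apply   (as root, writes /etc/modprobe.d)
#        modprobe_disable.sh           (dry run in a scratch directory)
if [ "${1:-}" = "--apply" ]; then
    modprobe_disable /etc/modprobe.d 10-unused-filesystems.conf $FS_MODULES
    modprobe_disable /etc/modprobe.d 10-unused-protocols.conf $PROTO_MODULES
    modprobe_report /etc/modprobe.d $FS_MODULES $PROTO_MODULES
else
    d=$(mktemp -d)
    modprobe_disable "$d" 10-unused-filesystems.conf $FS_MODULES
    modprobe_disable "$d" 10-unused-protocols.conf $PROTO_MODULES
    # ext4 is included to show what a module without an install line looks like.
    modprobe_report "$d" $FS_MODULES $PROTO_MODULES ext4
    rm -rf "$d"
fi
```

On the host, modprobe -n -v cramfs (dry run, verbose) prints the install line it would execute, which confirms the drop-in is being read; a plain blacklist line would not be enough here, since blacklist only stops alias-based autoloading and an explicit modprobe still succeeds.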
CCE-27407-6 | Enable auditd Service | The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service |
Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
AU-3 AC-17(1) AU-1(b) AU-10 AU-12(a) AU-12(c) AU-14(1) IR-5 |
|
CCE-27212-0 | Enable Auditing for Processes Which Start Prior to the Audit Daemon | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub , in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"
Editing /etc/default/grub alone does not change the boot configuration: regenerate grub.cfg with grub2-mkconfig as described under Set Boot Loader Password, then reboot for the argument to take effect. |
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
|
AC-17(1) AU-14(1) AU-1(b) AU-2(a) AU-2(c) AU-2(d) AU-10 IR-5 |
|
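The SELinux rules above (no selinux=0 in /etc/default/grub, SELINUX=enforcing and a supported SELINUXTYPE in /etc/selinux/config) and the audit=1 rule just above all read the same two files, so one checker covers them. The script below is an added example, not part of the guide: it extracts KEY=VALUE settings from both files, tokenises GRUB_CMDLINE_LINUX, and prints one finding per violated rule. The function names and the sample files are constructed; getenforce is only consulted where it exists, and the check for enforcing=0 is this example's addition rather than something the rule names.

```sh
#!/bin/sh
# Added example (not from the guide): audit /etc/selinux/config and the kernel
# command line in /etc/default/grub together, since both SELinux rules and the
# audit=1 rule above hinge on those two files. Paths are parameters so the
# checks run on constructed copies; the running mode is queried only where
# getenforce exists.

# Print the value of KEY=VALUE line $2 in file $1, with comments and
# surrounding quotes stripped (empty if absent).
kv_get() {
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); sub(/[ \t]*#.*$/, "", v)
                gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# Succeed if the space-separated argument list $1 contains exactly the word $2.
cmdline_has() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Print one finding per line for SELinux config $1 and grub defaults $2;
# nothing is printed when everything is as the rules require.
boot_hardening_findings() {
    local state type cmd
    state=$(kv_get "$1" SELINUX)
    type=$(kv_get "$1" SELINUXTYPE)
    cmd=$(kv_get "$2" GRUB_CMDLINE_LINUX)
    [ "$state" = enforcing ] || printf 'SELINUX=%s in %s (want enforcing)\n' "$state" "$1"
    case "$type" in
        targeted|mls) ;;
        *) printf 'SELINUXTYPE=%s in %s (want targeted, or mls where it fits)\n' "$type" "$1" ;;
    esac
    if cmdline_has "$cmd" selinux=0; then printf 'selinux=0 present in GRUB_CMDLINE_LINUX\n'; fi
    # enforcing=0 is not named by the rule but also boots SELinux in permissive mode.
    if cmdline_has "$cmd" enforcing=0; then printf 'enforcing=0 present in GRUB_CMDLINE_LINUX\n'; fi
    cmdline_has "$cmd" audit=1 || printf 'audit=1 missing from GRUB_CMDLINE_LINUX\n'
}

boot_hardening_finding_count() {
    boot_hardening_findings "$1" "$2" | awk 'END { print NR }'
}

# Current mode from the kernel, where getenforce is present.
selinux_running_mode() {
    command -v getenforce >/dev/null 2>&1 && getenforce
}

# Usage: boot_hardening_audit.sh [/etc/selinux/config /etc/default/grub]; with no
# arguments two constructed files are audited. A change to /etc/default/grub
# only takes effect after grub2-mkconfig and a reboot.
if [ $# -eq 2 ]; then
    boot_hardening_findings "$1" "$2"
    printf 'running mode: %s\n' "$(selinux_running_mode)"
else
    d=$(mktemp -d)
    printf '# constructed sample\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet selinux=0"\n' > "$d/grub"
    boot_hardening_findings "$d/config" "$d/grub"
    printf '%s finding(s)\n' "$(boot_hardening_finding_count "$d/config" "$d/grub")"
    rm -rf "$d"
fi
```

The persisted files say what the next boot will do; compare with the running state (getenforce, and the audit flag in /proc/cmdline) to catch a host that was hardened on disk but never rebooted.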
CCE-27097-5 | Make the auditd Configuration Immutable | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
In either case the line must be the last one loaded, because rules that follow it cannot be added once the configuration is locked. With this setting, a reboot will be required to change any audit rules. |
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation | AC-6 AU-1(b) AU-2(a) AU-2(c) AU-2(d) IR-5 |
|
CCE-80188-6 | Enable rsyslog Service | The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
The rsyslog service must be running in order to provide
logging services, which are essential to system administration.
|
AU-4(1) AU-12 |
|
CCE-80191-0 | Ensure System Log Files Have Correct Permissions | The file permissions for all log files written by
rsyslog should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log .
For each log file LOGFILE referenced in /etc/rsyslog.conf ,
run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
$ sudo chmod 0600 LOGFILE |
Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value. | SI-11 |
|
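The permission check described in the row above, as an added shell example that is not part of the guide. It assumes GNU stat (Linux) and the classic "selector action" rule syntax, and builds its own throwaway rsyslog.conf and log files for the demonstration.

```shell
# Added example, not from the guide: check that every log file named in an
# rsyslog configuration is mode 0600 or more restrictive, as the row above
# requires. Assumes GNU stat (Linux) and the classic "selector  action" rule
# syntax shown in the guide.
# Usage: check_rsyslog_perms /etc/rsyslog.conf ; prints one line per offender.
check_rsyslog_perms() {
    conf="$1"; bad=0
    # An action naming a plain file starts with "/" or "-/" (the "-" disables
    # sync). Comments, $directives, @remote and :omrelp: targets are skipped.
    while read -r selector action rest; do
        case "$selector" in ''|\#*|\$*) continue ;; esac
        case "$action" in
            /*)  logfile="$action" ;;
            -/*) logfile="${action#-}" ;;
            *)   continue ;;
        esac
        [ -e "$logfile" ] || continue          # rsyslog has not created it yet
        mode=$(stat -c '%a' "$logfile")
        # 0600 or stricter means no group/other permission bits at all.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s has mode %s (expected 0600 or stricter)\n' "$logfile" "$mode"
            bad=1
        fi
    done < "$conf"
    return $bad
}

# Constructed demonstration: a throwaway rsyslog.conf and two log files, one
# world-readable (must be reported) and one already 0600.
demo_rsyslog_perms() {
    tmp=$(mktemp -d)
    : > "$tmp/messages"; chmod 0644 "$tmp/messages"
    : > "$tmp/secure";   chmod 0600 "$tmp/secure"
    cat > "$tmp/rsyslog.conf" <<EOF
# constructed sample, not a real system file
\$ModLoad imuxsock
*.info;mail.none;authpriv.none   $tmp/messages
authpriv.*                       $tmp/secure
mail.*                           -$tmp/maillog
*.*                              @@loghost.example.com
EOF
    check_rsyslog_perms "$tmp/rsyslog.conf"; rc=$?
    rm -rf "$tmp"; return $rc
}
```

Run `demo_rsyslog_perms` to see the single finding for the 0644 file; the 0600 file, the not-yet-created maillog and the remote target produce nothing.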
CCE-27343-3 | Ensure Logs Sent To Remote Host |
To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting loghost.example.com appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery:
*.* @loghost.example.com
To use TCP for log message delivery:
*.* @@loghost.example.com
To use RELP for log message delivery:
*.* :omrelp:loghost.example.com
There must be a resolvable DNS CNAME or Alias record set to " |
A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. | AU-3(2) AU-4(1) AU-9 |
|
CCE-80193-6 | Enable rsyslog to Accept Messages via TCP, if Acting As Log Server | The rsyslog daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
/etc/rsyslog.conf to enable reception of messages over TCP:
$ModLoad imtcp
$InputTCPServerRun 514 |
If the system needs to act as a log server, this ensures that it can receive messages over a reliable TCP connection. | AU-9 |
|
CCE-80194-4 | Enable rsyslog to Accept Messages via UDP, if Acting As Log Server | The rsyslog daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
/etc/rsyslog.conf to enable reception of messages over UDP:
$ModLoad imudp
$UDPServerRun 514 |
Many devices, such as switches, routers, and other Unix-like systems, may only support the traditional syslog transmission over UDP. If the system must act as a log server, this enables it to receive their messages as well. | AU-9 |
|
CCE-80187-8 | Ensure rsyslog is Installed |
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog |
The rsyslog package provides the rsyslog daemon, which provides system logging services. | AU-9(2) |
|
CCE-27323-5 | Enable cron Service | The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service |
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. | CM-7 |
|
CCE-27320-1 | Allow Only SSH Protocol 2 | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. | AC-17(8).1(ii) IA-5(1)(c) |
|
Set LogLevel to INFO | The INFO parameter specifies that login and logout activity will be recorded.
To specify the log level in
SSH, add or correct the following line in the /etc/ssh/sshd_config file:
LogLevel INFO |
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
not recommended other than strictly for debugging SSH communications since it provides
so much data that it is difficult to identify important security information. INFO level is the
basic level that only records login activity of SSH users. In many situations, such as Incident
Response, it is important to determine when a particular user was active on a system. The
logout record can eliminate those users who disconnected, which helps narrow the field.
|
|||
CCE-27413-4 | Disable Host-Based Authentication | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config :
HostbasedAuthentication no |
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | AC-3 CM-6(b) |
|
CCE-27445-6 | Disable SSH Root Login | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config :
PermitRootLogin no |
Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. | AC-3 AC-6(2) IA-2(1) IA-2(5) |
|
CCE-27471-2 | Disable SSH Access via Empty Passwords | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in /etc/ssh/sshd_config :
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | AC-3 AC-6 CM-6(b) |
|
CCE-27363-1 | Do Not Allow SSH Environment Options | To ensure users are not able to override environment
options to the SSH daemon, add or correct the following line
in /etc/ssh/sshd_config :
PermitUserEnvironment no |
SSH environment options potentially allow users to bypass access restriction in some configurations. | CM-6(b) |
|
CCE-27295-5 | Use Only FIPS 140-2 Validated Ciphers | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config demonstrates use of
FIPS 140-2 validated ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
The following ciphers are FIPS 140-2 certified on RHEL 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se
Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux. |
AC-3 AC-17(2) AU-10(5) CM-6(b) IA-5(1)(c) IA-7 |
|
CCE-27314-4 | Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in /etc/ssh/sshd_config :
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner. |
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. | AC-8(a) AC-8(b) AC-8(c)(1) AC-8(c)(2) AC-8(c)(3) |
|
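An audit of the sshd_config settings required by the SSH rows above (Protocol, LogLevel, HostbasedAuthentication, PermitRootLogin, PermitEmptyPasswords, PermitUserEnvironment, Ciphers, Banner), as an added shell example that is not part of the guide. It mirrors sshd's first-occurrence-wins semantics and assumes the "Keyword value" syntax; the sample config it checks is constructed for the demonstration.

```shell
# Added example, not from the guide: audit an sshd_config against the SSH
# rows above. sshd applies the FIRST occurrence of a keyword (later duplicates
# are ignored), keywords are case-insensitive, and a Match block is
# conditional, so the check mirrors that. Assumes "Keyword value" syntax.
FIPS_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator.liu.se"
# Print the value of the first effective global line for keyword $1 in file $2.
first_setting() {
    awk -v k="$1" '/^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }             # global section ends
        tolower($1) == k       { print $2; exit }' "$2"
}

# Print one line per finding; return 1 if any, 0 if compliant.
check_sshd_config() {
    conf="$1"; rc=0
    for want in protocol=2 loglevel=INFO hostbasedauthentication=no \
                permitrootlogin=no permitemptypasswords=no \
                permituserenvironment=no banner=/etc/issue ciphers=FIPS; do
        key="${want%%=*}"; expected="${want#*=}"
        got=$(first_setting "$key" "$conf")
        if [ -z "$got" ]; then
            printf '%s not set explicitly (expected %s)\n' "$key" "$expected"; rc=1
        elif [ "$key" = ciphers ]; then
            # Any subset of the FIPS list passes; flag each cipher outside it.
            for c in $(printf '%s' "$got" | tr ',' ' '); do
                case ",$FIPS_CIPHERS," in *",$c,"*) ;;
                    *) printf 'cipher %s is not FIPS 140-2 validated\n' "$c"; rc=1 ;;
                esac
            done
        elif [ "$got" != "$expected" ]; then
            printf '%s is %s (expected %s)\n' "$key" "$got" "$expected"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real system file) with three defects: the first
# PermitRootLogin wins so the later "no" is dead, arcfour is not FIPS
# validated, and Banner is commented out. The Match block must not mask them.
demo_sshd_check() {
    tmp=$(mktemp)
    printf '%s\n' 'Protocol 2' 'LogLevel INFO' 'HostbasedAuthentication no' \
        'PermitRootLogin yes' 'PermitRootLogin no' 'PermitEmptyPasswords no' \
        'PermitUserEnvironment no' 'Ciphers aes256-ctr,arcfour,aes128-ctr' \
        '#Banner /etc/issue' 'Match User backup' '    PermitRootLogin no' \
        '    Banner /etc/issue' > "$tmp"
    check_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"; return $rc
}
```

Running `demo_sshd_check` reports exactly three findings: permitrootlogin is yes, banner not set explicitly, and cipher arcfour; the settings inside the Match block do not satisfy the global checks.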
CCE-26923-3 | Limit Password Reuse | Do not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the pam_unix
or pam_pwhistory PAM modules.
In the file /etc/pam.d/system-auth , append remember=
to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below:
|
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | IA-5(f) IA-5(1)(e) |
|
CCE-27051-2 | Set Password Maximum Age | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
|
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
IA-5(f) IA-5(g) IA-5(1)(d) |
|
CCE-27294-8 | Direct root Logins Not Allowed | To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as a user can log in to the system as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enterprise Linux's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent direct root logins, remove the
contents of this file by typing the following command (the redirection must
run as root, so the command is wrapped in a root shell):
$ sudo sh -c 'echo > /etc/securetty' |
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. | IA-2(1) |