This guide presents a catalog of security-relevant configuration
settings for Fedora operating system formatted in the eXtensible Configuration
Checklist Description Format (XCCDF).
Applicable platforms
|
Version: 0.0.4 Revision history
|
Table of Contents
1. Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Fedora operating system. Recommended settings for the basic operating system are provided, as well as for many network services that the system can provide to other systems. The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Fedora's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.
Table of Contents
link | previous | next | up | toc | home
1.1. General Principles
The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not explicitly covered.
link | previous | next | up | toc | home
1.1.1. Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly important. Networks of Fedora machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines.
1.1.2. Minimize Software to Minimize Vulnerability
The simplest way to avoid vulnerabilities in software is to avoid installing that software. On Fedora, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) allows for careful management of the set of software packages installed on a system. Installed software contributes to system vulnerability in several ways. Packages that include setuid programs may provide local attackers a potential path to privilege escalation. Packages that include network services may give this opportunity to network-based attackers. Packages that include programs which are predictably executed by local users (e.g. after graphical login) may provide opportunities for trojan horses or other attack code to be run undetected. The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need.
1.1.3. Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compromised in the event that an attacker is able to successfully exploit a software flaw in one network service.
1.1.4. Configure Security Tools to Improve System Robustness
Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve robustness against attack at the cost of relatively little configuration effort. In particular, this guide recommends and discusses the use of Iptables for host-based firewalling, SELinux for protection against vulnerable services, and a logging and auditing infrastructure for detection of problems.
1.1.5. Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks.
For example, sudo
can be implemented to limit authorization to super user
accounts on the system only to designated personnel. Another example is to limit
logins on server systems to only those administrators who need to log into them in
order to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on the
system that are specifically allowed. This can be far more restrictive than the
actions permissible by the traditional Unix permissions model.
1.2. How to Use This Guide
Readers should heed the following points when using the guide.
link | previous | next | up | toc | home
1.2.1. Read Sections Completely and in Order
Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion may occur after instructions for an action.
1.2.2. Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.
1.2.3. Root Shell Environment Assumed
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
/bin/bash
shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via sudo
whenever possible, or use
su
to gain root privileges if sudo
cannot be
used. Commands which can be executed as a non-root user are are preceded
by a dollar sign ($) prompt.
1.2.4. Formatting Conventions
Commands intended for shell execution, as well as configuration file text,
are featured in a monospace font
. Italics are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.
1.2.5. Reboot Required
A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will not take effect until a reboot is performed. In order to ensure that changes are applied properly and to test functionality, always reboot the system after applying a set of recommendations from this guide.
2. System Settings
Table of Contents
- 2.1. Installing and Maintaining Software
-
2.2. File Permissions and Masks
-
2.2.1. Restrict Dynamic Mounting and Unmounting of Filesystems
- 2.2.1.a. Disable Modprobe Loading of USB Storage Driver
- 2.2.1.b. Disable Kernel Support for USB via Bootloader Configuration
- 2.2.1.c. Disable Booting from USB Devices in Boot Firmware
- 2.2.1.d. Assign Password to Prevent Changes to Boot Firmware Configuration
- 2.2.1.e. Disable the Automounter
- 2.2.1.f. Disable GNOME3 Automounting
- 2.2.1.g. Disable Mounting of cramfs
- 2.2.1.h. Disable Mounting of freevxfs
- 2.2.1.i. Disable Mounting of jffs2
- 2.2.1.j. Disable Mounting of hfs
- 2.2.1.k. Disable Mounting of hfsplus
- 2.2.1.l. Disable Mounting of squashfs
- 2.2.1.m. Disable Mounting of udf
- 2.2.1.n. Disable All GNOME3 Thumbnailers
- 2.2.2. Verify File Permissions Within Some Important Directories
- 2.2.3. Restrict Programs from Dangerous Execution Patterns
-
2.2.1. Restrict Dynamic Mounting and Unmounting of Filesystems
-
2.3. Account and Access Control
-
2.3.1. Protect Accounts by Restricting Password-Based Login
-
2.3.1.1. Restrict Root Logins
- 2.3.1.1.a. Direct root Logins Not Allowed
- 2.3.1.1.b. Virtual Console Root Logins Restricted
- 2.3.1.1.c. Serial Port Root Logins Restricted
- 2.3.1.1.d. Web Browser Use for Administrative Accounts Restricted
- 2.3.1.1.e. System Accounts Do Not Run a Shell Upon Login
- 2.3.1.1.f. Only Root Has UID 0
- 2.3.1.1.g. Root Path Is Vendor Default
- 2.3.1.2. Proper Storage and Existence of Password Hashes
- 2.3.1.3. Set Password Expiration Parameters
-
2.3.1.1. Restrict Root Logins
- 2.3.2. Secure Session Configuration Files for Login Accounts
-
2.3.3. Protect Accounts by Configuring PAM
- 2.3.3.a. Set Last Logon/Access Notification
-
2.3.3.2. Set Password Quality Requirements
-
2.3.3.2.1. Set Password Quality Requirements with pam_pwquality
- 2.3.3.2.1.a. Set Password Retry Prompts Permitted Per-Session
- 2.3.3.2.1.b. Set Password to Maximum of Three Consecutive Repeating Characters
- 2.3.3.2.1.c. Set Password Strength Minimum Digit Characters
- 2.3.3.2.1.d. Set Password Minimum Length
- 2.3.3.2.1.e. Set Password Strength Minimum Uppercase Characters
- 2.3.3.2.1.f. Set Password Strength Minimum Special Characters
- 2.3.3.2.1.g. Set Password Strength Minimum Lowercase Characters
- 2.3.3.2.1.h. Set Password Strength Minimum Different Characters
- 2.3.3.2.1.i. Set Password Strength Minimum Different Categories
-
2.3.3.2.1. Set Password Quality Requirements with pam_pwquality
- 2.3.3.3. Set Lockouts for Failed Password Attempts
- 2.3.3.4. Set Password Hashing Algorithm
-
2.3.4. Protect Physical Console Access
- 2.3.4.a. Require Authentication for Single User Mode
- 2.3.4.b. Disable Ctrl-Alt-Del Reboot Activation
- 2.3.4.c. Disable Interactive Boot
- 2.3.4.4. Set Boot Loader Password
- 2.3.4.5. Configure Screen Locking
-
2.3.1. Protect Accounts by Restricting Password-Based Login
-
2.4. Network Configuration and Firewalls
- 2.4.a. Disable Zeroconf Networking
- 2.4.b. Ensure System is Not Acting as a Network Sniffer
- 2.4.3. Disable Unused Interfaces
-
2.4.4. IPv6
- 2.4.4.1. Disable Support for IPv6 Unless Needed
- 2.4.4.2. Configure IPv6 Settings if Necessary
-
2.5. System Accounting with auditd
- 2.5.a. Enable Auditing for Processes Which Start Prior to the Audit Daemon
-
2.5.2. Configure auditd Data Retention
- 2.5.2.a. Configure auditd Number of Logs Retained
- 2.5.2.b. Configure auditd Max Log File Size
- 2.5.2.c. Configure auditd max_log_file_action Upon Reaching Maximum Log Size
- 2.5.2.d. Configure auditd space_left Action on Low Disk Space
- 2.5.2.e. Configure auditd admin_space_left Action on Low Disk Space
- 2.5.2.f. Configure auditd mail_acct Action on Low Disk Space
- 2.5.2.g. Configure auditd flush priority
- 2.5.2.h. Configure auditd to use audispd's syslog plugin
-
2.5.3. Configure auditd Rules for Comprehensive Auditing
- 2.5.3.a. Record Events that Modify User/Group Information
- 2.5.3.b. Record Events that Modify the System's Network Environment
- 2.5.3.c. System Audit Logs Must Have Mode 0640 or Less Permissive
- 2.5.3.d. System Audit Logs Must Be Owned By Root
- 2.5.3.e. Record Events that Modify the System's Mandatory Access Controls
- 2.5.3.f. Record Attempts to Alter Logon and Logout Events
- 2.5.3.g. Record Attempts to Alter Process and Session Initiation Information
- 2.5.3.h. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
- 2.5.3.i. Ensure auditd Collects Information on the Use of Privileged Commands
- 2.5.3.j. Ensure auditd Collects Information on Exporting to Media (successful)
- 2.5.3.k. Ensure auditd Collects File Deletion Events by User
- 2.5.3.l. Ensure auditd Collects System Administrator Actions
- 2.5.3.m. Ensure auditd Collects Information on Kernel Module Loading and Unloading
- 2.5.3.n. Make the auditd Configuration Immutable
- 2.5.3.15. Records Events that Modify Date and Time Information
-
2.5.3.16. Record Events that Modify the System's Discretionary Access Controls
- 2.5.3.16.a. Record Events that Modify the System's Discretionary Access Controls - chmod
- 2.5.3.16.b. Record Events that Modify the System's Discretionary Access Controls - chown
- 2.5.3.16.c. Record Events that Modify the System's Discretionary Access Controls - fchmod
- 2.5.3.16.d. Record Events that Modify the System's Discretionary Access Controls - fchmodat
- 2.5.3.16.e. Record Events that Modify the System's Discretionary Access Controls - fchown
- 2.5.3.16.f. Record Events that Modify the System's Discretionary Access Controls - fchownat
- 2.5.3.16.g. Record Events that Modify the System's Discretionary Access Controls - fremovexattr
- 2.5.3.16.h. Record Events that Modify the System's Discretionary Access Controls - fsetxattr
- 2.5.3.16.i. Record Events that Modify the System's Discretionary Access Controls - lchown
- 2.5.3.16.j. Record Events that Modify the System's Discretionary Access Controls - lremovexattr
- 2.5.3.16.k. Record Events that Modify the System's Discretionary Access Controls - lsetxattr
- 2.5.3.16.l. Record Events that Modify the System's Discretionary Access Controls - removexattr
- 2.5.3.16.m. Record Events that Modify the System's Discretionary Access Controls - setxattr
link | previous | next | up | toc | home
2.1. Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
link | previous | next | up | toc | home
2.1.1. Updating Software
The yum
command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the System menu, in the Administration submenu,
called Software Update.
Fedora systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Tools such as
yum
or the graphical Software Update ensure usage of RPM
packages for software installation. This allows for insight into the current
inventory of installed software on the system, and is highly recommended.
link | previous | next | up | toc | home
2.1.1.a. gpgcheck Enabled In Main Yum Configuration
The gpgcheck
option should be used to ensure
checking of an RPM package's signature always occurs prior to its
installation. To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf
in
the [main]
section:
gpgcheck=1
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
References
- SI-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- MA-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 352. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 663. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.1.1.b. gpgcheck Enabled For All Yum Package Repositories
To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d
of the form:
gpgcheck=0
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
References
- SI-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- MA-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 352. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 663. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.1.2. Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.
Integrity checking cannot prevent intrusions,
but can detect that they have occurred. Requirements
for software integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based
approaches such as AIDE may induce considerable overhead
in the presence of frequent software updates.
link | previous | next | up | toc | home
2.1.2.1. Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update. AIDE is highly configurable, with further configuration
information located in /usr/share/doc/aide-VERSION
.
link | previous | next | up | toc | home
2.1.2.1.a. Install AIDE
Install the AIDE package with the command:
$ sudo yum install aide
The AIDE package must be installed if it is to be available for integrity checking.
References
- CM-3(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-3(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(3). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SC-28. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SI-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1069. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- Test attestation on 20121024 by DS. URL: <https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors>.
2.1.2.1.b. Disable Prelinking
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink
:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua
The prelinking feature can interfere with the operation of AIDE, because it changes binaries.
Remediation script
#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
References
- CM-6(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(3). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SC-28. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SI-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.1.2.1.c. Build and Test AIDE Database
Run the following command to generate a new database:
# /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz
.
Storing the database, the configuration file /etc/aide.conf
, and the binary
/usr/sbin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
# /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
References
- CM-3(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-3(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(3). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SC-28. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SI-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.1.2.1.d. Configure Periodic Execution of AIDE
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab
:
05 4 * * * root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
References
- CM-3(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-3(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(3). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SC-28. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SI-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 374. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 416. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1069. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1263. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1297. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1589. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.1.2.2. Verify Integrity with RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database. Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To list which files on the system differ from what is expected by the RPM database:
# rpm -qVa
See the man page for rpm
to see a complete explanation of each column.
link | previous | next | up | toc | home
2.1.2.2.a. Verify and Correct File Permissions with RPM
The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, run the following command to determine which package owns it:
# rpm -qf FILENAME
Next, run the following command to reset its permissions to
the correct values:
# rpm --setperms PACKAGENAME
Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
References
- AC-6. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(3). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1493. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1494. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1495. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.1.2.2.b. Verify File Hashes with RPM
The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
# rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change. If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
# rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
rpm -Uvh PACKAGENAME
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
References
- CM-6(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- CM-6(3). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SI-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1496. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.1.2.3. Additional Security Software
Additional security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base platform. Add-on software may not be appropriate for some specialized systems.
link | previous | next | up | toc | home
2.1.2.3.a. Install Intrusion Detection Software
The Red Hat platform includes a sophisticated auditing system and SELinux, which provide host-based intrusion detection capabilities.
Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.
References
2.1.2.3.b. Install Virus Scanning Software
Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail.
Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
References
- SC-28. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- SI-3. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1239. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1668. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.2. File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.
link | previous | next | up | toc | home
2.2.1. Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition
and removal of filesystems on a running system. These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in /etc/modprobe.d
.
link | previous | next | up | toc | home
2.2.1.a. Disable Modprobe Loading of USB Storage Driver
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install usb-storage /bin/true
This will prevent the modprobe
program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod
program to load the module manually.
USB storage devices such as thumb drives can be used to introduce malicious software.
References
- AC-19(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1250. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 85. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.2.1.b. Disable Kernel Support for USB via Bootloader Configuration
All USB support can be disabled by adding the nousb
argument to the kernel's boot loader configuration. To do so,
append "nousb" to the kernel line in /etc/grub.conf
as shown:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
WARNING: Disabling all kernel support for USB will cause problems for
systems with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.
Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.
References
- AC-19(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1250. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.2.1.c. Disable Booting from USB Devices in Boot Firmware
Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.
Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS.
References
- AC-19(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1250. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.2.1.d. Assign Password to Prevent Changes to Boot Firmware Configuration
Assign a password to the system boot firmware (historically called BIOS on PC systems) to require a password for any configuration changes.
Assigning a password to the system boot firmware prevents anyone with physical access from configuring the system to boot from local media and circumvent the operating system's access controls. For systems in physically secure locations, such as a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed against the risk of administrative personnel being unable to conduct recovery operations in a timely fashion.
2.2.1.e. Disable the Automounter
The autofs
daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd
.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs
service can be disabled with the following command:
$ sudo systemctl disable autofs.service
Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab
.
References
- AC-19(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1250. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 85. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.2.1.f. Disable GNOME3 Automounting
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3,
the automount
, automount-open
, and autorun-never
settings must be set
under an appropriate configuration file(s) in the /etc/dconf/db/local.d
directory
and locked in /etc/dconf/db/local.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.
References
- AC-19(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-19(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.2.1.g. Disable Mounting of cramfs
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
References
2.2.1.h. Disable Mounting of freevxfs
To configure the system to prevent the freevxfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
References
2.2.1.i. Disable Mounting of jffs2
To configure the system to prevent the jffs2
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem.
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
References
2.2.1.j. Disable Mounting of hfs
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install hfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
References
2.2.1.k. Disable Mounting of hfsplus
To configure the system to prevent the hfsplus
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem.
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
References
2.2.1.l. Disable Mounting of squashfs
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
References
2.2.1.m. Disable Mounting of udf
To configure the system to prevent the udf
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d
:
install udf /bin/true
This effectively prevents usage of this uncommon filesystem.
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
References
2.2.1.n. Disable All GNOME3 Thumbnailers
The system's default desktop environment, GNOME3, uses
a number of different thumbnailer programs to generate thumbnails
for any new or modified content in an opened folder. To disable the
execution of these thumbnail applications, the disable-all
setting must be set
under an appropriate configuration file(s) in the /etc/dconf/db/local.d
directory
and locked in /etc/dconf/db/local.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
This effectively prevents an attacker from gaining access to a
system through a flaw in GNOME3's Nautilus thumbnail creators.
An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.
References
2.2.2. Verify File Permissions Within Some Important Directories
Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. As such, an argument exists to verify that files' permissions within these directories remain configured correctly and restrictively.
link | previous | next | up | toc | home
2.2.2.a. Shared Library Files Have Restrictive Permissions
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in
/lib/modules
. All files in these directories should not be
group-writable or world-writable. If any file in these directories is found to
be group-writable or world-writable, correct its permission with the following
command:
# chmod go-w FILE
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.
References
2.2.2.b. Shared Library Files Have Root Ownership
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules
. All files in these directories should be owned
by the root
user. If the directory, or any file in these directories,
is found to be owned by a user other than root correct its ownership with the
following command:
# chown root FILE
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
References
2.2.2.c. System Executables Have Restrictive Permissions
System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found to be group-writable or
world-writable, correct its permission with the following command:
# chmod go-w FILE
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
References
2.2.2.d. System Executables Have Root Ownership
System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should be owned by the root
user. If
any file FILE in these directories is found to be owned by a user other
than root, correct its ownership with the following command:
# chown root FILE
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.
References
2.2.3. Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs.
link | previous | next | up | toc | home
2.2.3.a. Restrict Access to Kernel Message Buffer
To set the runtime status of the kernel.dmesg_restrict
kernel parameter,
run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf
:
kernel.dmesg_restrict = 1
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
2.2.3.2. Daemon Umask
The umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initialization scripts which set the default umask for system daemons.
link | previous | next | up | toc | home
2.2.3.2.a. Set Daemon Umask
The file /etc/init.d/functions
includes initialization
parameters for most or all daemons started at boot time. The default umask of
022 prevents creation of group- or world-writable files. To set the default
umask for daemons, edit the following line, inserting 022 or 027 for
UMASK appropriately:
umask 022
Setting the umask to too restrictive a setting can cause serious errors at
runtime. Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
References
2.2.3.3. Disable Core Dumps
A core dump file is the memory image of an executable
program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers
legitimately need to access these files. The core dump files may
also contain sensitive information, or unnecessarily occupy large
amounts of disk space.
Once a hard limit is set in /etc/security/limits.conf
, a
user cannot increase that limit within his or her own session. If access
to core dumps is required, consider restricting them to only
certain users or groups. See the limits.conf
man page for more
information.
The core dumps of setuid programs are further protected. The
sysctl
variable fs.suid_dumpable
controls whether
the kernel allows core dumps from these programs at all. The default
value of 0 is recommended.
link | previous | next | up | toc | home
2.2.3.3.a. Disable Core Dumps for All Users
To disable core dumps for all users, add the following line to
/etc/security/limits.conf
:
* hard core 0
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
References
2.2.3.3.b. Disable Core Dumps for SUID programs
To set the runtime status of the fs.suid_dumpable
kernel parameter,
run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf
:
fs.suid_dumpable = 0
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
References
2.2.3.4. Enable ExecShield
ExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default
on 32-bit systems and controlled through sysctl
variables
kernel.exec-shield
and kernel.randomize_va_space
. On the latest
64-bit systems, kernel.exec-shield
cannot be enabled or disabled with
sysctl
.
link | previous | next | up | toc | home
2.2.3.4.a. Enable ExecShield
By default on Fedora 64-bit systems, ExecShield is enabled and can
only be disabled if the hardware does not support ExecShield or is disabled in
/etc/default/grub
. For Fedora 32-bit systems, sysctl
can be
used to enable ExecShield.
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
References
- SC-39. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 2530. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.2.3.4.b. Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space
kernel parameter,
run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf
:
kernel.randomize_va_space = 2
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
References
2.2.3.5. Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
link | previous | next | up | toc | home
2.2.3.5.a. Install PAE Kernel on Supported 32-bit x86 Systems
Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support:
$ sudo yum install kernel-PAE
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this at reboot
and modify /etc/default/grub
if necessary.
The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.
On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
References
2.2.3.5.b. Enable NX or XD Support in the BIOS
Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.
Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.
References
2.3. Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under Fedora.
link | previous | next | up | toc | home
2.3.1. Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the /etc/passwd
and
/etc/shadow
files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary.
link | previous | next | up | toc | home
2.3.1.1. Restrict Root Logins
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use su
or sudo
to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The login
program
uses the file /etc/securetty
to determine which interfaces
should allow root logins.
The virtual devices /dev/console
and /dev/tty*
represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains /dev/vc/*
.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Furthermore, /dev/hvc*
represent virtio-serial
consoles, /dev/hvsi*
IBM pSeries serial consoles, and finally
/dev/xvc0
Xen virtual console. Root should also be prohibited
from connecting via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
link | previous | next | up | toc | home
2.3.1.1.a. Direct root Logins Not Allowed
To further limit access to the root
account, administrators
can disable root logins at the console by editing the /etc/securetty
file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to his machine as root via Telnet, which sends the password in
plain text over the network. By default, Fedora's /etc/securetty
file
only allows the root user to login at the console physically attached to the
machine. To prevent root from logging in, remove the contents of this file.
To prevent direct root logins, remove the contents of this file by typing the
following command:
echo > /etc/securetty
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This scenario is nowadays required by security standards.
References
2.3.1.1.b. Virtual Console Root Logins Restricted
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty
:
vc/1
vc/2
vc/3
vc/4
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
References
- AC-6(2). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 770. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.1.c. Serial Port Root Logins Restricted
To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty
:
ttyS0
ttyS1
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
References
- AC-6(2). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 770. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.1.d. Web Browser Use for Administrative Accounts Restricted
Enforce policy requiring administrative accounts use web browsers only for local service administration.
If a browser vulnerability is exploited while running with administrative privileges, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy.
2.3.1.1.e. System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line
in /etc/passwd
. System accounts are those user accounts with a user ID less than
500. The user ID is stored in the third field.
If any system account SYSACCT (other than root) has a login shell,
disable it with the command:
# usermod -s /sbin/nologin SYSACCT
Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
References
2.3.1.1.f. Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
References
2.3.1.1.g. Root Path Is Vendor Default
Assuming root shell is bash, edit the following files:
~/.profile
~/.bashrc
Change any PATH
variables to the vendor default for root and remove any
empty PATH
entries or references to relative paths.
The root account's executable search path must be the vendor default, and must contain only absolute paths.
2.3.1.2. Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
/etc/shadow
. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as /etc/passwd
, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
link | previous | next | up | toc | home
2.3.1.2.a. Log In to Accounts With Empty Password Impossible
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth
to
prevent logins with empty passwords.
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.3.1.2.b. Password Hashes For Each Account Shadowed
If any password hashes are stored in /etc/passwd
(in the second field,
instead of an x
), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
The hashes for all user account passwords should be stored in
the file /etc/shadow
and never in /etc/passwd
,
which is readable by all users.
References
- IA-5(h). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 201. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.2.c. All GIDs referenced in /etc/passwd Defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.
Inconsistency in GIDs between /etc/passwd
and /etc/group
could lead to a user having unintended rights.
References
- 366. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.2.d. netrc Files Do Not Exist
The .netrc
files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc
files should be removed.
Unencrypted passwords for remote FTP servers may be stored in .netrc
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
References
- IA-5(h). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 196. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.3. Set Password Expiration Parameters
The file /etc/login.defs
controls several
password-related settings. Programs such as passwd
,
su
, and login
consult /etc/login.defs
to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page login.defs(5)
for more information.
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
PASS_MAX_DAYS
and apply it to existing accounts with the
-M
flag.
The PASS_MIN_DAYS
(-m
) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The PASS_WARN_AGE
(-W
) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
For example, for each existing human user USER, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
# chage -M 180 -m 7 -W 7 USER
link | previous | next | up | toc | home
2.3.1.3.a. Password Minimum Length
To specify password length requirements for new accounts,
edit the file /etc/login.defs
, locate the following line:
PASS_MIN_LEN LENGTH
and correct it to have the form of:
PASS_MIN_LEN 12
Nowadays recommended values, considered as secure by various organizations focused on topic of computer security, range from
12 (FISMA)
up to
14 (DoD)
characters for password length requirements.
If a program consults /etc/login.defs
and also another PAM module
(such as pam_pwquality
) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
Remediation script
var_accounts_password_minlen_login_defs="12"
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
References
- IA-5(f). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 205. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.3.b. Password Minimum Age
To specify password minimum age for new accounts,
edit the file /etc/login.defs
, locate the following line:
PASS_MIN_DAYS DAYS
and correct it to have the form of:
PASS_MIN_DAYS 7
A value greater than 1 day is considered to be sufficient for many environments.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
Remediation script
var_accounts_minimum_age_login_defs="7"
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
References
- IA-5(f). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 198. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.3.c. Password Maximum Age
To specify password maximum age for new accounts,
edit the file /etc/login.defs
, locate the following line:
PASS_MAX_DAYS DAYS
and correct it to have the form of:
PASS_MAX_DAYS 90
A value less than 180 days is sufficient for many environments.
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Remediation script
var_accounts_maximum_age_login_defs="90"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
References
- IA-5(f). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(g). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 180. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 199. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.1.3.d. Password Warning Age
To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs
, locate the following line:
PASS_WARN_AGE DAYS
and correct it to have the form of:
PASS_WARN_AGE 7
A value of 7 days would be nowadays considered to be a standard.
Setting the password warning age enables users to make the change at a practical time.
Remediation script
var_accounts_password_warn_age_login_defs="7"
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi
References
2.3.2. Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissions as a result of user error or misconfiguration. If an attacker can modify or even read certain types of account configuration information, they can often gain full access to the affected user's account. Therefore, it is important to test and correct configuration file permissions for interactive accounts, particularly those of privileged users such as root or system administrators.
link | previous | next | up | toc | home
2.3.2.a. Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf
:
* hard maxlogins 1
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
References
2.3.2.b. Ensure that User Home Directories are not Group-Writable or World-Readable
For each human user of the system, view the permissions of the user's home directory:
$ sudo ls -ld /home/USER
Ensure that the directory is not group-writable and that it
is not world-readable. If necessary, repair the permissions:
$ sudo chmod g-w /home/USER
$ sudo chmod o-rwx /home/USER
This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change.
User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs.
References
- AC-6(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 225. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.2.3. Ensure that No Dangerous Directories Exist in Root's Path
The active path of the root account can be obtained by starting a new root shell and running:
$ sudo echo $PATH
This will produce a colon-separated list of
directories in the path.
Certain path elements could be considered dangerous, as they could lead to root executing unknown or untrusted programs, which could contain malicious code. Since root may sometimes work inside untrusted directories, the
.
character, which represents the
current directory, should never be in the root path, nor should any
directory which can be written to by an unprivileged or
semi-privileged (system) user.
It is a good practice for administrators to always execute privileged commands by typing the full path to the command.
link | previous | next | up | toc | home
2.3.2.3.a. Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that none of the directories in root's path is equal to a single
.
character, or
that it contains any instances that lead to relative path traversal, such as
..
or beginning a path without the slash (/
) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single .
character.
Including these entries increases the risk that root could execute code from an untrusted location.
References
- CM-6(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 366. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.2.3.b. Ensure that Root's Path Does Not Include World or Group-Writable Directories
For each element in root's path, run:
$ sudo ls -ld DIR
and ensure that write permissions are disabled for group and
other.
Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.
References
- CM-6(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 366. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.2.4. Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions
for the creation of new files.
With a default umask
setting of 077, files and directories
created by users will not be readable by any other user on the
system. Users who wish to make specific files group- or
world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their
group by default by setting a umask
of 027 in their shell
configuration files. If default per-user groups exist (that is, if
every user has a default group whose name is the same as that
user's username and whose only member is the user), then it may
even be safe for users to select a umask
of 007, making it very
easy to intentionally share files with groups of which the user is
a member.
link | previous | next | up | toc | home
2.3.2.4.a. Ensure the Default Bash Umask is Set Correctly
To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask
setting in /etc/bashrc
to read
as follows:
umask 027
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
References
2.3.2.4.b. Ensure the Default C Shell Umask is Set Correctly
To ensure the default umask for users of the C shell is set properly,
add or correct the umask
setting in /etc/csh.cshrc
to read as follows:
umask 027
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
References
2.3.2.4.c. Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by /etc/profile
is set properly,
add or correct the umask
setting in /etc/profile
to read as follows:
umask 027
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
References
2.3.2.4.d. Ensure the Default Umask is Set Correctly in login.defs
To ensure the default umask controlled by /etc/login.defs
is set properly,
add or correct the UMASK
setting in /etc/login.defs
to read as follows:
UMASK 027
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
References
2.3.3. Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
PAM looks in the directory /etc/pam.d
for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file /etc/pam.d/login
to determine what actions should be taken.
One very important file in /etc/pam.d
is
/etc/pam.d/system-auth
. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service.
Be careful when making changes to PAM's configuration files. The syntax for these files is complex, and modifications can have unexpected consequences. The default configurations shipped with applications should be sufficient for most users.
Running authconfig
or
system-config-authentication
will re-write the PAM configuration
files, destroying any manually made changes and replacing them with
a series of system defaults. One reference to the configuration
file syntax can be found at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.
link | previous | next | up | toc | home
2.3.3.a. Set Last Logon/Access Notification
To configure the system to notify users of last logon/access
using pam_lastlog
, add or correct the pam_lastlog
settings in
/etc/pam.d/postlogin
to read as follows:
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
References
- 53. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.2. Set Password Quality Requirements
The default pam_pwquality
PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes. The
pam_pwquality
module is the preferred way of configuring
password requirements.
The pam_cracklib
PAM module can also provide strength
checking for passwords as the pam_pwquality
module.
It performs a number of checks, such as making sure passwords are
not similar to dictionary words, are of at least a certain length,
are not the previous password reversed, and are not simply a change
of case from the previous password. It can also require passwords to
be in certain character classes.
The pam_passwdqc
PAM module also provides the ability to enforce
stringent password strength requirements. It is provided
in an RPM of the same name and can be configured by setting the configuration
settings in /etc/passwdqc.conf
.
The man pages pam_pwquality(8)
, pam_cracklib(8)
, and
pam_passwdqc(8)
provide information on the capabilities and
configuration of each.
link | previous | next | up | toc | home
2.3.3.2.1. Set Password Quality Requirements with pam_pwquality
The pam_pwquality
PAM module can be configured to meet
requirements for a variety of policies.
For example, to configure pam_pwquality
to require at least one uppercase
character, lowercase character, digit, and other (special)
character, make sure that pam_pwquality
exists in /etc/pam.d/system-auth
:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth
.
Next, modify the settings in /etc/security/pwquality.conf
to match the following:
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
Note that the password quality requirements are not enforced for the root account for some reason.
link | previous | next | up | toc | home
2.3.3.2.1.a. Set Password Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session:
Edit the pam_pwquality.so
statement in /etc/pam.d/system-auth
to
show retry=3
, or a lower value if site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session.
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
References
2.3.3.2.1.b. Set Password to Maximum of Three Consecutive Repeating Characters
The pam_pwquality module's maxrepeat
parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat
setting
in /etc/security/pwquality.conf
to equal 3 to prevent a run of (3 + 1) or more identical characters.
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
References
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 366. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.2.1.c. Set Password Strength Minimum Digit Characters
The pam_pwquality module's dcredit
parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit
setting in
/etc/security/pwquality.conf
to require the use of a digit in passwords.
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 194. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.2.1.d. Set Password Minimum Length
The pam_pwquality module's minlen
parameter controls requirements for
minimum characters required in a password. Add minlen=15
after pam_pwquality to set minimum password length requirements.
Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
References
- IA-5(1)(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 205. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 78. .
2.3.3.2.1.e. Set Password Strength Minimum Uppercase Characters
The pam_pwquality module's ucredit=
parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit
setting in
/etc/security/pwquality.conf
to require the use of an uppercase character in passwords.
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.2.1.f. Set Password Strength Minimum Special Characters
The pam_pwquality module's ocredit=
parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number, any password will be
required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit
setting in
/etc/security/pwquality.conf
to equal -1 to require use of a special character in passwords.
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.2.1.g. Set Password Strength Minimum Lowercase Characters
The pam_pwquality module's lcredit
parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit
setting in
/etc/security/pwquality.conf
to require the use of a lowercase character in passwords.
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.2.1.h. Set Password Strength Minimum Different Characters
The pam_pwquality module's difok
parameter controls requirements for usage of different
characters during a password change. Modify the difok
setting in /etc/security/pwquality.conf
to equal 15 to require differing characters when changing passwords. The DoD requirement is 4
.
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.2.1.i. Set Password Strength Minimum Different Categories
The pam_pwquality module's minclass
parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass
setting in /etc/security/pwquality.conf
entry to require 3
differing categories of characters when changing passwords. The minimum requirement is 3
.
Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.
2.3.3.3. Set Lockouts for Failed Password Attempts
The pam_faillock
PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
/usr/share/doc/pam-VERSION/txts/README.pam_faillock
.
Locking out user accounts presents the risk of a denial-of-service attack. The lockout policy must weigh whether the risk of such a denial-of-service attack outweighs the benefits of thwarting password guessing attacks.
link | previous | next | up | toc | home
2.3.3.3.a. Set Deny For Failed Password Attempts
To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so
, modify the content of both
/etc/pam.d/system-auth
and /etc/pam.d/password-auth
as follows:
-
add the following line immediately
before
thepam_unix.so
statement in theAUTH
section:auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-
add the following line immediately
after
thepam_unix.so
statement in theAUTH
section:auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-
add the following line immediately
before
thepam_unix.so
statement in theACCOUNT
section:account required pam_faillock.so
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.
References
2.3.3.3.b. Set Lockout Time For Failed Password Attempts
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so
,
modify the content of both /etc/pam.d/system-auth
and /etc/pam.d/password-auth
as follows:
-
add the following line immediately
before
thepam_unix.so
statement in theAUTH
section:auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-
add the following line immediately
after
thepam_unix.so
statement in theAUTH
section:auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-
add the following line immediately
before
thepam_unix.so
statement in theACCOUNT
section:account required pam_faillock.so
Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.
References
- AC-7(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 47. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.3.c. Set Interval For Counting Failed Password Attempts
Utilizing pam_faillock.so
, the fail_interval
directive configures the system to lock out accounts after a number of incorrect login
attempts. Modify the content of both /etc/pam.d/system-auth
and /etc/pam.d/password-auth
as follows:
-
add the following line immediately
before
thepam_unix.so
statement in theAUTH
section:auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-
add the following line immediately
after
thepam_unix.so
statement in theAUTH
section:auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-
add the following line immediately
before
thepam_unix.so
statement in theACCOUNT
section:account required pam_faillock.so
Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.
References
- AC-7(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1452. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.3.d. Limit Password Reuse
Do not allow users to reuse recent passwords. This can
be accomplished by using the remember
option for the pam_unix
PAM
module. In the file /etc/pam.d/system-auth
, append
remember=24
to the
line which refers to the pam_unix.so
module, as shown:
password sufficient pam_unix.so existing_options remember=24
The DoD and FISMA requirement is 24 passwords.
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
References
- IA-5(f). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.4. Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in
/etc/shadow
is SHA-512. This can be configured in several
locations.
link | previous | next | up | toc | home
2.3.3.4.a. Set Password Hashing Algorithm in /etc/pam.d/system-auth
In /etc/pam.d/system-auth
, the password
section of
the file controls which PAM modules execute during a password change.
Set the pam_unix.so
module in the
password
section to include the argument sha512
, as shown below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
Using a stronger hashing algorithm makes password cracking attacks more difficult.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.4.b. Set Password Hashing Algorithm in /etc/login.defs
In /etc/login.defs
, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
Using a stronger hashing algorithm makes password cracking attacks more difficult.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.3.4.c. Set Password Hashing Algorithm in /etc/libuser.conf
In /etc/libuser.conf
, add or correct the following line in its
[defaults]
section to ensure the system will use the SHA-512
algorithm for password hashing:
crypt_style = sha512
Using a stronger hashing algorithm makes password cracking attacks more difficult.
References
- IA-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(1)(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-7. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4. Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some steps which, if taken, make it more difficult for an attacker to quickly or undetectably modify a system from its console.
link | previous | next | up | toc | home
2.3.4.a. Require Authentication for Single User Mode
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service
.
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
References
- IA-2(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 213. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.b. Disable Ctrl-Alt-Del Reboot Activation
By default, the system includes the following line in
/etc/init/control-alt-delete.conf
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
To configure the system to log a message instead of rebooting the system, alter that line to read as follows:
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Del sequence is reduced because the user will be prompted before any action is taken.
2.3.4.c. Disable Interactive Boot
To disable the ability for users to perform interactive startups,
edit the file /etc/sysconfig/init
.
Add or correct the line:
PROMPT=no
The PROMPT
option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
References
2.3.4.4. Set Boot Loader Password
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly on different partitions or media. The default Fedora boot loader for x86 systems is called GRUB2. Options it can pass to the kernel include single-user mode, which provides root access without any authentication, and the ability to disable SELinux. To prevent local users from modifying the boot parameters and endangering security, protect the boot loader configuration with a password and ensure its configuration file's permissions are set properly.
link | previous | next | up | toc | home
2.3.4.4.a. Verify /boot/grub2/grub.cfg User Ownership
The file /boot/grub2/grub.cfg
should
be owned by the root
user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg
, run the command:
$ sudo chown root /boot/grub2/grub.cfg
Only root should be able to modify important boot parameters.
References
- AC-6(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 225. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.4.b. Verify /boot/grub2/grub.cfg Group Ownership
The file /boot/grub2/grub.cfg
should
be group-owned by the root
group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg
, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
The root
group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
References
- AC-6(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 225. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.4.c. Verify /boot/grub2/grub.cfg Permissions
File permissions for /boot/grub2/grub.cfg
should be set to 600, which
is the default.
To properly set the permissions of /boot/grub2/grub.cfg
, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg
Proper permissions ensure that only the root user can modify important boot parameters.
References
- AC-6(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 225. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.4.d. Set Boot Loader Password
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under /etc/grub.d
.
Since plaintext passwords are a security risk, generate a hash for the pasword
by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under
/etc/grub.d
immediately after the superuser account.
(Use the output from grub2-mkpasswd-pbkdf2
as the value of
password-hash):
password_pbkdf2 superusers-accountpassword-hash
NOTE: It is recommended not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the
grub.cfg
file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the
grub.cfg
file as the grub2-mkconfig command overwrites this file.
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to
-
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html
References
- IA-2(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-5(e). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 213. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.5. Configure Screen Locking
When a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby
from abusing the account. User education and training is
particularly important for screen locking to be effective, and policies
can be implemented to reinforce this.
Automatic screen locking is only meant as a safeguard for
those cases where a user forgot to lock the screen.
link | previous | next | up | toc | home
2.3.4.5.1. Configure GUI Screen Locking
In the default GNOME3 desktop, the screen can be locked
by selecting the user name in the far right corner of the main panel and
selecting Lock.
The following sections detail commands to enforce idle activation of the screensaver,
screen locking, a blank-screen screensaver, and an idle
activation time.
Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only
meant as a backup.
The root account can be screen-locked; however,
the root account should never be used
to log into an X Windows environment and should only be used to
for direct login via console in emergency circumstances.
For more information about enforcing preferences in the GNOME3 environment using the DConf
configuration system, see http://wiki.gnome.org/dconf and
the man page dconf(1)
. For Red Hat specific information on configuring DConf
settings, see https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/part-Configuration_and_Administration.html
link | previous | next | up | toc | home
2.3.4.5.1.a. Set GNOME3 Screensaver Inactivity Timeout
To set the idle time-out value for inactivity in the GNOME3 desktop to 5 minutes (in seconds),
the idle-delay
setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d
directory
and locked in /etc/dconf/db/local.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
References
- AC-11(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 57. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.5.1.b. Enable GNOME3 Screensaver Idle Activation
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
the idle-activation-enabled
setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d
directory
and locked in /etc/dconf/db/local.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.
References
- AC-11(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 57. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.5.1.c. Enable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
the lock-enabled
and lock-delay
setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d
directory
and locked in /etc/dconf/db/local.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
References
- AC-11(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 57. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.5.1.d. Implement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen,
the picture-uri
setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d
directory
and locked in /etc/dconf/db/local.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
References
- AC-11(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 60. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.5.2. Configure Console Screen Locking
A console screen locking mechanism is provided in the
screen
package, which is not installed by default.
link | previous | next | up | toc | home
2.3.4.5.2.a. Install the screen Package
To enable console screen locking, install the screen
package:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
Installing screen
ensures a console locking capability is available
for users who may need to suspend console logins.
References
- 58. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.4.5.3. Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username/password. In Fedora servers and workstations, hardware token login is not enabled by default and must be enabled in the system settings.
link | previous | next | up | toc | home
2.3.4.5.3.a. Enable Smart Card Login
To enable smart card authentication, consult the documentation at:
-
https://docs.fedoraproject.org/docs/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html
Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.
References
- 765. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 766. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 767. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 768. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 771. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 772. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 884. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.3.5. Warning Banners for System Accesses
Each system should expose as little information about
itself as possible.
System banners, which are typically displayed just before a
login prompt, give out information about the service or the host's
operating system. This might include the distribution name and the
system kernel version, and the particular version of a network
service. This information can assist intruders in gaining access to
the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to
limit what information is displayed.
Many organizations implement security policies that require a
system banner provide notice of the system's ownership, provide
warning to unauthorized users, and remind authorized users of their
consent to monitoring.
link | previous | next | up | toc | home
2.3.5.a. Modify the System Login Banner
To configure the system login banner:
Edit /etc/issue
. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work
product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
2.3.5.b. Disable the GNOME3 Login User List
In the default graphical environment, users logging
directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled.
The disable-user-list
setting must be
set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d
directory
and locked in /etc/dconf/db/gdm.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.
References
2.3.5.3. Implement a GUI Warning Banner
In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME3 Display Manager (GDM). The warning banner should be displayed in this graphical environment for these users. The following sections describe how to configure the GDM login banner.
link | previous | next | up | toc | home
2.3.5.3.a. Enable GNOME3 Login Warning Banner
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, the banner-message-enable
setting must be
set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d
directory
and locked in /etc/dconf/db/gdm.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
To display a banner, this setting must be enabled, and the user must be prevented
from making changes. The banner text must also be set.
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
2.3.5.3.b. Set the GNOME3 Login Warning Banner Text
To set the text shown by the GNOME3 Display Manager
in the login screen, the banner-message-text
setting must be set under an
appropriate configuration file(s) in the /etc/dconf/db/gdm.d
directory and locked
in /etc/dconf/db/gdm.d/locks
directory to prevent user modification.
After the settings have been set, run dconf update
.
When entering a warning banner that spans several lines, remember
to begin and end the string with '
and use \n
for new lines.
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
2.4. Network Configuration and Firewalls
Most machines must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks.
link | previous | next | up | toc | home
2.4.a. Disable Zeroconf Networking
Zeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in /etc/sysconfig/network
:
NOZEROCONF=yes
Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server.
References
2.4.b. Ensure System is Not Acting as a Network Sniffer
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
If any results are returned, then a sniffing process (such as tcpdump or Wireshark) is likely to be using the interface and this should be investigated.
References
2.4.3. Disable Unused Interfaces
Network interfaces expand the attack surface of the
system. Unused interfaces are not monitored or controlled, and
should be disabled.
If the system does not require network communications but still
needs to use the loopback interface, remove all files of the form
ifcfg-interface
except for ifcfg-lo
from
/etc/sysconfig/network-scripts
:
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
If the system is a standalone machine with no need for network access or even
communication over the loopback device, then disable this service.
The network
service can be disabled with the following command:
$ sudo systemctl disable network.service
2.4.4. IPv6
The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important feature is its support for automatic configuration of many network settings.
link | previous | next | up | toc | home
2.4.4.1. Disable Support for IPv6 Unless Needed
Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively prevent execution of the IPv6 networking stack is to instruct the system not to activate the IPv6 kernel module.
link | previous | next | up | toc | home
2.4.4.1.a. Disable IPv6 Networking Support Automatic Loading
To disable support for (ipv6
) add the following line to
/etc/sysctl.d/ipv6.conf
(or another file in
/etc/sysctl.d
):
net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces as other services and system
functionality require the IPv6 stack loaded to work.
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
References
2.4.4.1.b. Disable Interface Usage of IPv6
To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network
:
NETWORKING_IPV6=no
IPV6INIT=no
2.4.4.1.c. Disable Support for RPC IPv6
RPC services for NFSv4 try to load transport modules for
udp6
and tcp6
by default, even if IPv6 has been disabled in
/etc/modprobe.d
. To prevent RPC services such as rpc.mountd
from attempting to start IPv6 network listeners, remove or comment out the
following two lines in /etc/netconfig
:
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -
References
2.4.4.2. Configure IPv6 Settings if Necessary
A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually configuring important configuration information is preferable to accepting it from the network in an unauthenticated fashion.
link | previous | next | up | toc | home
2.4.4.2.a. Manually Assign Global IPv6 Address
To manually assign an IP address for an interface, edit the
file /etc/sysconfig/network-scripts/ifcfg-interface
. Add or correct the
following line (substituting the correct IPv6 address):
IPV6ADDR=2001:0DB8::ABCD/64
Manually assigning an IP address is preferable to accepting one from routers or
from the network otherwise. The example address here is an IPv6 address
reserved for documentation purposes, as defined by RFC3849.
References
- 366. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.4.4.2.b. Use Privacy Extensions for Address
To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
/etc/sysconfig/network-scripts/ifcfg-interface
:
IPV6_PRIVACY=rfc3041
Automatically-generated IPv6 addresses are based on the underlying hardware
(e.g. Ethernet) address, and so it becomes possible to track a piece of
hardware over its lifetime using its traffic. If it is important for a system's
IP address to not trivially reveal its hardware address, this setting should be
applied.
References
- 366. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.4.4.2.c. Manually Assign IPv6 Router Address
Edit the file
/etc/sysconfig/network-scripts/ifcfg-interface
, and add or correct
the following line (substituting your gateway IP as appropriate):
IPV6_DEFAULTGW=2001:0DB8::0001
Router addresses should be manually set and not accepted via any
auto-configuration or router advertisement.
References
- 366. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.4.4.2.4. Disable Automatic Configuration
Disable the system's acceptance of router
advertisements and redirects by adding or correcting the following
line in /etc/sysconfig/network
(note that this does not disable
sending router solicitations):
IPV6_AUTOCONF=no
link | previous | next | up | toc | home
2.4.4.2.4.a. Disable Accepting IPv6 Router Advertisements
To set the runtime status of the net.ipv6.conf.default.accept_ra
kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf
:
net.ipv6.conf.default.accept_ra = 0
An illicit router advertisement message could result in a man-in-the-middle attack.
References
2.4.4.2.4.b. Disable Accepting IPv6 Redirects
To set the runtime status of the net.ipv6.conf.default.accept_redirects
kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf
:
net.ipv6.conf.default.accept_redirects = 0
An illicit ICMP redirect message could result in a man-in-the-middle attack.
References
2.4.4.2.5. Limit Network-Transmitted Configuration if Using Static IPv6 Addresses
To limit the configuration information requested from other
systems and accepted from the network on a system that uses
statically-configured IPv6 addresses, add the following lines to
/etc/sysctl.conf
:
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
The router_solicitations
setting determines how many router
solicitations are sent when bringing up the interface. If addresses are
statically assigned, there is no need to send any solicitations.
The
accept_ra_pinfo
setting controls whether the system will accept
prefix info from the router.
The
accept_ra_defrtr
setting controls whether the system will accept
Hop Limit settings from a router advertisement. Setting it to 0 prevents a
router from changing your default IPv6 Hop Limit for outgoing packets.
The
autoconf
setting controls whether router advertisements can cause
the system to assign a global unicast address to an interface.
The
dad_transmits
setting determines how many neighbor solicitations
to send out per address (global and link-local) when bringing up an interface
to ensure the desired address is unique on the network.
The
max_addresses
setting determines how many global unicast IPv6
addresses can be assigned to each interface. The default is 16, but it should
be set to exactly the number of statically configured global addresses
required.
2.5. System Accounting with auditd
The audit service provides substantial capabilities
for recording system activities. By default, the service audits about
SELinux AVC denials and certain types of security-relevant events
such as system logins, account modifications, and authentication
events performed by programs such as sudo.
Under its default configuration, auditd
has modest disk space
requirements, and should not noticeably impact system performance.
NOTE: The Linux Audit daemon auditd
can be configured to use the
auditctl
utility to read audit rules from the /etc/audit/audit.rules
configuration file, and load them into the kernel during daemon startup
(default configuration). Alternatively, the auditd
daemon can be
configured to use the augenrules
program to read audit rules files
(*.rules
) located in /etc/audit/rules.d
location and compile
them to create the resulting form of the /etc/audit/audit.rules
configuration
file during the daemon startup. The expected behavior is configured via the
appropriate ExecStartPost
directive setting in the /usr/lib/systemd/system/auditd.service
configuration file. To instruct the auditd
daemon to use the auditctl
utility to read audit rules (default configuration), use the following setting:
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
in the /usr/lib/systemd/system/auditd.service
configuration file. In order
to instruct the auditd
daemon to use the augenrules
program
to read audit rules, use the following setting:
ExecStartPost=-/sbin/augenrules --load
in the /usr/lib/systemd/system/auditd.service
configuration file. Refer to
[Service]
section of the /usr/lib/systemd/system/auditd.service
configuration for further details.
Government networks often have substantial auditing requirements and
auditd
can be configured to meet these
requirements.
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.
The following example from Fedora Documentation available at
http://docs.fedoraproject.org/en-US/Fedora/21/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
denial (and the associated system call) that occurred when the Apache HTTP
Server attempted to access the /var/www/html/file1
file (labeled with
the samba_share_t
type):
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
-
msg=audit(1226874073.147:96)
-
The number in parentheses is the unformatted time stamp (Epoch time) for the event, which can be converted to standard time by using the
date
command.
-
-
{ getattr }
-
The item in braces indicates the permission that was denied.
getattr
indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having the wrong label. Commonly seen permissions includegetattr
,read
, andwrite
.
-
-
comm="httpd"
-
The executable that launched the process. The full path of the executable is found in the
exe=
section of the system call (SYSCALL
) message, which in this case, isexe="/usr/sbin/httpd"
.
-
-
path="/var/www/html/file1"
-
The path to the object (target) the process attempted to access.
-
-
scontext="unconfined_u:system_r:httpd_t:s0"
-
The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the
httpd_t
domain.
-
-
tcontext="unconfined_u:object_r:samba_share_t:s0"
-
The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of
file1
. Note: thesamba_share_t
type is not accessible to processes running in thehttpd_t
domain.
-
-
From the system call (
SYSCALL
) message, two items are of interest:success=no
: indicates whether the denial (AVC) was enforced or not.success=no
indicates the system call was not successful (SELinux denied access).success=yes
indicates the system call was successful - this can be seen for permissive domains or unconfined domains, such asinitrc_t
andkernel_t
.exe="/usr/sbin/httpd"
: the full path to the executable that launched the process, which in this case, isexe="/usr/sbin/httpd"
.
link | previous | next | up | toc | home
2.5.a. Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1
to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub
, in the manner below:
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root rd.luks.uuid=luks-3431fd4f-80aa-436e-8acf-24f5bcb4e23a rhgb quiet audit=1"
The GRUB 2 configuration file, grub.cfg
,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub
require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o
command as follows:
-
On BIOS-based machines, issue the following command as
root
:~]# grub2-mkconfig -o /boot/grub2/grub.cfg
-
On UEFI-based machines, issue the following command as
root
:~]# grub2-mkconfig -o /boot/efi/fedora/grub2/grub.cfg
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd
takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
References
- AC-17(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-14(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-10. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1464. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 130. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.2. Configure auditd Data Retention
The audit system writes data to /var/log/audit/audit.log
. By default,
auditd
rotates 5 logs by size (6MB), retaining a maximum of 30MB of
data in total, and refuses to write entries when the disk is too
full. This minimizes the risk of audit data filling its partition
and impacting other services. This also minimizes the risk of the audit
daemon temporarily disabling the system if it cannot write audit log (which
it can be configured to do).
For a busy
system or a system which is thoroughly auditing system activity, the default settings
for data retention may be
insufficient. The log file size needed will depend heavily on what types
of events are being audited. First configure auditing to log all the events of
interest. Then monitor the log size manually for awhile to determine what file
size will allow you to keep the required data for the correct time period.
Using a dedicated partition for /var/log/audit
prevents the
auditd
logs from disrupting system functionality if they fill, and,
more importantly, prevents other activity in /var
from filling the
partition and stopping the audit trail. (The audit logs are size-limited and
therefore unlikely to grow without bound unless configured to do so.) Some
machines may have requirements that no actions occur which cannot be audited.
If this is the case, then auditd
can be configured to halt the machine
if it runs out of space. Note: Since older logs are rotated,
configuring auditd
this way does not prevent older logs from being
rotated away before they can be viewed.
If your system is configured to halt when logging cannot be performed, make
sure this can never happen under normal circumstances! Ensure that
/var/log/audit
is on its own partition, and that this partition is
larger than the maximum amount of data auditd
will retain
normally.
References
link | previous | next | up | toc | home
2.5.2.a. Configure auditd Number of Logs Retained
Determine how many log files
auditd
should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf
. Add or modify the following
line, substituting NUMLOGS with the correct value of 5:
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems.
Note that values less than 2 result in no log rotation.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
References
2.5.2.b. Configure auditd Max Log File Size
Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf
. Add or modify the following line, substituting
the correct value of 6 for STOREMB:
max_log_file = STOREMB
Set the value to 6
(MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data.
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
References
2.5.2.c. Configure auditd max_log_file_action Upon Reaching Maximum Log Size
The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd
, add or correct the line in /etc/audit/auditd.conf
:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf
man
page. These include:
-
ignore
-
syslog
-
suspend
-
rotate
-
keep_logs
Set the ACTION
to rotate
to ensure log rotation
occurs. This is the default. The setting is case-insensitive.
Automatically rotating logs (by setting this to rotate
)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs
can be employed.
References
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-4. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-11. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.5.2.d. Configure auditd space_left Action on Low Disk Space
The auditd
service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf
. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf
man page.
These include:
-
ignore
-
syslog
-
email
-
exec
-
suspend
-
single
-
halt
Set this to email
(instead of the default,
which is suspend
) as it is more likely to get prompt attention. Acceptable values
also include suspend
, single
, and halt
.
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
References
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-4. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 140. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 143. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.2.e. Configure auditd admin_space_left Action on Low Disk Space
The auditd
service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf
. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single
to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend
and
halt
. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf
man page.
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
References
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-4. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-5(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 140. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1343. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.2.f. Configure auditd mail_acct Action on Low Disk Space
The auditd
service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf
to ensure that administrators are notified
via email for those situations:
action_mail_acct = root
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
References
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-4. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-5(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 139. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 144. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.2.g. Configure auditd flush priority
The auditd
service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in /etc/audit/auditd.conf
to ensure that audit event data is
fully synchronized with the log files on the disk:
flush = data
Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.
References
2.5.2.h. Configure auditd to use audispd's syslog plugin
To configure the auditd
service to use the
syslog
plug-in of the audispd
audit event multiplexor, set
the active
line in /etc/audisp/plugins.d/syslog.conf
to
yes
. Restart the auditd
service:
$ sudo service auditd restart
The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server
References
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-3(2). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 136. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3. Configure auditd Rules for Comprehensive Auditing
The auditd
program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full
description of the auditing system's capabilities is beyond the
scope of this guide. The mailing list linux-audit@redhat.com exists
to facilitate community discussion of the auditing system.
The audit subsystem supports extensive collection of events, including:
-
Tracing of arbitrary system calls (identified by name or number) on entry or exit.
-
Filtering by PID, UID, call success, system call argument (with some limitations), etc.
-
Monitoring of specific files for modifications to the file's contents or metadata.
Auditing rules at startup are controlled by the file /etc/audit/audit.rules
.
Add rules to it to meet the auditing requirements for your organization.
Each line in /etc/audit/audit.rules
represents a series of arguments
that can be passed to auditctl
and can be individually tested
during runtime. See documentation in /usr/share/doc/audit-VERSION
and
in the related man pages for more details.
If copying any example audit rulesets from /usr/share/doc/audit-VERSION
,
be sure to comment out the
lines containing arch=
which are not appropriate for your system's
architecture. Then review and understand the following rules,
ensuring rules are activated as needed for the appropriate
architecture.
After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
$ sudo service auditd restart
link | previous | next | up | toc | home
2.5.3.a. Record Events that Modify User/Group Information
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules
file,
in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules
in the directory /etc/audit/rules.d
,
in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
References
- AC-2(4). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 18. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1403. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1404. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1405. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1684. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1683. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1685. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1686. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.b. Record Events that Modify the System's Network Environment
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules
file,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules
in the directory /etc/audit/rules.d
,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.5.3.c. System Audit Logs Must Have Mode 0640 or Less Permissive
Change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file
If users can write to audit logs, audit trails can be modified or destroyed.
References
- AC-6. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-9. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- . URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.d. System Audit Logs Must Be Owned By Root
To properly set the owner of /var/log
, run the command:
$ sudo chown root /var/log
Failure to give ownership of the audit log files to root allows the designated owner, and unauthorized users, potential access to sensitive information.
References
- AC-6. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-9. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 166. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.e. Record Events that Modify the System's Mandatory Access Controls
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules
file:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-w /etc/selinux/ -p wa -k MAC-policy
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.5.3.f. Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users
and root. If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules
file in
order to watch for attempted manual edits of files involved in storing logon
events:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules
in the directory /etc/audit/rules.d
in order to watch for attempted manual edits of files involved in storing logon
events:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.5.3.g. Record Attempts to Alter Process and Session Initiation Information
The audit system already collects process information for all
users and root. If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules
file in
order to watch for attempted manual edits of files involved in storing such
process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules
in the directory /etc/audit/rules.d
in order to watch for attempted manual edits of files involved in storing such
process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.5.3.h. Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
At a minimum the audit system should collect unauthorized file
accesses for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following lines to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.i. Ensure auditd Collects Information on the Use of Privileged Commands
At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup (the default), add a line of
the following form to /etc/audit/audit.rules
for each setuid / setgid
program on the system, replacing the SETUID_PROG_PATH part with the full
path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add a line of the following
form to a file with suffix .rules
in the directory
/etc/audit/rules.d
for each setuid / setgid program on the system,
replacing the SETUID_PROG_PATH part with the full path of that setuid /
setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(4). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 40. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.j. Ensure auditd Collects Information on Exporting to Media (successful)
At a minimum the audit system should collect media exportation
events for all users and root. If the auditd
daemon is configured to
use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.k. Ensure auditd Collects File Deletion Events by User
At a minimum the audit system should collect file deletion events
for all users and root. If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules
file,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.l. Ensure auditd Collects System Administrator Actions
At a minimum the audit system should collect administrator actions
for all users and root. If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the default),
add the following line to /etc/audit/audit.rules
file:
-w /etc/sudoers -p wa -k actions
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-w /etc/sudoers -p wa -k actions
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
References
- AC-2(7)(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.m. Ensure auditd Collects Information on Kernel Module Loading and Unloading
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup (the default), add the following
lines to /etc/audit/audit.rules
file in order to capture kernel module loading
and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
If the auditd
daemon is configured to use the augenrules
program to
read audit rules during daemon startup, add the following lines to a file with suffix
.rules
in the directory /etc/audit/rules.d
to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for
your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.n. Make the auditd Configuration Immutable
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules
file in
order to make the auditd configuration immutable:
-e 2
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
in
order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation
References
- AC-6. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
2.5.3.15. Records Events that Modify Date and Time Information
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time. All changes to the system time should be audited.
link | previous | next | up | toc | home
2.5.3.15.a. Record attempts to alter time through adjtimex
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1487. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 169. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.15.b. Record attempts to alter time through settimeofday
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1487. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 169. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.15.c. Record Attempts to Alter Time Through stime
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules
file
for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -k audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
auditd
daemon is configured to use the augenrules
program to
read audit rules during daemon startup, add the following line to a file with
suffix .rules
in the directory /etc/audit/rules.d
for both
32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -k audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1487. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 169. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.15.d. Record Attempts to Alter Time Through clock_settime
If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1487. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 169. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.15.e. Record Attempts to Alter the localtime File
If the auditd
daemon is configured to use the
auditctl
utility to read audit rules during daemon startup (the default),
add the following line to /etc/audit/audit.rules
file:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used.
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 1487. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 169. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16. Record Events that Modify the System's Discretionary Access Controls
At a minimum the audit system should collect file permission
changes for all users and root. Note that the "-F arch=b32" lines should be
present even on a 64 bit system. These commands identify system calls for
auditing. Even if the system is 64 bit it can still execute 32 bit system
calls. Additionally, these rules can be configured in a number of ways while
still achieving the desired effect. An example of this is that the "-S" calls
could be split up and placed on separate lines, however, this is less efficient.
Add the following to /etc/audit/audit.rules
:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If your system is 64 bit then these lines should be duplicated and the
arch=b32 replaced with arch=b64 as follows:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
link | previous | next | up | toc | home
2.5.3.16.a. Record Events that Modify the System's Discretionary Access Controls - chmod
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured to
use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.b. Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured to
use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.c. Record Events that Modify the System's Discretionary Access Controls - fchmod
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured to
use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.d. Record Events that Modify the System's Discretionary Access Controls - fchmodat
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured to
use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.e. Record Events that Modify the System's Discretionary Access Controls - fchown
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.f. Record Events that Modify the System's Discretionary Access Controls - fchownat
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.g. Record Events that Modify the System's Discretionary Access Controls - fremovexattr
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.h. Record Events that Modify the System's Discretionary Access Controls - fsetxattr
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.i. Record Events that Modify the System's Discretionary Access Controls - lchown
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.j. Record Events that Modify the System's Discretionary Access Controls - lremovexattr
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.k. Record Events that Modify the System's Discretionary Access Controls - lsetxattr
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.l. Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
2.5.3.16.m. Record Events that Modify the System's Discretionary Access Controls - setxattr
At a minimum the audit system should collect file permission
changes for all users and root. If the auditd
daemon is configured
to use the auditctl
utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
References
- AC-17(7). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-1(b). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-2(d). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(a). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- AU-12(c). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IR-5. URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 126. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3. Services
The best protection against vulnerable software is running less software. This
section describes how to review the software which Fedora installs on a system
and disable software which is not needed. It then enumerates the software
packages installed on a default Fedora system and provides guidance about which
ones can be safely disabled.
Fedora provides a convenient minimal install option that essentially installs
the bare necessities for a functional system. When building Fedora servers, it
is highly recommended to select the minimal packages and then build up the
system from there.
Table of Contents
- 3.1. SSH Server
- 3.2. Network Time Protocol
- 3.3. Audit Deamon
-
3.4. FTP Server
- 3.4.1. Disable vsftpd if Possible
- 3.4.2. Use vsftpd to Provide FTP Service if Necessary
- 3.4.3. Use vsftpd to Provide FTP Service if Necessary
- 3.5. SNMP Server
-
3.6. NFS and RPC
- 3.6.1. Disable All NFS Services if Possible
- 3.6.2. Configure All Machines which Use NFS
- 3.6.3. Configure NFS Clients
-
3.6.4. Configure NFS Servers
- 3.6.4.a. Use Root-Squashing on All Exports
- 3.6.4.b. Restrict NFS Clients to Privileged Ports
- 3.6.4.c. Ensure Insecure File Locking is Not Allowed
- 3.6.4.4. Configure the Exports File Restrictively
- 3.6.4.5. Use Access Lists to Enforce Authorization Restrictions
- 3.6.4.6. Export Filesystems Read-Only if Possible
link | previous | next | up | toc | home
3.1. SSH Server
The SSH protocol is recommended for remote login and remote file
transfer. SSH provides confidentiality and integrity for data exchanged between
two systems, as well as server authentication, through the use of public key
cryptography. The implementation included with the system is called OpenSSH,
and more detailed documentation is available from its website,
http://www.openssh.org. Its server program is called sshd
and
provided by the RPM package openssh-server
.
link | previous | next | up | toc | home
3.1.1. Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes
should be made to the OpenSSH daemon configuration file
/etc/ssh/sshd_config
. The following recommendations can be applied
to this file. See the sshd_config(5)
man page for more detailed
information.
link | previous | next | up | toc | home
3.1.1.a. SSH Root Login Disabled
The root user should never be allowed to login to a system
directly over a network. To disable root login via SSH, add or correct the
following line in /etc/ssh/sshd_config
:
PermitRootLogin no
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Remediation script
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
fi
fi
References
- AC-6(2). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- IA-2(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 770. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.1.1.b. SSH Access via Empty Passwords Disabled
To explicitly disallow remote login from accounts with empty
passwords, add or correct the following line in /etc/ssh/sshd_config
:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM
configuration should prevent users from being able to assign themselves empty
passwords.
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Remediation script
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitEmptyPasswords directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_EMPTY_PASSWORDS=$(sed -n '/^[[:space:]]*PermitEmptyPasswords[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Append 'PermitEmptyPasswords no' at the end of $SSHD_CONFIG
echo -e "\nPermitEmptyPasswords no" >> $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_EMPTY_PASSWORDS" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
fi
fi
References
- 765. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 766. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.1.1.c. SSH Idle Timeout Interval Used
SSH allows administrators to set an idle timeout interval.
After this interval has passed, the idle user will be automatically logged out.
To set an idle timeout interval, edit the /etc/ssh/sshd_config
file,
locate the following line:
ClientAliveInterval INTERVAL
and correct it to have the form of:
ClientAliveInterval 300
The timeout INTERVAL is given in seconds. To have a timeout of 15
minutes, set INTERVAL to 900.
If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.
Remediation script
sshd_idle_timeout_value="300"
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveInterval directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG
echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
fi
fi
References
- 879. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1133. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.1.1.d. SSH Client Alive Count Used
To ensure the SSH idle timeout occurs precisely when the
ClientAliveCountMax
is set, edit /etc/ssh/sshd_config
as
follows:
ClientAliveCountMax 0
This ensures a user login will be terminated as soon as the
ClientAliveCountMax
is reached.
Remediation script
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveCountMax directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG
echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
fi
fi
References
- 879. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
- 1133. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.2. Network Time Protocol
The Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of machines, and that their time is consistent with the
outside world.
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a
public timeserver (or one provided by your enterprise) provides globally
accurate timestamps which may be essential in investigating or responding to
an attack which originated outside of your network.
A typical network setup involves a small number of internal systems operating as NTP
servers, and the remainder obtaining time information from those
internal servers.
More information on how to configure the NTP server software,
including configuration of cryptographic authentication for
time data, is available at http://www.ntp.org.
link | previous | next | up | toc | home
3.2.a. Enable the Chrony Daemon
The ntpd
service can be enabled with the following command:
$ sudo systemctl enable ntpd.service
Enabling the chronyd
service ensures that the chronyd
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
The chrony daemon offers all of the functionality of ntpdate
, which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate
Remediation script
#
# Install chrony package if necessary
#
yum -y install chrony
#
# Enable chronyd service (for current systemd target)
#
systemctl enable chronyd.service
#
# Start chronyd if not currently running
#
systemctl start chronyd.service
References
- AU-8(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 160. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.2.b. Specify a Remote NTP Server
To specify a remote NTP server for time synchronization, edit
the file /etc/chrony.conf
. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time
data.
Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.
References
- AU-8(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 160. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.2.c. Specify Additional Remote NTP Servers
Additional NTP servers can be specified for time synchronization
in the file /etc/chrony.conf
. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
ntpserver:
server ntpserver
Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.
References
3.3. Audit Deamon
The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.
link | previous | next | up | toc | home
3.3.a. Enable the Audit Daemon
The audit
service can be enabled with the following command:
$ sudo systemctl enable audit.service
Enabling the auditd
service ensures that The Linux Audit system is capable
to watch the system and generate log entries.
References
- AU-8(1). URL: <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf>.
- 160. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.4. FTP Server
FTP is a common method for allowing remote access to
files. Like telnet, the FTP protocol is unencrypted, which means
that passwords and other data transmitted during the session can be
captured and that the session is vulnerable to hijacking.
Therefore, running the FTP server software is not recommended.
However, there are some FTP server configurations which may
be appropriate for some environments, particularly those which
allow only read-only anonymous access as a means of downloading
data available to the public.
link | previous | next | up | toc | home
3.4.1. Disable vsftpd if Possible
link | previous | next | up | toc | home
3.4.1.a. Disable vsftpd Service
The vsftpd
service can be disabled with the following command:
$ sudo systemctl disable vsftpd.service
Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.
References
3.4.1.b. Uninstall vsftpd Package
The vsftpd
package can be removed with the following command:
$ sudo yum erase vsftpd
Removing the vsftpd package decreases the risk of its accidental activation.
References
3.4.2. Use vsftpd to Provide FTP Service if Necessary
link | previous | next | up | toc | home
3.4.2.a. Install vsftpd Package
If this machine must operate as an FTP server, install the vsftpd
package via the standard channels.
# yum install vsftpd
After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended.
References
3.4.3. Use vsftpd to Provide FTP Service if Necessary
The primary vsftpd configuration file is
/etc/vsftpd.conf
, if that file exists, or
/etc/vsftpd/vsftpd.conf
if it does not.
link | previous | next | up | toc | home
3.4.3.a. Enable Logging of All FTP Transactions
Add or correct the following configuration options within the vsftpd
configuration file, located at /etc/vsftpd/vsftpd.conf
:
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
If verbose logging to vsftpd.log
is done, sparse logging of downloads to /var/log/xferlog
will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.log
To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log
format. The default vsftpd log file is /var/log/vsftpd.log
.
3.4.3.b. Create Warning Banners for All FTP Users
Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf
by default. Add or correct the following configuration options:
banner_file=/etc/issue
This setting will cause the system greeting banner to be used for FTP connections as well.
3.4.3.c. Disable FTP Uploads if Possible
Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options:
write_enable=NO
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions
as much as possible.
Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory.
3.4.3.d. Place the FTP Home Directory on its Own Partition
By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition.
If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services.
3.4.3.5. Restrict the Set of Users Allowed to Access FTP
This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an identified need for this access.
link | previous | next | up | toc | home
3.4.3.5.a. Restrict Access to Anonymous Users if Possible
Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
local_enable=NO
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure
these logins as much as possible.
The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.
3.4.3.5.2. Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
Edit the file /etc/vsftp.ftpusers
. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
USERNAME
If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers
as well.
anonymous
ftp
Historically, the file /etc/ftpusers
contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist deny=NO
is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.
3.4.3.6. Configure Firewalls to Protect the FTP Server
By default, iptables
blocks access to the ports used by the web server.
To configure iptables
to allow port
21 traffic one must edit
/etc/sysconfig/iptables
and
/etc/sysconfig/ip6tables
(if IPv6 is in use).
Add the following line, ensuring that it appears before the final LOG
and DROP lines for the INPUT chain:
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Edit the file /etc/sysconfig/iptables-config
. Ensure that the space-separated list of modules contains
the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
These settings configure iptables to allow connections to an FTP server. The first line allows initial connections
to the FTP server port.
FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp
module is used by
iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
FTP server to operate on a machine which is running a firewall.
3.5. SNMP Server
The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintext transmission of the community string (used for authentication) and usage of easily-guessable choices for the community string.
link | previous | next | up | toc | home
3.5.1. Disable SNMP Server if Possible
The system includes an SNMP daemon that allows for its remote monitoring, though it not installed by default. If it was installed and activated but is not needed, the software should be disabled and removed.
link | previous | next | up | toc | home
3.5.1.a. Disable snmpd Service
The snmpd
service can be disabled with the following command:
$ sudo systemctl disable snmpd.service
Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.
3.5.1.b. Uninstall net-snmp Package
The net-snmp
package provides the snmpd service.
The net-snmp
package can be removed with the following command:
$ sudo yum erase net-snmp
If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.
Remediation script
if rpm -qa | grep -q net-snmp; then
yum -y remove net-snmp
fi
3.5.2. Configure SNMP Server if Necessary
If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here so only the following general configuration advice can be offered:
-
use only SNMP version 3 security models and enable the use of authentication and encryption
-
write access to the MIB (Management Information Base) should be allowed only if necessary
-
all access to the MIB should be restricted following a principle of least privilege
-
network access should be limited to the maximum extent possible including restricting to expected network addresses both in the configuration files and in the system firewall rules
-
ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations
-
ensure that permissions on the
snmpd.conf
configuration file (by default, in/etc/snmp
) are 640 or more restrictive -
ensure that any MIB files' permissions are also 640 or more restrictive
link | previous | next | up | toc | home
3.5.2.a. Configure SNMP Service to Use Only SNMPv3 or Newer
Edit /etc/snmp/snmpd.conf
, removing any references to rocommunity
, rwcommunity
, or com2sec
.
Upon doing that, restart the SNMP service:
# service snmpd restart
Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.
3.5.2.b. Ensure Default Password Is Not Used
Edit /etc/snmp/snmpd.conf
, remove default community string public
.
Upon doing that, restart the SNMP service:
# service snmpd restart
Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.
3.6. NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NFS and its dependencies, and then details steps which should be taken to secure NFS's configuration. This section is relevant to machines operating as NFS clients, as well as to those operating as NFS servers.
link | previous | next | up | toc | home
3.6.1. Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.
The steps in this section will prevent a machine from operating as either an NFS client or an NFS server. Only perform these steps on machines which do not need NFS at all.
link | previous | next | up | toc | home
3.6.1.1. Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
All of these daemons run with elevated privileges, and many listen for network
connections. If they are not needed, they should be disabled to improve system
security posture.
link | previous | next | up | toc | home
3.6.1.1.a. Disable Network File System Lock Service (nfslock)
The Network File System Lock (nfslock) service starts the required
remote procedure call (RPC) processes which allow clients to lock files on the
server. If the local machine is not configured to mount NFS filesystems then
this service should be disabled.
The nfslock
service can be disabled with the following command:
$ sudo systemctl disable nfslock.service
3.6.1.1.b. Disable Secure RPC Client Service (rpcgssd)
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client-side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled.
The rpcgssd
service can be disabled with the following command:
$ sudo systemctl disable rpcgssd.service
3.6.1.1.c. Disable RPC ID Mapping Service (rpcidmapd)
The rpcidmapd service is used to map user names and groups to UID
and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
this service should be disabled.
The rpcidmapd
service can be disabled with the following command:
$ sudo systemctl disable rpcidmapd.service
3.6.1.2. Disable netfs if Possible
To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command:
# mount -t nfs,nfs4,smbfs,cifs,ncpfs
If the command did not return any output then disable netfs.
link | previous | next | up | toc | home
3.6.1.2.a. Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types
of networked filesystems, of which NFS and Samba are the most common. If these
filesystem types are not in use, the script can be disabled, protecting the
system somewhat against accidental or malicious changes to /etc/fstab
and against flaws in the netfs script itself.
The netfs
service can be disabled with the following command:
$ sudo systemctl disable netfs.service
3.6.2. Configure All Machines which Use NFS
The steps in this section are appropriate for all machines which run NFS, whether they operate as clients or as servers.
link | previous | next | up | toc | home
3.6.2.1. Make Each Machine a Client or a Server, not Both
If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary security exposure. Due to the reliability and security problems caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for machines which act as NFS servers to also mount filesystems via NFS. At the least, crossed mounts (the situation in which each of two servers mounts a filesystem from the other) should never be used.
3.6.2.2. Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
Firewalling should be done at each host and at the border
firewalls to protect the NFS daemons from remote access, since NFS servers
should never be accessible from outside the organization. However, by default
for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
dynamically at service startup time. Dynamic ports cannot be protected by port
filtering firewalls such as iptables.
Therefore, restrict each service to always use a given port, so that
firewalling can be done effectively. Note that, because of the way RPC is
implemented, it is not possible to disable the RPC Bind service even if ports
are assigned statically to all RPC services.
In NFSv4, the mounting and locking protocols have been incorporated into the
protocol, and the server listens on the the well-known TCP port 2049. As such,
NFSv4 does not need to interact with the rpcbind, lockd, and rpc.statd
daemons, which can and should be disabled in a pure NFSv4 environment. The
rpc.mountd
daemon is still required on the NFS server to setup
exports, but is not involved in any over-the-wire operations.
link | previous | next | up | toc | home
3.6.2.2.a. Configure lockd to use static TCP port
Configure the lockd
daemon to use a static TCP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs
. Add or correct the following line:
LOCKD_TCPPORT=lockd-port
Where lockd-port
is a port which is not used by any other service on
your network.
Restrict service to always use a given port, so that firewalling can be done effectively.
3.6.2.2.b. Configure lockd to use static UDP port
Configure the lockd
daemon to use a static UDP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs
. Add or correct the following line:
LOCKD_UDPPORT=lockd-port
Where lockd-port
is a port which is not used by any other service on
your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
3.6.2.2.c. Configure statd to use static port
Configure the statd
daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs
. Add or correct the following line:
STATD_PORT=statd-port
Where statd-port
is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
3.6.2.2.d. Configure mountd to use static port
Configure the mountd
daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs
. Add or correct the following line:
MOUNTD_PORT=statd-port
Where mountd-port
is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
3.6.3. Configure NFS Clients
The steps in this section are appropriate for machines which operate as NFS clients.
link | previous | next | up | toc | home
3.6.3.1. Disable NFS Server Daemons
There is no need to run the NFS server daemons nfs
and
rpcsvcgssd
except on a small number of properly secured machines
designated as NFS servers. Ensure that these daemons are turned off on
clients.
link | previous | next | up | toc | home
3.6.3.1.a. Specify UID and GID for Anonymous NFS Connections
To specify the UID and GID for remote root users, edit the /etc/exports
file and add the following for each export:
anonuid=-1
anongid=-1
Specifying the anonymous UID and GID as -1 ensures that the remote root user is mapped to a local account which has no permissions on the system.
3.6.3.1.b. Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local machine. If the local machine
is not designated as a NFS server then this service should be disabled.
The nfs
service can be disabled with the following command:
$ sudo systemctl disable nfs.service
Unnecessary services should be disabled to decrease the attack surface of the system.
3.6.3.1.c. Disable Secure RPC Server Service (rpcsvcgssd)
The rpcsvcgssd service manages RPCSEC GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server-side of RPCSEC GSS. If the system does not require secure
RPC then this service should be disabled.
The rpcsvcgssd
service can be disabled with the following command:
$ sudo systemctl disable rpcsvcgssd.service
Unnecessary services should be disabled to decrease the attack surface of the system.
3.6.3.2. Mount Remote Filesystems with Restrictive Options
Edit the file /etc/fstab
. For each filesystem whose type
(column 3) is nfs
or nfs4
, add the text
,nodev,nosuid
to the list of mount options in column 4. If
appropriate, also add ,noexec
.
See the section titled "Restrict Partition Mount Options" for a description of
the effects of these options. In general, execution of files mounted via NFS
should be considered risky because of the possibility that an adversary could
intercept the request and substitute a malicious file. Allowing setuid files to
be executed from remote servers is particularly risky, both for this reason and
because it requires the clients to extend root-level trust to the NFS
server.
link | previous | next | up | toc | home
3.6.3.2.a. Mount Remote Filesystems with nodev
Add the nodev
option to the fourth column of
/etc/fstab
for the line which controls mounting of
any NFS mounts.
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
3.6.3.2.b. Mount Remote Filesystems with nosuid
Add the nosuid
option to the fourth column of
/etc/fstab
for the line which controls mounting of
any NFS mounts.
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
3.6.4. Configure NFS Servers
The steps in this section are appropriate for machines which operate as NFS servers.
link | previous | next | up | toc | home
3.6.4.a. Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
Ensure that no line in /etc/exports
contains the option no_root_squash
.
If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system.
3.6.4.b. Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not be changed.
To ensure that the default has not been changed, ensure no line in
/etc/exports
contains the option insecure
.
Allowing client requests to be made from ports higher than 1024 could allow a unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server.
3.6.4.c. Ensure Insecure File Locking is Not Allowed
By default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests, however, there are a few
clients that do not send credentials when requesting a file-lock, allowing the
client to only be able to lock world-readable files. To get around this, the
insecure_locks
option can be used so these clients can access the
desired export. This poses a security risk by potentially allowing the client
access to data for which it does not have authorization.
Remove any instances of the
insecure_locks
option from the file /etc/exports
.
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
References
- 764. URL: <http://iase.disa.mil/stigs/cci/Pages/index.aspx>.
3.6.4.4. Configure the Exports File Restrictively
Linux's NFS implementation uses the file /etc/exports
to control what filesystems
and directories may be accessed via NFS. (See the exports(5)
manpage for more information about the
format of this file.)
The syntax of the exports
file is not necessarily checked fully on reload, and syntax errors
can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
the file.
The syntax of each line in /etc/exports
is:
/DIR host1(opt1,opt2) host2(opt3)
where /DIR
is a directory or filesystem to export, hostN
is an IP address, netblock,
hostname, domain, or netgroup to which to export, and optN
is an option.
3.6.4.5. Use Access Lists to Enforce Authorization Restrictions
When configuring NFS exports, ensure that each export line in /etc/exports
contains
a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
then that export is available to any remote host which requests it. All lines of the exports file should
specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
unknown or remote hosts will be denied.
Authorized hosts can be specified in several different formats:
-
Name or alias that is recognized by the resolver
-
Fully qualified domain name
-
IP address
-
IP subnets in the format
address/netmask
oraddress/CIDR
3.6.4.6. Export Filesystems Read-Only if Possible
If a filesystem is being exported so that users can view the files in a convenient
fashion, but there is no need for users to edit those files, exporting the filesystem read-only
removes an attack vector against the server. The default filesystem export mode is ro
,
so do not specify rw
without a good reason.
Rule Selection
Based on profile: Common Profile for General-Purpose Fedora Systems (common)
This profile contains items common to general-purpose Fedora installations.
Colophon
Red Hat and Fedora are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.