contains 94 rules |
System Settingsgroup |
contains 65 rules |
Installing and Maintaining SoftwaregroupThe following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates. |
contains 9 rules |
Disk PartitioninggroupTo ensure separation and protection of data, there
are top-level system directories which should be placed on their
own physical partition or logical volume. The installer's default
partitioning scheme creates separate logical volumes for
/, /boot, and swap.
If starting with any of the default layouts, check the box to
"Review and modify partitioning." This allows for the easy creation
of additional logical volumes inside the volume group already
created, though it may require making /'s logical volume smaller to
create space. In general, using logical volumes is preferable to
using partitions because they can be more easily adjusted
later.If creating a custom layout, create the partitions mentioned in
the previous paragraph (which the installer will require anyway),
as well as separate ones described in the following sections.
If a system has already been installed, and the default
partitioning scheme was used, it is possible but nontrivial to
modify it to create separate logical volumes for the directories
listed above. The Logical Volume Manager (LVM) makes this possible.
See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more
detailed information on LVM. |
contains 4 rules |
Ensure /tmp Located On Separate Partitionrule
The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
identifiers:
CCE-26435-8, DISA FSO RHEL-06-000001 references:
SC-32, 1208, Test attestation on 20120928 by MM |
Ensure /var Located On Separate PartitionruleThe /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.
identifiers:
CCE-26639-5, DISA FSO RHEL-06-000002 references:
SC-32, 1208, Test attestation on 20120928 by MM |
Ensure /var/log Located On Separate Partitionrule
System logs are stored in the /var/log directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
identifiers:
CCE-26215-4, DISA FSO RHEL-06-000003 references:
AU-9, SC-32, 1208, Test attestation on 20120928 by MM |
Ensure /var/log/audit Located On Separate Partitionrule
Audit logs are stored in the /var/log/audit directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
identifiers:
CCE-26436-6, DISA FSO RHEL-06-000004 references:
AU-4, AU-9, SC-32, 137, 138, 1208, Test attestation on 20120928 by MM |
Updating SoftwaregroupThe yum command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the System menu, in the Administration submenu,
called Software Update.
Red Hat Enterprise Linux systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Consistently using
yum or the graphical Software Update for all software installation
allows for insight into the current inventory of installed software on the system.
|
contains 4 rules |
Ensure Red Hat GPG Key Installedrule
To ensure the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them), the Red Hat GPG key must properly be installed.
To install the Red Hat GPG key, run:
$ sudo rhn_register
If the system is not connected to the Internet or an RHN Satellite,
then install the Red Hat GPG key from trusted media such as
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
in /media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
identifiers:
CCE-26506-6, DISA FSO RHEL-06-000008 references:
SI-7, MA-1(b), 351, Test attestation on 20120928 by MM Remediation script:# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0"
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")
# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
# If they are safe, try to obtain fingerprints from the key file
# (to ensure there won't be e.g. CRC error)
IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}"))
GPG_RESULT=$?
# No CRC error, safe to proceed
if [ "${GPG_RESULT}" -eq "0" ]
then
for ITEM in "${GPG_OUT[@]}"
do
# Filter just hexadecimal fingerprints from gpg's output from
# processing of a key file
RESULT=$(echo ${ITEM} | sed -n "s/[[:space:]]*Key fingerprint = \(.*\)/\1/p" | tr -s '[:space:]')
# If fingerprint matches Red Hat's release 2 or auxiliary key import the key
if [[ ${RESULT} ]] && ([[ ${RESULT} = "${REDHAT_RELEASE_2_FINGERPRINT}" ]] || \
[[ ${RESULT} = "${REDHAT_AUXILIARY_FINGERPRINT}" ]])
then
rpm --import "${REDHAT_RELEASE_KEY}"
fi
done
fi
fi
|
Ensure gpgcheck Enabled In Main Yum ConfigurationruleThe gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1
identifiers:
CCE-26709-6, DISA FSO RHEL-06-000013 references:
SI-7, MA-1(b), 352, 663, Test attestation on 20120928 by MM |
Ensure gpgcheck Enabled For All Yum Package RepositoriesruleTo ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
identifiers:
CCE-26647-8, DISA FSO RHEL-06-000015 references:
SI-7, MA-1(b), 352, 663, Test attestation on 20120928 by MM |
Ensure Software Patches InstalledruleIf the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the Red Hat Network and installed using rpm.
identifiers:
CCE-27635-2, DISA FSO RHEL-06-000011 references:
SI-2, MA-1(b), 1227, 1233, Test attestation on 20120928 by MM |
Software Integrity Checkinggroup
Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.
Integrity checking cannot prevent intrusions,
but can detect that they have occurred. Requirements
for software integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based
approaches such as AIDE may induce considerable overhead
in the presence of frequent software updates.
|
contains 1 rule |
Verify Integrity with AIDEgroupAIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update. AIDE is highly configurable, with further configuration
information located in /usr/share/doc/aide-VERSION.
|
contains 1 rule |
Install AIDErule
Install the AIDE package with the command:
$ sudo yum install aide
identifiers:
CCE-27024-9, DISA FSO RHEL-06-000016 references:
CM-3(d), CM-3(e), CM-6(d), SC-28, SI-7, 1069, Test attestation on 20121024 by DS Remediation script:yum -y install aide
|
File Permissions and MasksgroupTraditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable PART appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for PART in turn.
The following command prints a list of all ext4 partitions on the local
system, which is the default filesystem for Red Hat Enterprise Linux
6 installations:
$ mount -t ext4 | awk '{print $3}'
For any systems that use a different
local filesystem type, modify this command as appropriate.
|
contains 19 rules |
Restrict Dynamic Mounting and Unmounting of
FilesystemsgroupLinux includes a number of facilities for the automated addition
and removal of filesystems on a running system. These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in /etc/modprobe.d.
|
contains 1 rule |
Disable the AutomounterruleThe autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo chkconfig autofs off
identifiers:
CCE-26976-1, DISA FSO RHEL-06-000526 references:
AC-19(a), AC-19(d), AC-19(e), 1250, 85 Remediation script:#
# Disable autofs for all run levels
#
/sbin/chkconfig --level 0123456 autofs off
#
# Stop autofs if currently running
#
/sbin/service autofs stop
|
Verify Permissions on Important Files and
DirectoriesgroupPermissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen. |
contains 16 rules |
Verify Permissions on Files with Local Account Information and CredentialsgroupThe default restrictive permissions for files which act as
important security databases such as passwd, shadow,
group, and gshadow files must be maintained. Many utilities
need read access to the passwd file in order to function properly, but
read access to the shadow file allows malicious attacks against system
passwords, and should never be enabled. |
contains 12 rules |
Verify User Who Owns shadow Filerule
To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow
identifiers:
CCE-26947-2, DISA FSO RHEL-06-000033 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chown root /etc/shadow
|
Verify Group Who Owns shadow Filerule
To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow
identifiers:
CCE-26967-0, DISA FSO RHEL-06-000034 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chgrp root /etc/shadow
|
Verify Permissions on shadow Filerule
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
identifiers:
CCE-26992-8, DISA FSO RHEL-06-000035 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chmod 0000 /etc/shadow
|
Verify User Who Owns group Filerule
To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group
identifiers:
CCE-26822-7, DISA FSO RHEL-06-000042 references:
AC-6, Test attestation on 20121026 by DS Remediation script:chown root /etc/group
|
Verify Group Who Owns group Filerule
To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
identifiers:
CCE-26930-8, DISA FSO RHEL-06-000043 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chgrp root /etc/group
|
Verify Permissions on group Filerule
To properly set the permissions of /etc/group, run the command:
$ sudo chmod 644 /etc/group
identifiers:
CCE-26954-8, DISA FSO RHEL-06-000044 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chmod 644 /etc/group
|
Verify User Who Owns gshadow Filerule
To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow
identifiers:
CCE-27026-4, DISA FSO RHEL-06-000036 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chown root /etc/gshadow
|
Verify Group Who Owns gshadow Filerule
To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
identifiers:
CCE-26975-3, DISA FSO RHEL-06-000037 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chgrp root /etc/gshadow
|
Verify Permissions on gshadow Filerule
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
identifiers:
CCE-26951-4, DISA FSO RHEL-06-000038 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chmod 0000 /etc/gshadow
|
Verify User Who Owns passwd Filerule
To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd
identifiers:
CCE-26953-0, DISA FSO RHEL-06-000039 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chown root /etc/passwd
|
Verify Group Who Owns passwd Filerule
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
identifiers:
CCE-26856-5, DISA FSO RHEL-06-000040 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chgrp root /etc/passwd
|
Verify Permissions on passwd Filerule
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
identifiers:
CCE-26868-0, DISA FSO RHEL-06-000041 references:
AC-6, 225, Test attestation on 20121026 by DS Remediation script:chmod 0644 /etc/passwd
|
Verify File Permissions Within Some Important DirectoriesgroupSome directories contain files whose confidentiality or integrity
is notably important and may also be susceptible to misconfiguration over time, particularly if
unpackaged software is installed. As such,
an argument exists to verify that files' permissions within these directories remain
configured correctly and restrictively.
|
contains 4 rules |
Verify that Shared Library Files Have Restrictive PermissionsruleSystem-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE
identifiers:
CCE-27381-3, DISA FSO RHEL-06-000045 references:
AC-6, 1499, Test attestation on 20121026 by DS Remediation script:DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
find $dirPath -perm /022 -type f -exec chmod go-w '{}' \;
done
|
Verify that Shared Library Files Have Root OwnershipruleSystem-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE
identifiers:
CCE-27424-1, DISA FSO RHEL-06-000046 references:
AC-6, 1499, Test attestation on 20130914 by swells Remediation script:for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
do
if [ -d $LIBDIR ]
then
find -L $LIBDIR \! -user root -exec chown root {} \;
fi
done
|
Verify that System Executables Have Restrictive Permissionsrule
System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE
identifiers:
CCE-27289-8, DISA FSO RHEL-06-000047 references:
AC-6, 1499 Remediation script:DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin"
for dirPath in $DIRS; do
find $dirPath -perm /022 -exec chmod go-w '{}' \;
done
|
Verify that System Executables Have Root Ownershiprule
System executables are stored in the following directories by default:
/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE
identifiers:
CCE-27623-8, DISA FSO RHEL-06-000048 references:
AC-6, 1499 Remediation script:find /bin/ \
/usr/bin/ \
/usr/local/bin/ \
/sbin/ \
/usr/sbin/ \
/usr/local/sbin/ \
\! -user root -execdir chown root {} \;
|
Restrict Programs from Dangerous Execution PatternsgroupThe recommendations in this section are designed to
ensure that the system's features to protect against potentially
dangerous program execution are activated.
These protections are applied at the system initialization or
kernel level, and defend against certain types of badly-configured
or compromised programs. |
contains 2 rules |
Enable ExecShieldgroupExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default and
controlled through sysctl variables kernel.exec-shield and
kernel.randomize_va_space.
|
contains 2 rules |
Enable ExecShieldrule
To set the runtime status of the kernel.exec-shield kernel parameter,
run the following command:
$ sudo sysctl -w kernel.exec-shield=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.exec-shield = 1
identifiers:
CCE-27007-4, DISA FSO RHEL-06-000079 references:
SC-39, 2530, Test attestation on 20121024 by DS Remediation script:#
# Set runtime for kernel.exec-shield
#
/sbin/sysctl -q -n -w kernel.exec-shield=1
#
# If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
#
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then
sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf
else
echo -e "\n# Set kernel.exec-shield to 1 per security requirements" >> /etc/sysctl.conf
echo "kernel.exec-shield = 1" >> /etc/sysctl.conf
fi
|
Enable Randomized Layout of Virtual Address Spacerule
To set the runtime status of the kernel.randomize_va_space kernel parameter,
run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
identifiers:
CCE-26999-3, DISA FSO RHEL-06-000078 references:
SC-30(2), Test attestation on 20121024 by DS Remediation script:#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space=2
#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
if grep --silent ^kernel.randomize_va_space /etc/sysctl.conf ; then
sed -i 's/^kernel.randomize_va_space.*/kernel.randomize_va_space = 2/g' /etc/sysctl.conf
else
echo -e "\n# Set kernel.randomize_va_space to 2 per security requirements" >> /etc/sysctl.conf
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
fi
|
SELinuxgroupSELinux is a feature of the Linux kernel which can be
used to guard against misconfigured or compromised programs.
SELinux enforces the idea that programs should be limited in what
files they can access and what actions they can take.
The default SELinux policy, as configured on Red Hat Enterprise Linux 6, has been
sufficiently developed and debugged that it should be usable on
almost any Red Hat machine with minimal configuration and a small
amount of system administrator training. This policy prevents
system services - including most of the common network-visible
services such as mail servers, FTP servers, and DNS servers - from
accessing files which those services have no valid reason to
access. This action alone prevents a huge amount of possible damage
from network attacks against services, from trojaned software, and
so forth.
This guide recommends that SELinux be enabled using the
default (targeted) policy on every Red Hat system, unless that
system has unusual requirements which make a stronger policy
appropriate.
|
contains 4 rules |
Ensure SELinux Not Disabled in /etc/grub.confruleSELinux can be disabled at boot time by an argument in
/etc/grub.conf.
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
identifiers:
CCE-26956-3, DISA FSO RHEL-06-000017 references:
AC-3, AC-3(3), AC-6, AU-9, 22, 32, Test attestation on 20121024 by DS Remediation script:sed -i --follow-symlinks "s/selinux=0//gI" /etc/grub.conf
sed -i --follow-symlinks "s/enforcing=0//gI" /etc/grub.conf
|
Ensure SELinux State is EnforcingruleThe SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
identifiers:
CCE-26969-6, DISA FSO RHEL-06-000020 references:
AC-3, AC-3(3), AC-4, AC-6, AU-9, 22, 32, 26, Test attestation on 20121024 by DS Remediation script:var_selinux_state="enforcing"
grep -q ^SELINUX= /etc/selinux/config && \
sed -i "s/SELINUX=.*/SELINUX=$var_selinux_state/g" /etc/selinux/config
if ! [ $? -eq 0 ]; then
echo "SELINUX=$var_selinux_state" >> /etc/selinux/config
fi
|
Configure SELinux PolicyruleThe SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
identifiers:
CCE-26875-5, DISA FSO RHEL-06-000023 references:
AC-3, AC-3(3), AC-4, AC-6, AU-9, 22, 32, Test attestation on 20121024 by DS Remediation script:var_selinux_policy_name="targeted"
grep -q ^SELINUXTYPE /etc/selinux/config && \
sed -i "s/SELINUXTYPE=.*/SELINUXTYPE=$var_selinux_policy_name/g" /etc/selinux/config
if ! [ $? -eq 0 ]; then
echo "SELINUXTYPE=$var_selinux_policy_name" >> /etc/selinux/config
fi
|
Ensure No Device Files are Unlabeled by SELinuxruleDevice files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type unlabeled_t, investigate the cause and
correct the file's context.
identifiers:
CCE-26774-0, DISA FSO RHEL-06-000025 references:
AC-6, AU-9, CM-7, 22, 32, Test attestation on 20121024 by DS |
Account and Access ControlgroupIn traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under
Red Hat Enterprise Linux 6. |
contains 24 rules |
Protect Accounts by Restricting Password-Based LogingroupConventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the /etc/passwd and
/etc/shadow files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary. |
contains 8 rules |
Restrict Root Loginsgroup
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use su or sudo to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The login program
uses the file /etc/securetty to determine which interfaces
should allow root logins.
The virtual devices /dev/console
and /dev/tty* represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains /dev/vc/*.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Root should also be prohibited from connecting
via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
|
contains 2 rules |
Ensure that System Accounts Do Not Run a Shell Upon Loginrule
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line
in /etc/passwd. System accounts are those user accounts with a user ID less than
500. The user ID is stored in the third field.
If any system account SYSACCT (other than root) has a login shell,
disable it with the command:
$ sudo usermod -s /sbin/nologin SYSACCT
identifiers:
CCE-26966-2 references:
AC-2, 178, Test attestation on 20121024 by DS |
Verify Only Root Has UID 0rule
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
accounts other than root should be removed or have their UID changed.
identifiers:
CCE-26971-2, DISA FSO RHEL-06-000032 references:
AC-6, IA-2(1), 366, Test attestation on 20121024 by DS Remediation script:awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l
|
Verify Proper Storage and Existence of Password
Hashesgroup
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
/etc/shadow. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as /etc/passwd, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
|
contains 2 rules |
Prevent Log In to Accounts With Empty PasswordruleIf an account is configured for password authentication
but does not have an assigned password, it may be possible to log
onto the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth to
prevent logins with empty passwords.
identifiers:
CCE-27038-9, DISA FSO RHEL-06-000030 references:
IA-5(b), IA-5(c), IA-5(1)(a), Test attestation on 20121024 by DS Remediation script:sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth
|
Verify All Account Password Hashes are Shadowedrule
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
identifiers:
CCE-26476-2, DISA FSO RHEL-06-000031 references:
IA-5(h), 201, Test attestation on 20121024 by DS |
Set Password Expiration ParametersgroupThe file /etc/login.defs controls several
password-related settings. Programs such as passwd,
su, and
login consult /etc/login.defs to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page login.defs(5) for more information.
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
PASS_MAX_DAYS and apply it to existing accounts with the
-M flag.
The PASS_MIN_DAYS (-m) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The PASS_WARN_AGE (-W) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
For example, for each existing human user USER, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
$ sudo chage -M 180 -m 7 -W 7 USER
|
contains 4 rules |
Set Password Minimum Length in login.defsruleTo specify password length requirements for new accounts,
edit the file /etc/login.defs and add or correct the following
lines:
PASS_MIN_LEN 6
The DoD requirement is 14.
The FISMA requirement is 12.
If a program consults /etc/login.defs and also another PAM module
(such as pam_cracklib) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
identifiers:
CCE-27002-5, DISA FSO RHEL-06-000050 references:
IA-5(f), IA-5(1)(a), 205, Test attestation on 20121026 by DS Remediation script:var_accounts_password_minlen_login_defs="6"
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN $var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_MIN_LEN $var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
|
Set Password Minimum AgeruleTo specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 7
A value of 1 day is considered for sufficient for many
environments.
The DoD requirement is 1.
identifiers:
CCE-27013-2, DISA FSO RHEL-06-000051 references:
IA-5(f), IA-5(1)(d), 198, Test attestation on 20121026 by DS Remediation script:var_accounts_minimum_age_login_defs="7"
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
|
Set Password Maximum AgeruleTo specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 60
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
identifiers:
CCE-26985-2, DISA FSO RHEL-06-000053 references:
IA-5(f), IA-5(g), IA-5(1)(d), 180, 199, 76, Test attestation on 20121026 by DS Remediation script:var_accounts_maximum_age_login_defs="60"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
|
Set Password Warning AgeruleTo specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGE 7
The DoD requirement is 7.
identifiers:
CCE-26988-6, DISA FSO RHEL-06-000054 references:
AC-2(2), IA-5(f), Test attestation on 20121026 by DS Remediation script:var_accounts_password_warn_age_login_defs="7"
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_WARN_AGE $var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi
|
Protect Accounts by Configuring PAMgroupPAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
PAM looks in the directory /etc/pam.d for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file /etc/pam.d/login
to determine what actions should be taken.
One very important file in /etc/pam.d is
/etc/pam.d/system-auth. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service. |
contains 11 rules |
Set Password Quality RequirementsgroupThe default pam_cracklib PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes.
The pam_passwdqc PAM module also provides the ability to enforce
stringent password strength requirements. It is provided
in an RPM of the same name.
The man pages pam_cracklib(8) and pam_passwdqc(8)
provide information on the capabilities and configuration of
each. |
contains 6 rules |
Set Password Quality Requirements, if using
pam_cracklibgroupThe pam_cracklib PAM module can be configured to meet
requirements for a variety of policies.
For example, to configure pam_cracklib to require at least one uppercase
character, lowercase character, digit, and other (special)
character, locate the following line in /etc/pam.d/system-auth:
password requisite pam_cracklib.so try_first_pass retry=3
and then alter it to read:
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
|
contains 6 rules |
Set Password Retry Prompts Permitted Per-SessionruleTo configure the number of retry prompts that are permitted per-session:
Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to
show retry=3, or a lower value if site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session.
identifiers:
CCE-27123-9 references:
IA-5(c), 1092, Test attestation on 20121024 by DS |
Set Password Strength Minimum Digit CharactersruleThe pam_cracklib module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each digit.
Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.
identifiers:
CCE-26374-9, DISA FSO RHEL-06-000056 references:
IA-5(b), IA-5(c), 194, 194, Test attestation on 20121024 by DS Remediation script:var_password_pam_dcredit="1"
if grep -q "dcredit=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(dcredit *= *\).*/\1$var_password_pam_dcredit/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ dcredit=$var_password_pam_dcredit/" /etc/pam.d/system-auth
fi
|
Set Password Strength Minimum Uppercase CharactersruleThe pam_cracklib module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each uppercase character.
Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.
identifiers:
CCE-26601-5, DISA FSO RHEL-06-000057 references:
IA-5(b), IA-5(c), IA-5(1)(a), 192, Test attestation on 20121024 by DS Remediation script:var_password_pam_ucredit="2"
if grep -q "ucredit=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(ucredit *= *\).*/\1$var_password_pam_ucredit/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ ucredit=$var_password_pam_ucredit/" /etc/pam.d/system-auth
fi
|
Set Password Strength Minimum Special CharactersruleThe pam_cracklib module's ocredit= parameter controls requirements for
usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each special character.
Add ocredit=2 after pam_cracklib.so to require use of a special character in passwords.
identifiers:
CCE-26409-3, DISA FSO RHEL-06-000058 references:
IA-5(b), IA-5(c), IA-5(1)(a), 1619, 266, Test attestation on 20121024 by DS Remediation script:var_password_pam_ocredit="2"
if grep -q "ocredit=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(ocredit *= *\).*/\1$var_password_pam_ocredit/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ ocredit=$var_password_pam_ocredit/" /etc/pam.d/system-auth
fi
|
Set Password Strength Minimum Lowercase CharactersruleThe pam_cracklib module's lcredit= parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each lowercase character.
Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.
identifiers:
CCE-26631-2, DISA FSO RHEL-06-000059 references:
IA-5(b), IA-5(c), IA-5(1)(a), 193, Test attestation on 20121024 by DS Remediation script:var_password_pam_lcredit="2"
if grep -q "lcredit=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(lcredit *= *\).*/\1$var_password_pam_lcredit/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ lcredit=$var_password_pam_lcredit/" /etc/pam.d/system-auth
fi
|
Set Password Strength Minimum Different CharactersruleThe pam_cracklib module's difok parameter controls requirements for
usage of different characters during a password change.
Add difok=3 after pam_cracklib.so to require differing
characters when changing passwords. The DoD requirement is 4.
identifiers:
CCE-26615-5, DISA FSO RHEL-06-000060 references:
IA-5(b), IA-5(c), IA-5(1)(b), 195, Test attestation on 20121024 by DS Remediation script:var_password_pam_difok="3"
if grep -q "difok=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(difok *= *\).*/\1$var_password_pam_difok/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/pam_cracklib.so/ s/$/ difok=$var_password_pam_difok/" /etc/pam.d/system-auth
fi
|
Set Lockouts for Failed Password AttemptsgroupThe pam_faillock PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
/usr/share/doc/pam-VERSION/txts/README.pam_faillock.
|
contains 2 rules |
Set Deny For Failed Password Attemptsrule
To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so, modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
Add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=5 unlock_time=604800 fail_interval=900 Add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=604800 fail_interval=900 Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so
identifiers:
CCE-26844-1, DISA FSO RHEL-06-000061 references:
AC-7(a), 44 Remediation script:var_accounts_passwords_pam_faillock_deny="5"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
# pam_faillock.so already present?
if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
# pam_faillock.so present, deny directive present?
if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
# both pam_faillock.so & deny present, just correct deny directive value
sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
# pam_faillock.so present, but deny directive not yet
else
# append correct deny value to appropriate places
sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
fi
# pam_faillock.so not present yet
else
# insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile
fi
done
|
Limit Password ReuseruleDo not allow users to reuse recent passwords. This can
be accomplished by using the remember option for the pam_unix PAM
module. In the file /etc/pam.d/system-auth, append remember=5 to the
line which refers to the pam_unix.so module, as shown:
password sufficient pam_unix.so existing_options remember=5
The DoD STIG requirement is 5 passwords. identifiers:
CCE-26741-9, DISA FSO RHEL-06-000274 references:
IA-5(f), IA-5(1)(e), 200, Test attestation on 20121024 by DS Remediation script:var_password_pam_unix_remember="5"
if grep -q "remember=" /etc/pam.d/system-auth; then
sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth
else
sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
fi
|
Set Password Hashing AlgorithmgroupThe system's default algorithm for storing password hashes in
/etc/shadow is SHA-512. This can be configured in several
locations. |
contains 3 rules |
Set Password Hashing Algorithm in /etc/pam.d/system-authrule
In /etc/pam.d/system-auth, the password section of
the file controls which PAM modules execute during a password change.
Set the pam_unix.so module in the
password section to include the argument sha512, as shown below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
identifiers:
CCE-26303-8, DISA FSO RHEL-06-000062 references:
IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 803, Test attestation on 20121024 by DS Remediation script:if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then
sed -i --follow-symlink "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
fi
|
Set Password Hashing Algorithm in /etc/login.defsrule
In /etc/login.defs, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
identifiers:
CCE-27228-6, DISA FSO RHEL-06-000063 references:
IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 803, Test attestation on 20121024 by DS Remediation script:if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
echo "" >> /etc/login.defs
echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
fi
|
Set Password Hashing Algorithm in /etc/libuser.confrule
In /etc/libuser.conf, add or correct the following line in its
[defaults] section to ensure the system will use the SHA-512
algorithm for password hashing:
crypt_style = sha512
identifiers:
CCE-27229-4, DISA FSO RHEL-06-000064 references:
IA-5(b), IA-5(c), IA-5(1)(c), IA-7, 803, Test attestation on 20121026 by DS |
Protect Physical Console AccessgroupIt is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console. |
contains 5 rules |
Set Boot Loader PasswordgroupDuring the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Red Hat Enterprise Linux boot loader for x86 systems is called GRUB.
Options it can pass to the kernel include single-user mode, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.
|
contains 4 rules |
Verify /etc/grub.conf User OwnershipruleThe file /etc/grub.conf should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /etc/grub.conf, run the command:
$ sudo chown root /etc/grub.conf
identifiers:
CCE-26995-1, DISA FSO RHEL-06-000065 references:
AC-6(7), 225, Test attestation on 20121026 by DS Remediation script:chown root /etc/grub.conf
|
Verify /etc/grub.conf Group OwnershipruleThe file /etc/grub.conf should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /etc/grub.conf, run the command:
$ sudo chgrp root /etc/grub.conf
identifiers:
CCE-27022-3, DISA FSO RHEL-06-000066 references:
AC-6(7), 225, Test attestation on 20121026 by DS Remediation script:chgrp root /etc/grub.conf
|
Verify /boot/grub/grub.conf PermissionsruleFile permissions for /boot/grub/grub.conf should be set to 600, which
is the default.
To properly set the permissions of /boot/grub/grub.conf, run the command:
$ sudo chmod 600 /boot/grub/grub.conf
identifiers:
CCE-26949-8, DISA FSO RHEL-06-000067 references:
AC-6(7), 225, Test attestation on 20121026 by DS Remediation script:chmod 600 /boot/grub/grub.conf
|
Set Boot Loader PasswordruleThe grub boot loader should have password protection
enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running the following command:
$ grub-crypt --sha-512
When prompted to enter a password, insert the following line into /etc/grub.conf
immediately after the header comments. (Use the output from grub-crypt as the
value of password-hash):
password --encrypted password-hash
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.
identifiers:
CCE-26911-8, DISA FSO RHEL-06-000068 references:
IA-2(1), IA-5(e) AC-3, 213, Test attestation on 20121026 by DS |
Require Authentication for Single User ModeruleSingle-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
To require entry of the root password even if the system is
started in single-user mode, add or correct the following line in the
file /etc/sysconfig/init:
SINGLE=/sbin/sulogin
identifiers:
CCE-27040-5, DISA FSO RHEL-06-000069 references:
IA-2(1), AC-3, 213, Test attestation on 20121024 by DS Remediation script:grep -q ^SINGLE /etc/sysconfig/init && \
sed -i "s/SINGLE.*/SINGLE=\/sbin\/sulogin/g" /etc/sysconfig/init
if ! [ $? -eq 0 ]; then
echo "SINGLE=/sbin/sulogin" >> /etc/sysconfig/init
fi
|
Network Configuration and FirewallsgroupMost machines must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks. |
contains 8 rules |
IPv6groupThe system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings. |
contains 1 rule |
Disable Support for IPv6 Unless Neededgroup
Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address auto-configuration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
|
contains 1 rule |
Disable IPv6 Networking Support Automatic LoadingruleTo prevent the IPv6 kernel module (ipv6) from binding to the
IPv6 networking stack, add the following line to
/etc/modprobe.d/disabled.conf (or another file in
/etc/modprobe.d):
options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that
depend on it), while disabling support for the IPv6 protocol.
identifiers:
CCE-27153-6, DISA FSO RHEL-06-000098 references:
CM-7, 1551, Test attestation on 20121024 by DS Remediation script:
# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack
echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf
# Since according to: https://access.redhat.com/solutions/72733
# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from
# loading, instruct also sysctl configuration to disable IPv6 according to:
# https://access.redhat.com/solutions/8709#rhel6disable
declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6")
for setting in ${IPV6_SETTINGS[@]}
do
# Set runtime =1 for setting
/sbin/sysctl -q -n -w "$setting=1"
# If setting is present in /etc/sysctl.conf, change value to "1"
# else, add "$setting = 1" to /etc/sysctl.conf
if grep -q ^"$setting" /etc/sysctl.conf ; then
sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf
echo "$setting = 1" >> /etc/sysctl.conf
fi
done
|
iptables and ip6tablesgroupA host-based firewall called netfilter is included as
part of the Linux kernel distributed with the system. It is
activated by default. This firewall is controlled by the program
iptables, and the entire capability is frequently referred to by
this name. An analogous program called ip6tables handles filtering
for IPv6.
Unlike TCP Wrappers, which depends on the network server
program to support and respect the rules written, netfilter
filtering occurs at the kernel level, before a program can even
process the data from the network packet. As such, any program on
the system is affected by the rules written.
This section provides basic information about strengthening
the iptables and ip6tables configurations included with the system.
For more complete information that may allow the construction of a
sophisticated ruleset tailored to your environment, please consult
the references at the end of this section. |
contains 3 rules |
Inspect and Activate Default RulesgroupView the currently-enforced iptables rules by running
the command:
$ sudo iptables -nL --line-numbers
The command is analogous for ip6tables.
If the firewall does not appear to be active (i.e., no rules
appear), activate it and ensure that it starts at boot by issuing
the following commands (and analogously for ip6tables):
$ sudo service iptables restart
The default iptables rules are:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
The ip6tables default rules are essentially the same. |
contains 2 rules |
Verify ip6tables Enabled if Using IPv6rule
The ip6tables service can be enabled with the following command:
$ sudo chkconfig --level 2345 ip6tables on
identifiers:
CCE-27006-6, DISA FSO RHEL-06-000103 references:
AC-4, CA-3(c), CM-7, 32, 66, 1115, 1118, 1092, 1117, 1098, 1100, 1097, 1414, Test attestation on 20121024 by DS Remediation script:#
# Enable ip6tables for all run levels
#
/sbin/chkconfig --level 0123456 ip6tables on
#
# Start ip6tables if not currently running
#
/sbin/service ip6tables start
|
Verify iptables Enabledrule
The iptables service can be enabled with the following command:
$ sudo chkconfig --level 2345 iptables on
identifiers:
CCE-27018-1, DISA FSO RHEL-06-000117 references:
AC-4, CA-3(c), CM-7, 32, 66, 1115, 1118, 1092, 1117, 1098, 1100, 1097, 1414, Test attestation on 20121024 by DS Remediation script:#
# Enable iptables for all run levels
#
/sbin/chkconfig --level 0123456 iptables on
#
# Start iptables if not currently running
#
/sbin/service iptables start
|
Strengthen the Default RulesetgroupThe default rules can be strengthened. The system
scripts that activate the firewall rules expect them to be defined
in the configuration files iptables and ip6tables in the directory
/etc/sysconfig. Many of the lines in these files are similar
to the command line arguments that would be provided to the programs
/sbin/iptables or /sbin/ip6tables - but some are quite
different.
The following recommendations describe how to strengthen the
default ruleset configuration file. An alternative to editing this
configuration file is to create a shell script that makes calls to
the iptables program to load in rules, and then invokes service
iptables save to write those loaded rules to
/etc/sysconfig/iptables.
The following alterations can be made directly to
/etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Instructions apply to both unless otherwise noted. Language and address
conventions for regular iptables are used throughout this section;
configuration for ip6tables will be either analogous or explicitly
covered. |
contains 1 rule |
Set Default iptables Policy for Incoming PacketsruleTo set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/iptables:
:INPUT DROP [0:0]
identifiers:
CCE-26444-0, DISA FSO RHEL-06-000120 references:
CM-7, 66, 1109, 1154, 1414 Remediation script:sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/iptables
|
Uncommon Network ProtocolsgroupThe system includes support for several network
protocols which are not commonly used. Although security vulnerabilities
in kernel networking code are not frequently
discovered, the consequences can be dramatic. Ensuring uncommon
network protocols are disabled reduces the system's risk to attacks
targeted at its implementation of those protocols. |
contains 4 rules |
Disable DCCP Supportrule
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install dccp /bin/true
identifiers:
CCE-26448-1, DISA FSO RHEL-06-000124 references:
CM-7, 382, Test attestation on 20121024 by DS Remediation script:echo "install dccp /bin/true" > /etc/modprobe.d/dccp.conf
|
Disable SCTP Supportrule
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/true
identifiers:
CCE-26410-1, DISA FSO RHEL-06-000125 references:
CM-7, 382, Test attestation on 20121024 by DS Remediation script:echo "install sctp /bin/true" > /etc/modprobe.d/sctp.conf
|
Disable RDS Supportrule
The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high- bandwidth,
low-latency communications between nodes in a cluster.
To configure the system to prevent the rds
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install rds /bin/true
identifiers:
CCE-26239-4, DISA FSO RHEL-06-000126 references:
CM-7, 382, Test attestation on 20121024 by DS Remediation script:echo "install rds /bin/true" > /etc/modprobe.d/rds.conf
|
Disable TIPC Supportrule
The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/true
identifiers:
CCE-26696-5, DISA FSO RHEL-06-000127 references:
CM-7, 382, Test attestation on 20121024 by DS Remediation script:echo "install tipc /bin/true" > /etc/modprobe.d/tipc.conf
|
System Accounting with auditdgroupThe audit service provides substantial capabilities
for recording system activities. By default, the service audits about
SELinux AVC denials and certain types of security-relevant events
such as system logins, account modifications, and authentication
events performed by programs such as sudo.
Under its default configuration, auditd has modest disk space
requirements, and should not noticeably impact system performance.
Government networks often have substantial auditing
requirements and auditd can be configured to meet these
requirements.
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.
The following example from Fedora Documentation available at
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
denial (and the associated system call) that occurred when the Apache HTTP
Server attempted to access the /var/www/html/file1 file (labeled with
the samba_share_t type):
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
msg=audit(1226874073.147:96)The number in parentheses is the unformatted time stamp (Epoch time)
for the event, which can be converted to standard time by using the
date command.
{ getattr }The item in braces indicates the permission that was denied. getattr
indicates the source process was trying to read the target file's status information.
This occurs before reading files. This action is denied due to the file being
accessed having the wrong label. Commonly seen permissions include getattr,
read, and write.comm="httpd"The executable that launched the process. The full path of the executable is
found in the exe= section of the system call (SYSCALL) message,
which in this case, is exe="/usr/sbin/httpd".
path="/var/www/html/file1"The path to the object (target) the process attempted to access.
scontext="unconfined_u:system_r:httpd_t:s0"The SELinux context of the process that attempted the denied action. In
this case, it is the SELinux context of the Apache HTTP Server, which is running
in the httpd_t domain.
tcontext="unconfined_u:object_r:samba_share_t:s0"The SELinux context of the object (target) the process attempted to access.
In this case, it is the SELinux context of file1. Note: the samba_share_t
type is not accessible to processes running in the httpd_t domain. From the system call (SYSCALL) message, two items are of interest:
success=no: indicates whether the denial (AVC) was enforced or not.
success=no indicates the system call was not successful (SELinux denied
access). success=yes indicates the system call was successful - this can
be seen for permissive domains or unconfined domains, such as initrc_t
and kernel_t.
exe="/usr/sbin/httpd": the full path to the executable that launched
the process, which in this case, is exe="/usr/sbin/httpd".
|
contains 1 rule |
Configure auditd Rules for Comprehensive AuditinggroupThe auditd program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full
description of the auditing system's capabilities is beyond the
scope of this guide. The mailing list linux-audit@redhat.com exists
to facilitate community discussion of the auditing system.
The audit subsystem supports extensive collection of events, including:
Tracing of arbitrary system calls (identified by name or number)
on entry or exit.Filtering by PID, UID, call success, system call argument (with
some limitations), etc.Monitoring of specific files for modifications to the file's
contents or metadata.
Auditing rules at startup are controlled by the file /etc/audit/audit.rules.
Add rules to it to meet the auditing requirements for your organization.
Each line in /etc/audit/audit.rules represents a series of arguments
that can be passed to auditctl and can be individually tested
during runtime. See documentation in /usr/share/doc/audit-VERSION and
in the related man pages for more details.
If copying any example audit rulesets from /usr/share/doc/audit-VERSION,
be sure to comment out the
lines containing arch= which are not appropriate for your system's
architecture. Then review and understand the following rules,
ensuring rules are activated as needed for the appropriate
architecture.
After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
$ sudo service auditd restart
|
contains 1 rule |
System Audit Logs Must Have Mode 0640 or Less Permissiverule
Change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file
identifiers:
CCE-27243-5, DISA FSO RHEL-06-000383 references:
AC-6, AU-1(b), AU-9, IR-5, 166, Test attestation on 20121024 by DS Remediation script:chmod -R 640 /var/log/audit/*
chmod 640 /etc/audit/audit.rules
|
Servicesgroup
The best protection against vulnerable software is running less software. This section describes how to review
the software which Red Hat Enterprise Linux 6 installs on a system and disable software which is not needed. It
then enumerates the software packages installed on a default Red Hat Enterprise Linux 6 system and provides guidance about which
ones can be safely disabled.
Red Hat Enterprise Linux 6 provides a convenient minimal install option that essentially installs the bare necessities for a functional
system. When building Red Hat Enterprise Linux 6 servers, it is highly recommended to select the minimal packages and then build up
the system from there.
|
contains 29 rules |
Obsolete ServicesgroupThis section discusses a number of network-visible
services which have historically caused problems for system
security, and for which disabling or severely limiting the service
has been the best available guidance for some time. As a result of
this, many of these services are not installed as part of Red Hat Enterprise Linux 6
by default.
Organizations which are running these services should
switch to more secure equivalents as soon as possible.
If it remains absolutely necessary to run one of
these services for legacy reasons, care should be taken to restrict
the service as much as possible, for instance by configuring host
firewall software such as iptables to restrict access to the
vulnerable service to only those remote hosts which have a known
need to use it. |
contains 12 rules |
XinetdgroupThe xinetd service acts as a dedicated listener for some
network services (mostly, obsolete ones) and can be used to provide access
controls and perform some logging. It has been largely obsoleted by other
features, and it is not installed by default. The older Inetd service
is not even available as part of Red Hat Enterprise Linux 6. |
contains 2 rules |
Disable xinetd Servicerule
The xinetd service can be disabled with the following command:
$ sudo chkconfig xinetd off
identifiers:
CCE-27046-2, DISA FSO RHEL-06-000203 references:
CM-7, 305, Test attestation on 20121026 by DS |
Uninstall xinetd PackageruleThe xinetd package can be uninstalled with the following command:
$ sudo yum erase xinetd
identifiers:
CCE-27005-8, DISA FSO RHEL-06-000204 references:
CM-7, 305, Test attestation on 20121026 by DS Remediation script:if rpm -qa | grep -q xinetd; then
yum -y remove xinetd
fi
|
TelnetgroupThe telnet protocol does not provide confidentiality or integrity
for information transmitted on the network. This includes authentication
information such as passwords. Organizations which use telnet should be
actively working to migrate to a more secure protocol. |
contains 2 rules |
Disable telnet Servicerule
The telnet service can be disabled with the following command:
$ sudo chkconfig telnet off
identifiers:
CCE-26836-7, DISA FSO RHEL-06-000211 references:
CM-7, IA-5(1)(c), 68, 1436, 197, 877, 888, Test attestation on 20121026 by DS |
Uninstall telnet-server PackageruleThe telnet-server package can be uninstalled with
the following command:
$ sudo yum erase telnet-server identifiers:
CCE-27073-6, DISA FSO RHEL-06-000206 references:
CM-7, 305, 381, Test attestation on 20121026 by DS Remediation script:if rpm -qa | grep -q telnet-server; then
yum -y remove telnet-server
fi
|
Rlogin, Rsh, and RexecgroupThe Berkeley r-commands are legacy services which
allow cleartext remote access and have an insecure trust
model. |
contains 4 rules |
Uninstall rsh-server PackageruleThe rsh-server package can be uninstalled with
the following command:
$ sudo yum erase rsh-server
identifiers:
CCE-27062-9, DISA FSO RHEL-06-000213 references:
CM-7, 305, 381, Test attestation on 20121026 by DS Remediation script:yum -y erase rsh-server
|
Disable rexec ServiceruleThe rexec service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rexec service can be disabled with the following command:
$ sudo chkconfig rexec off
identifiers:
CCE-27208-8, DISA FSO RHEL-06-000216 references:
CM-7, 68, 1436, Test attestation on 20121026 by DS |
Disable rsh ServiceruleThe rsh service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rsh service can be disabled with the following command:
$ sudo chkconfig rsh off
identifiers:
CCE-26994-4, DISA FSO RHEL-06-000214 references:
CM-7, IA-5(1)(c), 68, 1436, Test attestation on 20121026 by DS |
Disable rlogin ServiceruleThe rlogin service, which is available with
the rsh-server package and runs as a service through xinetd,
should be disabled.
The rlogin service can be disabled with the following command:
$ sudo chkconfig rlogin off
identifiers:
CCE-26865-6, DISA FSO RHEL-06-000218 references:
CM-7, IA-5(1)(c), 1436, Test attestation on 20121026 by DS |
NISgroupThe Network Information Service (NIS), also known as 'Yellow
Pages' (YP), and its successor NIS+ have been made obsolete by
Kerberos, LDAP, and other modern centralized authentication
services. NIS should not be used because it suffers from security
problems inherent in its design, such as inadequate protection of
important authentication information. |
contains 2 rules |
Uninstall ypserv PackageruleThe ypserv package can be uninstalled with
the following command:
$ sudo yum erase ypserv
identifiers:
CCE-27079-3, DISA FSO RHEL-06-000220 references:
CM-7, 305, 381, Test attestation on 20121026 by DS Remediation script:if rpm -qa | grep -q ypserv; then
yum -y remove ypserv
fi
|
Disable ypbind ServiceruleThe ypbind service, which allows the system to act as a client in
a NIS or NIS+ domain, should be disabled.
The ypbind service can be disabled with the following command:
$ sudo chkconfig ypbind off
identifiers:
CCE-26894-6, DISA FSO RHEL-06-000221 references:
CM-7, 305, Test attestation on 20121026 by DS |
TFTP Servergroup
TFTP is a lightweight version of the FTP protocol which has
traditionally been used to configure networking equipment. However,
TFTP provides little security, and modern versions of networking
operating systems frequently support configuration via SSH or other
more secure protocols. A TFTP server should be run only if no more
secure method of supporting existing equipment can be
found. |
contains 2 rules |
Disable tftp ServiceruleThe tftp service should be disabled.
The tftp service can be disabled with the following command:
$ sudo chkconfig tftp off
identifiers:
CCE-27055-3, DISA FSO RHEL-06-000223 references:
CM-7, 1436, Test attestation on 20121026 by DS Remediation script:#
# Disable tftp for all run levels
#
/sbin/chkconfig --level 0123456 tftp off
#
# Stop tftp if currently running
#
/sbin/service tftp stop
|
Uninstall tftp-server Packagerule
The tftp-server package can be removed with the following command:
$ sudo yum erase tftp-server
identifiers:
CCE-26946-4, DISA FSO RHEL-06-000222 references:
CM-7, 305, Test attestation on 20121026 by DS |
Base ServicesgroupThis section addresses the base services that are installed on a
Red Hat Enterprise Linux 6 default installation which are not covered in other
sections. Some of these services listen on the network and
should be treated with particular discretion. Other services are local
system utilities that may or may not be extraneous. In general, system services
should be disabled if not required. |
contains 5 rules |
Disable Automatic Bug Reporting Tool (abrtd)ruleThe Automatic Bug Reporting Tool (abrtd) daemon collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrtd can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrtd service can be disabled with the following command:
$ sudo chkconfig abrtd off
identifiers:
CCE-27247-6, DISA FSO RHEL-06-000261 references:
CM-7, 381 Remediation script:#
# Disable abrtd for all run levels
#
/sbin/chkconfig --level 0123456 abrtd off
#
# Stop abrtd if currently running
#
/sbin/service abrtd stop
|
Disable ntpdate Service (ntpdate)ruleThe ntpdate service sets the local hardware clock by polling NTP servers
when the system boots. It synchronizes to the NTP servers listed in
/etc/ntp/step-tickers or /etc/ntp.conf
and then sets the local hardware clock to the newly synchronized
system time.
The ntpdate service can be disabled with the following command:
$ sudo chkconfig ntpdate off
identifiers:
CCE-27256-7, DISA FSO RHEL-06-000265 references:
CM-7, 382, Test attestation on 20121024 by DS |
Disable Odd Job Daemon (oddjobd)ruleThe oddjobd service exists to provide an interface and
access control mechanism through which
specified privileged tasks can run tasks for unprivileged client
applications. Communication with oddjobd through the system message bus.
The oddjobd service can be disabled with the following command:
$ sudo chkconfig oddjobd off
identifiers:
CCE-27257-5, DISA FSO RHEL-06-000266 references:
CM-7, 381, Test attestation on 20121024 by DS Remediation script:#
# Disable oddjobd for all run levels
#
/sbin/chkconfig --level 0123456 oddjobd off
#
# Stop oddjobd if currently running
#
/sbin/service oddjobd stop
|
Disable Apache Qpid (qpidd)ruleThe qpidd service provides high speed, secure,
guaranteed delivery services. It is an implementation of the Advanced Message
Queuing Protocol. By default the qpidd service will bind to port 5672 and
listen for connection attempts.
The qpidd service can be disabled with the following command:
$ sudo chkconfig qpidd off
identifiers:
CCE-26928-2, DISA FSO RHEL-06-000267 references:
CM-7, 382 Remediation script:#
# Disable qpidd for all run levels
#
/sbin/chkconfig --level 0123456 qpidd off
#
# Stop qpidd if currently running
#
/sbin/service qpidd stop
|
Disable Network Router Discovery Daemon (rdisc)ruleThe rdisc service implements the client side of the ICMP
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on
the local subnet. If a router is discovered then the local routing table is
updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:
$ sudo chkconfig rdisc off
identifiers:
CCE-27261-7, DISA FSO RHEL-06-000268 references:
AC-4, CM-7, 382, Test attestation on 20121024 by DS Remediation script:#
# Disable rdisc for all run levels
#
/sbin/chkconfig --level 0123456 rdisc off
#
# Stop rdisc if currently running
#
/sbin/service rdisc stop
|
Cron and At DaemonsgroupThe cron and at services are used to allow commands to
be executed at a later time. The cron service is required by almost
all systems to perform necessary maintenance tasks, while at may or
may not be required on a given system. Both daemons should be
configured defensively. |
contains 1 rule |
Disable At Service (atd)ruleThe at and batch commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd keeps track of tasks scheduled via
at and batch, and executes them at the specified time.
The atd service can be disabled with the following command:
$ sudo chkconfig atd off
identifiers:
CCE-27249-2, DISA FSO RHEL-06-000262 references:
CM-7, 381 Remediation script:#
# Disable atd for all run levels
#
/sbin/chkconfig --level 0123456 atd off
#
# Stop atd if currently running
#
/sbin/service atd stop
|
SSH ServergroupThe SSH protocol is recommended for remote login and
remote file transfer. SSH provides confidentiality and integrity
for data exchanged between two systems, as well as server
authentication, through the use of public key cryptography. The
implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website,
http://www.openssh.org. Its server program is called sshd and
provided by the RPM package openssh-server. |
contains 10 rules |
Configure OpenSSH Server if NecessarygroupIf the system needs to act as an SSH server, then
certain changes should be made to the OpenSSH daemon configuration
file /etc/ssh/sshd_config. The following recommendations can be
applied to this file. See the sshd_config(5) man page for more
detailed information. |
contains 10 rules |
Allow Only SSH Protocol 2ruleOnly SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2
identifiers:
CCE-27072-8, DISA FSO RHEL-06-000227 references:
AC-3(10), IA-5(1)(c), 776, 774, 1436, Test attestation on 20121024 by DS Remediation script:grep -qi ^Protocol /etc/ssh/sshd_config && \
sed -i "s/Protocol.*/Protocol 2/gI" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "Protocol 2" >> /etc/ssh/sshd_config
fi
|
Set SSH Idle Timeout IntervalruleSSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 5
The timeout interval is given in seconds. To have a timeout
of 15 minutes, set interval to 900.
If a shorter timeout has already been set for the login
shell, that value will preempt any SSH
setting made here. Keep in mind that some processes may stop SSH
from correctly detecting that the user is idle.
identifiers:
CCE-26919-1, DISA FSO RHEL-06-000230 references:
AC-2(5), SA-8, 879, 1133, Test attestation on 20121024 by DS Remediation script:sshd_idle_timeout_value="5"
grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \
sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config
fi
|
Set SSH Client Alive CountruleTo ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set,
edit /etc/ssh/sshd_config as
follows:
ClientAliveCountMax 0
identifiers:
CCE-26282-4, DISA FSO RHEL-06-000231 references:
AC-2(5), SA-8, 879, 1133, Test attestation on 20121024 by DS Remediation script:grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \
sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
fi
|
Disable SSH Support for .rhosts FilesruleSSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the
following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
identifiers:
CCE-27124-7, DISA FSO RHEL-06-000234 references:
AC-3, 765, 766 Remediation script:grep -q ^IgnoreRhosts /etc/ssh/sshd_config && \
sed -i "s/IgnoreRhosts.*/IgnoreRhosts yes/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
fi
|
Disable Host-Based AuthenticationruleSSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the
following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
identifiers:
CCE-27091-8, DISA FSO RHEL-06-000236 references:
AC-3, 765, 766, Test attestation on 20121024 by DS Remediation script:grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \
sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
fi
|
Disable SSH Root LoginruleThe root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config:
PermitRootLogin no
identifiers:
CCE-27100-7, DISA FSO RHEL-06-000237 references:
AC-3, AC-6(2), IA-2(1), 770, Test attestation on 20121024 by DS Remediation script:
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
fi
fi
|
Disable SSH Access via Empty PasswordsruleTo explicitly disallow remote login from accounts with
empty passwords, add or correct the following line in
/etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords.
identifiers:
CCE-26887-0, DISA FSO RHEL-06-000239 references:
AC-3, 765, 766, Test attestation on 20121024 by DS Remediation script:grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config && \
sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
fi
|
Enable SSH Warning Bannerrule
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner.
identifiers:
CCE-27112-2, DISA FSO RHEL-06-000240 references:
AC-8(a), 48, Test attestation on 20121024 by DS Remediation script:grep -q ^Banner /etc/ssh/sshd_config && \
sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "Banner /etc/issue" >> /etc/ssh/sshd_config
fi
|
Do Not Allow SSH Environment OptionsruleTo ensure users are not able to present
environment options to the SSH daemon, add or correct the following line
in /etc/ssh/sshd_config:
PermitUserEnvironment no
identifiers:
CCE-27201-3, DISA FSO RHEL-06-000241 references:
1414, Test attestation on 20121024 by DS Remediation script:grep -q ^PermitUserEnvironment /etc/ssh/sshd_config && \
sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
fi
|
Use Only Approved CiphersruleLimit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.
identifiers:
CCE-26555-3, DISA FSO RHEL-06-000243 references:
AC-3, AC-17(2), SI-7, IA-5(1)(c), IA-7, 803, 1144, 1145, 1146, Test attestation on 20121024 by DS Remediation script:grep -q ^Ciphers /etc/ssh/sshd_config && \
sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" >> /etc/ssh/sshd_config
fi
|
Avahi ServergroupThe Avahi daemon implements the DNS Service Discovery
and Multicast DNS protocols, which provide service and host
discovery on a network. It allows a system to automatically
identify resources on the network, such as printers or web servers.
This capability is also known as mDNSresponder and is a major part
of Zeroconf networking. |
contains 1 rule |
Disable Avahi Server if PossiblegroupBecause the Avahi daemon service keeps an open network
port, it is subject to network attacks.
Disabling it can reduce the system's vulnerability to such attacks.
|
contains 1 rule |
Disable Avahi Server Softwarerule
The avahi-daemon service can be disabled with the following command:
$ sudo chkconfig avahi-daemon off
identifiers:
CCE-27087-6, DISA FSO RHEL-06-000246 references:
CM-7, 366 |