Download
| Alert*
|
CCE-94493-4
The 'gpgcheck' option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in '/etc/yum.conf' in the '[main]' section: 'gpgcheck=1' CCE-92600-6 To ensure the SSH idle timeout occurs precisely when the 'ClientAliveCountMax' is set, edit '/etc/ssh/sshd_config' as follows: 'ClientAliveCountMax 0' CCE-92378-9 To properly set the group owner of '/etc/group', run the command: CCE-92562-8 SSH's cryptographic host-based authentication is more secure than '.rhosts' authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in '/etc/ssh/sshd_config': 'Host ... CCE-92520-6 To configure the system to prevent the 'jffs2' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d': CCE-92485-2 To properly set the owner of '/etc/shadow', run the command: CCE-92446-4 To properly set the permissions of '/etc/passwd', run the command: CCE-92619-6 To properly set the owner of '/etc/group', run the command: CCE-92580-0 The SELinux state should be set to 'enforcing' at system boot time. In the file '/etc/selinux/config', add or correct the following line to configure the system to boot into enforcing mode: 'SELINUX=enforcing' CCE-92599-0 To properly set the group owner of '/etc/gshadow', run the command: CCE-92507-3 To configure the system to prevent the 'freevxfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d': CCE-92452-2 To properly set the owner of '/etc/gshadow', run the command: CCE-92410-0 If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules' If the system is 64 ... CCE-92529-7 Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in '/etc/ssh/sshd_config' demonstrates use of FIPS-approved ciphers: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc, ... CCE-92414-2 To properly set the group owner of '/etc/passwd', run the command: CCE-92430-8 To specify password length requirements for new accounts, edit the file '/etc/login.defs' and add or correct the following lines: 'PASS_MIN_LEN 14 CCE-92413-4 To configure the system to prevent the 'cramfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d': CCE-92484-5 The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ... CCE-92538-8 The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ... |
