Download
| Alert*
|
CCE-91970-4
The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root. Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- priliveged users, but needs to be readable as this informati ... CCE-91944-9 This setting disables the systems ability to accept router advertisements Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trus ... CCE-91988-6 The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Rationale: The /etc/group file needs to be protected from unauthorized changes by non-priliveged users, but needs to be readable ... CCE-91987-8 The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking progr ... CCE-91986-0 The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root. Rationale: The /etc/passwd file needs to be protected from unauthorized changes by non-priliveged users, but needs to be readab ... CCE-91984-5 The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking pro ... CCE-91966-2 The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. * retr ... CCE-91967-0 Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will ... CCE-92018-1 SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure. Rationale: SSH v1 suffers from insecurities that do not affect SSH v2. CCE-91973-8 The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non ... CCE-91977-9 The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ... CCE-91978-7 The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ... |
