CCE-92892-9
Set Permissions on /etc/ssh/sshd_config
The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root.

CCE-92890-3
Verify User/Group Ownership on /etc/shadow
The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root.

CCE-92891-1
Verify User/Group Ownership on /etc/passwd
The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root.

CCE-92887-9
Set SSH Protocol to 2
SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.

CCE-92888-7
Disable SSH Root Login
The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.

CCE-92889-5
Verify Permissions on /etc/shadow
The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.

CCE-92883-8
Disable IPv6 Router Advertisements
This setting disables the system's ability to accept router advertisements.

CCE-92884-6
Set Password Creation Requirement Parameters Using pam_cracklib
The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The fo ...

CCE-92886-1
Verify User/Group Ownership on /etc/group
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else.

CCE-92881-2
Set Lockout for Failed Password Attempts
Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the PAM configuration file /etc/pam.d/login. The second set of changes is applied to the program-specific PAM configuration file. The second set of changes ...

CCE-92885-3
The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ...

CCE-92882-0
The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ...