CCE-90524-0
The '.netrc' files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any '.netrc' files should be ...

CCE-90526-5
The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over TCP: '$ModLoad imtcp' and '$InputTCPServerRun 514'

CCE-90420-1
The pam_pwquality module's 'ucredit=' parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length cre ...

CCE-90405-2
To configure the system to prevent the 'cramfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90426-8
To configure the system to prevent the 'jffs2' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90434-2
Edit the file '/etc/postfix/main.cf' to ensure that only the following 'inet_interfaces' line appears: 'inet_interfaces = localhost'

CCE-90492-0
If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

CCE-90427-6
To configure the system to prevent the 'udf' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90482-1
To set the runtime status of the 'kernel.exec-shield' kernel parameter, run the following command: '# sysctl -w kernel.exec-shield=1'. If this is not the system's default value, add the following line to '/etc/sysctl.conf': 'kernel.exec-shield = 1'

CCE-90565-3
The 'rsh-server' package can be uninstalled with the following command: '$ sudo yum erase rsh-server'

CCE-90507-5
Disable Print Server Capabilities setting should be configured appropriately.

CCE-90438-3
To configure rsyslog to send logs to a remote log server, open '/etc/rsyslog.conf' and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs t ...

CCE-90408-6
The pam_pwquality module's 'dcredit' parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify ...

CCE-90429-2
The 'noexec' mount option can be used to prevent binaries from being executed out of '/tmp'. Add the ...

CCE-90490-4
To properly set the owner of '/etc/gshadow', run the command:

CCE-90560-4
The 'xinetd' package can be uninstalled with the following command: '$ sudo yum erase xinetd'

CCE-90467-2
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

CCE-90556-2
The 'tftp-server' package can be removed with the following command: '$ sudo yum erase tftp-server'

CCE-90478-9
To set the runtime status of the 'kernel.randomize_va_space' kernel parameter, run the following command:

CCE-90509-1
To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'be ...

CCE-90491-2
To set the runtime status of the 'net.ipv4.conf.all.accept_redirects' kernel parameter, run the following command:

CCE-90532-3
Remove Rsh Trust Files setting should be configured appropriately.

CCE-90582-8
Sendmail is not the default mail transfer agent and is not installed by default. The 'sendmail' package can be removed with the following command: '$ sudo yum erase sendmail'

CCE-90430-0
Do not allow users to reuse recent passwords. This can be accomplished by using the 'remember' option for the 'pam_unix' PAM module. In the file '/etc/pam.d/system-auth', append 'remember=5' to the line which refers to the 'pam_unix.so' module, as shown: 'password sufficient pam_unix.so

CCE-90503-4
To set the runtime status of the 'net.ipv4.conf.all.log_martians' kernel parameter, run the following command:

CCE-90463-1
To properly set the permissions of '/etc/group', run the command:

CCE-90529-9
The 'auditd' service can be configured to take an action when disk space

CCE-90514-1
Add or correct the following configuration options within the 'vsftpd' configuration file, located at '/etc/vsftpd/vsftpd.conf': 'xferlog_enable=YES', 'xferlog_std_format=NO', 'log_ftp_protocol=YES'

CCE-90451-6
If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

CCE-90448-2
The 'nodev' mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the ...

CCE-90409-4
To configure the system to prevent the 'squashfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90453-2
To set the runtime status of the 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter, run the following command:

CCE-90569-5
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The 'dhcp' package can be removed with the following command: '$ sudo yum erase dhcp'

CCE-90457-3
Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.

CCE-90508-3
Disable Printer Browsing Entirely if Possible setting should be configured appropriately.

CCE-90558-8
The 'squid' package can be removed with the following command: '$ sudo yum erase squid'

CCE-90444-1
To configure the system to lock out accounts after a number of incorrect login attempts using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'before' the 'pam_unix.so' statement in the 'AUTH' sect ...

CCE-90456-5
To set the runtime status of the 'net.ipv4.conf.default.rp_filter' kernel parameter, run the following command:

CCE-90468-0
Add the 'nosuid' option to the fourth column of '/etc/fstab' for the line which controls ...

CCE-90489-6
Set User/Group Owner on bootloader config (Scored) Set the owner and group of your boot loaders config file to the root user. These instructions default to GRUB stored at /boot/grub/grub.cfg.

CCE-90450-8
To properly set the permissions of '/etc/passwd', run the command:

CCE-90577-8
In '/etc/libuser.conf', add or correct the following line in its '[defaults]' section to ensure the system will use the SHA-512 algorithm for password hashing: 'crypt_style = sha512'

CCE-90433-4
The 'nosuid' mount option can be used to prevent execution of setuid programs in '/run/shm'. The suid/sgid permissions should not be required in these world-writable directories. ...

CCE-90563-8
The 'dovecot' package can be uninstalled with the following command: '$ sudo yum erase dovecot'

CCE-90452-4
The SELinux 'targeted' policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in '/etc/selinux/config': 'SELINUXTYPE=targeted' Other policies, such as 'mls', provide additio ...

CCE-90511-7
Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options: 'write_enable=NO' If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as ...

CCE-90443-3
To set the runtime status of the 'net.ipv4.conf.default.secure_redirects' kernel parameter, run the following command:

CCE-90498-7
To restrict root logins on serial ports, ensure lines of this form do not appear in '/etc/securetty': 'ttyS0', 'ttyS1'

CCE-90583-6
To allow clients to make encrypted connections the 'ssl' flag in Dovecot's configuration file needs to be set to 'yes'. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line: 'ssl = yes'

CCE-90441-7
Ensure that none of the directories in root's path is equal to a single '.' character, or that it contains any instances that lead to relative path traversal, such as '..' or beginning a path without the slash ('/') character. Also ensure that there are no "empty" ...

CCE-90416-9
To configure the system to prevent the 'freevxfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90462-3
To properly set the owner of '/etc/passwd', run the command:

CCE-90431-8
The 'nosuid' mount option can be used to prevent execution of setuid programs in '/tmp'. The suid/sgid perm ...

CCE-90542-2
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting the correct value for

CCE-90407-8
To ensure the default umask controlled by '/etc/login.defs' is set properly, add or correct the 'UMASK' setting in '/etc/login.defs' to read as follows: 'UMASK 077'

CCE-90531-5
The 'auditd' service can be configured to send email to a designated account in certain situations. Add or correct the following line in '/etc/audit/auditd.conf' to ensure that administrators are notified via email for those situations: 'action_mail_acct = root'

CCE-90439-1
The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are

CCE-90475-5
To properly set the permissions of '/etc/shadow', run the command:

CCE-90406-0
To configure the system to prevent the 'hfsplus' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90574-5
Ensure a copy of a trusted CA certificate has been placed in the file '/etc/pki/tls/CA/cacert.pem'. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file '/etc/pam_ldap.conf', and add or correct either of the following lines: 'tls_cacertdir /etc/pki/tl ...

CCE-90455-7
Set Boot Loader Password (Scored) Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters

CCE-90437-5
To configure the system to prevent the 'hfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90512-5
To configure the number of retry prompts that are permitted per-session: Edit the 'pam_pwquality.so' statement in '/etc/pam.d/system-auth' to show 'retry=3', or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.

CCE-90458-1
To properly set the group owner of '/etc/group', run the command:

CCE-90471-4
To set the runtime status of the 'net.ipv4.conf.all.rp_filter' kernel parameter, run the following command:

CCE-90487-0
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the 'usb-storage' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe. ...

CCE-90547-1
The 'vsftpd' package can be removed with the following command: '$ sudo yum erase vsftpd'

CCE-90413-6
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the 'dccp' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90403-7
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the 'rds' kernel module from being loaded, add the following line to a file in the direc ...

CCE-90499-5
To set the runtime status of the 'net.ipv4.tcp_syncookies' kernel parameter, run the following command:

CCE-90536-4
Restrict Access to Kernel Message Buffer setting should be configured appropriately.

CCE-90517-4
Disable IPv6 Networking Support Automatic Loading setting should be configured appropriately.

CCE-90501-8
Deactivating wireless network interfaces should prevent normal usage of the wireless capability. ...

CCE-90483-9
All USB support can be disabled by adding the 'nousb' argument to the kernel's boot loader configuration. To do so, append 'nousb' to the kernel line in '/boot/grub/grub.cfg' ...

CCE-90476-3
To set the runtime status of the 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter, run the following command:

CCE-90472-2
To set the runtime status of the 'net.ipv4.conf.default.accept_source_route' kernel parameter, run the following command:

CCE-90549-7
Rsyslog is installed by default. The 'rsyslog' package can be installed with the following command: '$ sudo yum install rsyslog'

CCE-90479-7
To set the runtime status of the 'net.ipv4.conf.default.send_redirects' kernel parameter, run the following command:

CCE-90546-3
The 'net-snmp' package provides the snmpd service. The 'net-snmp' package can be removed with the following command: '$ sudo yum erase net-snmp'

CCE-90461-5
To properly set the permissions of '/etc/gshadow', run the command:

CCE-90410-2
The pam_pwquality module's 'ocredit=' parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquali ...

CCE-90423-5
The pam_pwquality module's 'lcredit' parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length cred ...

CCE-90562-0
To remove the 'bind' package, which contains the 'named' service, run the following command: '$ sudo yum erase bind'

CCE-90506-7
To specify a remote NTP server for time synchronization, edit the file '/etc/ntp.conf'. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for

CCE-90459-9
To properly set the owner of '/etc/shadow', run the command:

CCE-90505-9
Add the 'nodev' option to the fourth column of '/etc/fstab' for the line which controls ...

CCE-90502-6
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. Edit the files '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' (if IPv6 is in use). In each file, locate and delete the line: ' ...

CCE-90415-1
The 'nosuid' mount option can be used to prevent execution of setuid programs in '/run/shm'. The suid/sgid permissions should not be required in these world-writable directories. ...

CCE-90504-2
If 'SplitHosts' is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that information is almost always necessary: 'SplitHosts = yes'

CCE-90567-9
The 'telnet-server' package can be uninstalled with the following command: '$ sudo yum erase telnet-server'

CCE-90553-9
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in '/etc/ssh/sshd_config': 'PermitEmptyPasswords no' Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themse ...

CCE-90515-8
Edit the vsftpd configuration file, which resides at '/etc/vsftpd/vsftpd.conf' by default. Add or correct the following configuration options: 'banner_file=/etc/issue'

CCE-90537-2
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of co ...

CCE-90470-6
To properly set the group owner of '/etc/gshadow', run the command:

CCE-90411-0
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the 'sctp' kernel module from being loaded, add the following lin ...

CCE-90571-1
The 'httpd' package can be removed with the following command: '$ sudo yum erase httpd'

CCE-90435-9
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument 'audit=1' to the kernel line in '/boot/grub/grub.cfg', in the manner below: ...

CCE-90469-8
To configure the system login banner: Edit '/etc/issue'. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use ...

CCE-90555-4
Description: Instruct users to begin new terminal sessions with the following command: '$ tmux' The console can now be locked with the following key combination: 'ctrl+a x' To enable console screen locking, install the 'tmux' package: '$ sudo yum install tmux'

CCE-90465-6
To properly set the group owner of '/etc/shadow', run the command:

CCE-90527-3
The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over UDP: '$ModLoad imudp' and '$UDPServerRun 514'

CCE-90428-4
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the 'tipc' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90497-9
To set the runtime status of the 'fs.suid_dumpable' kernel parameter, run the following command:

CCE-90481-3
To set the runtime status of the 'net.ipv4.conf.all.send_redirects' kernel parameter, run the following command:

CCE-90530-7
The 'auditd' service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90528-1
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by 'auditd', add or correct the line in '/etc/audit/auditd.conf': 'max_log_file_action = ACTION' Possible values for

CCE-90440-9
To properly set the owner of '/etc/group', run the command:

CCE-90493-8
To disable core dumps for all users, add the following line to '/etc/security/limits.conf': '* hard core 0'

CCE-90445-8
To set the runtime status of the 'net.ipv4.conf.all.secure_redirects' kernel parameter, run the following command:

CCE-90519-0
To set the runtime status of the 'net.ipv6.conf.default.accept_ra' kernel parameter, run the following command:

CCE-90525-7
In '/etc/login.defs', add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: 'ENCRYPT_METHOD SHA512'

CCE-90486-2
To set the runtime status of the 'net.ipv4.conf.default.accept_redirects' kernel parameter, run the following command:

CCE-90464-9
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line i ...

CCE-90494-6
Disable Automounting (Scored) autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.

CCE-90572-9
To prevent Dovecot from attempting plaintext authentication of clients, edit '/etc/dovecot/conf.d/10-auth.conf' and add or correct the following line: 'disable_plaintext_auth = yes'

CCE-90421-9
The pam_pwquality module's 'difok' parameter controls requirements for usage of different characters during a password change. Modify the 'difok' setting in '/etc/security/pwquality.conf' to require differing characters when changing passwords. The DoD requirement is '4'.

CCE-90538-0
In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting ...

CCE-90541-4
Determine how many log files 'auditd' should retain when it rotates logs. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90566-1
Only SSH protocol version 2 connections should be permitted. The default setting in '/etc/ssh/sshd_config' is correct, and can be verified by ensuring that the following line appears: 'Protocol 2'

CCE-90585-1
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in '/etc/ssh/sshd_config': 'PermitRootLogin no'

CCE-90447-4
To properly set the group owner of '/etc/passwd', run the command:

CCE-90568-7
SSH's cryptographic host-based authentication is more secure than '.rhosts' authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in '/etc/ssh/sshd_config': 'Host ...

CCE-90466-4
The SELinux state should be set to 'enforcing' at system boot time. In the file '/etc/selinux/config', add or correct the following line to configure the system to boot into enforcing mode: 'SELINUX=enforcing'

CCE-90432-6
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate '/etc/modprobe.d' configuration file to prevent the loading of the Bluetooth module: 'install bluetooth /bin/true'

CCE-90500-0
The 'nosuid' mount option prevents set-user-identifier (suid) and set-group-identifier (sgid) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file resp ...

CCE-90520-8
To set the runtime status of the 'net.ipv6.conf.default.accept_redirects' kernel parameter, run the following command:

CCE-90581-0
This option tells Dovecot where to find the mail server's SSL certificate. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line (

CCE-90480-5
To specify password length requirements for new accounts, edit the file '/etc/login.defs' and add or correct the following lines: 'PASS_MIN_LEN 14'

CCE-90570-3
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via '.rhosts' files. To ensure this behavior is disabled, add or correct the following line in '/etc/ssh/sshd_config': 'IgnoreRhosts yes'

CCE-90422-7
The 'noexec' mount option can be used to prevent binaries from being executed out of '/run/shm'. It can be dangerous to allow the execution of binaries from world-writable temporary ...

CCE-90454-0
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on th ...

CCE-90540-6
Edit '/etc/postfix/main.cf', and add or correct the following line, substituting some other wording for the banner information if you prefer: 'smtpd_banner = $myhostname ESMTP'

CCE-90522-4
Configure Logwatch HostLimit Line setting should be configured appropriately.

CCE-90449-0
To set the runtime status of the 'net.ipv4.ip_forward' kernel parameter, run the following command:

CCE-90561-2
In some installations, AIDE is not installed automatically. Rationale: Ensure AIDE is installed to make use of the file integrity features to monitor critical files for changes that could affect the security of the system.

CCE-90446-6
The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles ...

CCE-90485-4
The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog. Rationale: By keeping the log files smaller and ...

CCE-90473-0
The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ...

CCE-90484-7
The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ...

CCE-90543-0
By default, the system includes the following line in '/etc/init/control-alt-delete.conf' to reboot the system when the Ctrl-Alt-Del key sequence is pressed: 'exec /sbin/sh ...

CCE-90474-8
The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days. Rationale: Providing an advance warning that a password will be expiring g ...

CCE-90414-4
If any password hashes are stored in '/etc/passwd' (in the second field, instead of an 'x'), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

CPE    1
cpe:/o:ubuntu:ubuntu_linux:14.10
*XCCDF
xccdf_org.secpod_benchmark_general_Ubuntu_14_10

© SecPod Technologies