CCE-95637-5
The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. Rationale: The SHA-512 algorithm provides much stronger hashing than M ...

CCE-95691-2
The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Rationale: Unless a system is specifically designated to act as a DNS server, it is recommended that the package be delet ...

CCE-95022-0
Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the PAM configuration file /etc/pam.d/login. The second set of changes is applied to the program-specific PAM configuration file. The second set of changes must be applied to each program that will ...

CCE-95031-1
The /etc/security/opasswd file stores users' old passwords and can be checked to ensure that users are not recycling recent passwords. Rationale: Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these change only ...

CCE-95709-2
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. The disable-user-list option controls whether a list of users is displayed on the login screen. Rationale: Displaying the user list eliminates half of the Userid/Password equation that an unauthorize ...

CCE-95106-1
The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. ClientAliveInterval sets how long sshd waits without receiving data from the client before it sends a client-alive request through the encrypted channel; ClientAliveCountMax sets how many of those requests may go unanswered before sshd ...

CCE-95648-2
The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Rationale: If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. Fix ...

CCE-95636-7
The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. Rationale: To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of ss ...

CCE-95613-6
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp. Fix: Run the follow ...

CCE-95700-1
UsePAM enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. Rationale: When UsePAM is set to ye ...

CCE-95602-9
Sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. Rationale: Sudo supports a plugin arch ...

CCE-95603-7
Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader. Rationale: Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user ...

CCE-95701-9
The contents of /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization ...

CCE-95690-4
The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network. The rpcbind service maps Remote Procedure Call (RPC) services to the ports on wh ...

CCE-95614-4
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp. Fix: Ru ...

CCE-95604-5
The /var/log directory is used by system services to store log data. Rationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. ...

CCE-95616-9
The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In additio ...

CCE-95638-3
The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user. Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users. ...

CCE-95615-1
The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Rationale: Since the /var directory may contain world-writable files and directories, there is a risk of resource ex ...

CCE-95680-5
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability. Rationale: If ...

CCE-95702-7
Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged in /var/log/sudoers_log. Any time a command is ...

CCE-95627-6
A Firewall package should be selected. Most firewall configuration utilities operate as a front end to nftables or iptables. Rationale: A Firewall package is required for firewall management and configuration. Fix: To install a firewall package run: apt ins ...

CCE-95628-4
auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occu ...

CCE-95605-2
The auditing daemon, auditd , stores log data in the /var/log/audit directory. Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) ...

CCE-92723-6
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to transfer configuration files automatically or to boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server. Rationale: TFTP does not support authentication nor do ...

CCE-95692-0
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files. Rationale ...

CCE-95617-7
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp. ...

CCE-95639-1
AppArmor profiles define what resources applications are able to access. Fix: Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/*

CCE-95681-3
The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Rationale: Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface. ...

CCE-95703-5
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP ...

CCE-95621-9
AppArmor provides Mandatory Access Controls. Rationale: Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available. Fix: Run the following command to install apparmor: apt install apparmor apparmor-utils

CCE-95644-1
The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/gshadow file, they can easily run a password ...

CCE-92747-5
biosdevname is an external tool that works with the udev framework for naming devices. biosdevname uses three methods to determine NIC names: 1. PCI firmware spec.3.1 2. smbios (matches # after em to OEM # printed on board or housing) 3. PCI IRQ Routing Table (uses # of NIC position in the ...

CCE-95655-7
The shadow group allows system programs that require it to read the /etc/shadow file. No users should be assigned to the shadow group. Rationale: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain r ...

CCE-95632-6
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system a ...

CCE-95667-2
Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Rationale: Users must be assigned unique UIDs for accountability and to ensure appropriate access prot ...

CCE-95645-8
The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. Rationale: It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is prote ...

CCE-95656-5
Any account with UID 0 has superuser privileges on the system. Rationale: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5. ...

CCE-95679-7
Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automat ...

CCE-95633-4
The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the grace period is, the more open unauthenticated connections can exist. Like other session controls in this section, the grace period should be limited to appropriate organizational li ...

CCE-95610-2
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. ...

CCE-95668-0
Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field. Rationale: User groups must be assigned unique GIDs for accountability and to ensure appropriate ...

CCE-95669-8
Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name. Rationale: If a user is assigned a duplicate user name, it will create and have access to files with the f ...

CCE-95646-6
The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a passwo ...

CCE-95600-3
USB storage provides a means to transfer and store files, ensuring persistence and availability of the files independent of network connection status. Its popularity and utility have led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a pe ...

CCE-95657-3
An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. Fix: If any accounts in ...

CCE-95635-9
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Rationale: To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartup ...

CCE-95634-2
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into ...

CCE-95611-0
The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. I ...

CCE-95647-4
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Rationale: The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs ...

CCE-95601-1
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp. Fix: Run the fo ...

CCE-95658-1
Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist. Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have ...

CCE-95612-8
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp. Fix: ...

CCE-95659-9
While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system ...

CCE-95640-9
Ensure all apparmor profiles are in enforce or complain mode. Rationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any p ...

CCE-95708-4
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Loopback traffic is generated between processes on a machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...

CCE-95651-6
An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authent ...

CCE-95674-8
Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. Rationale: Writing log data to disk will provide the ability to for ...

CCE-95697-9
The cron daemon is used to execute batch jobs on the system. Rationale: While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them. Fix: ...

CCE-95663-1
While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these. Rationale: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another us ...

CCE-95686-2
Dovecot is an open source IMAP and POP3 server for Linux based systems. Rationale: Unless IMAP or POP3 services are to be provided by this system, it is recommended that the service be disabled or deleted to reduce the potential attack surface. Note: Several IMAP ...

CCE-95641-7
The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading inform ...

CCE-95652-4
The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: ...

CCE-95675-5
autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives. Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked permissions to mount it thems ...

CCE-95698-7
OpenSSH can use multiple MAC algorithms. Rationale: Only strong algorithms or site policy appropriate MAC algorithms should be used. The only strong MACs currently FIPS 140-2 approved are hmac-sha2-256 and hmac-sha2-512. Fix: Edit the /etc/ssh/sshd_config file to set the parameter as foll ...
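The ClientAliveInterval/ClientAliveCountMax, MaxSessions, MaxStartups, LoginGraceTime, UsePAM, port forwarding and MACs entries above all reduce to reading one keyword out of sshd_config and comparing it with a limit. The script below is an added example (not text or code from this CCE catalog, and not any benchmark's own audit script) that does exactly that for a config text: the numeric limits and the accepted MAC list are this example's assumptions, chosen to match the entries, and site policy decides the real values. Feeding it `sshd -T` output gives the effective configuration of a live host.

```shell
#!/bin/sh
# Added example, not from the CCE catalog: audit an sshd_config text for the
# session-control, UsePAM, forwarding and MAC settings. The numeric limits
# below are assumptions for the demo; site policy decides the real values.

# Effective value of keyword $1 in config text $2. sshd applies the first
# occurrence of a keyword, so the first match wins; comments and blank lines
# are skipped. (The "Key=value" spelling sshd also accepts is not handled.)
sshd_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# True when $1 is an unsigned integer within [$2, $3].
int_in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Print one FAIL line per non-compliant setting, or PASS. Always returns 0.
sshd_audit() {
    cfg=$1 fails=0

    v=$(sshd_value ClientAliveInterval "$cfg")
    int_in_range "$v" 1 900 || { echo "FAIL ClientAliveInterval=${v:-unset}"; fails=$((fails + 1)); }

    v=$(sshd_value ClientAliveCountMax "$cfg")
    int_in_range "$v" 1 3 || { echo "FAIL ClientAliveCountMax=${v:-unset}"; fails=$((fails + 1)); }

    v=$(sshd_value MaxSessions "$cfg")
    int_in_range "$v" 1 10 || { echo "FAIL MaxSessions=${v:-unset}"; fails=$((fails + 1)); }

    # MaxStartups is start:rate:full; each part is bounded separately
    # (the bare single-number form is reported as a failure here).
    v=$(sshd_value MaxStartups "$cfg")
    start=${v%%:*}; rest=${v#*:}; rate=${rest%%:*}; full=${rest#*:}
    int_in_range "$start" 1 10 && int_in_range "$rate" 30 100 && int_in_range "$full" 1 60 \
        || { echo "FAIL MaxStartups=${v:-unset}"; fails=$((fails + 1)); }

    v=$(sshd_value LoginGraceTime "$cfg")
    int_in_range "$v" 1 60 || { echo "FAIL LoginGraceTime=${v:-unset}"; fails=$((fails + 1)); }

    v=$(sshd_value UsePAM "$cfg")
    case "$v" in [Yy][Ee][Ss]) ;; *) echo "FAIL UsePAM=${v:-unset}"; fails=$((fails + 1)) ;; esac

    v=$(sshd_value AllowTcpForwarding "$cfg")
    case "$v" in [Nn][Oo]) ;; *) echo "FAIL AllowTcpForwarding=${v:-unset}"; fails=$((fails + 1)) ;; esac

    # Every MAC in the comma-separated list must be one of the two the entry names.
    v=$(sshd_value MACs "$cfg")
    bad=0; [ -n "$v" ] || bad=1
    for m in $(printf '%s' "$v" | tr ',' ' '); do
        case "$m" in hmac-sha2-256|hmac-sha2-512) ;; *) bad=1 ;; esac
    done
    [ "$bad" -eq 0 ] || { echo "FAIL MACs=${v:-unset}"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ] && echo PASS
    return 0
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG=$(cat <<'EOF'
# deliberately weak values; ClientAlive* left unset
Port 22
UsePAM no
AllowTcpForwarding yes
MaxSessions 50
MaxStartups 100:30:200
LoginGraceTime 600
MACs hmac-sha1,hmac-md5
EOF
)
HARDENED_CFG=$(cat <<'EOF'
Port 22
ClientAliveInterval 300
ClientAliveCountMax 3
MaxSessions 10
MaxStartups 10:30:60
LoginGraceTime 60
UsePAM yes
AllowTcpForwarding no
MACs hmac-sha2-512,hmac-sha2-256
EOF
)

echo "== weak ==";     sshd_audit "$WEAK_CFG"
echo "== hardened =="; sshd_audit "$HARDENED_CFG"
# On a live host (as root): sshd_audit "$(sshd -T)"
```

The weak config produces eight FAIL lines (the two unset ClientAlive keywords are reported as `unset`), the hardened one prints PASS. Because sshd honours the first occurrence of a keyword, a hardened value appended at the bottom of a file that already sets the keyword higher up changes nothing; reading `sshd -T` instead of the file avoids that trap.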

CCE-95687-0
HTTP or web servers provide the ability to host web site content. Rationale: Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface. Fix: Run the following command to disable apa ...

CCE-95664-9
While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. Rationale: .netrc files may contain unencrypted passwords that may be used to attack other systems. Fix: Making global modifications to user ...

CCE-95642-5
The contents of the /etc/issue file are displayed to users prior to login for local terminals. Rationale: If the /etc/issue file does not have the correct ownership and permissions it could be modified by unauthorized users with incorrect or misleading information. Fix ...

CCE-95653-2
The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: These ...

CCE-95676-3
The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories ...

CCE-95699-5
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer o ...

CCE-95665-6
chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. Rationale: If chrony is in use on the system proper configuration is vital to ensuring time synchronizat ...

CCE-95688-8
Squid is a standard proxy server used in many distributions and environments. Rationale: If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface. Fix: Run the following command to disable HTTP ...

CCE-95643-3
Rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and p ...

CCE-95620-1
Sudo can use a custom log file. Rationale: A sudo log file simplifies auditing of sudo commands. Fix: Edit the file /etc/sudoers or any file in /etc/sudoers.d and add the following : Defaults logfile=<path to custom file>

CCE-95654-0
The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: These ...

CCE-95677-1
The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system. Rationale: The SNMP server can communicate using SNMP v1, whi ...

CCE-95631-8
The audit backlog limit is the number of audit records the kernel will buffer before they are consumed. Rationale: During boot, if audit=1 is set, the backlog will hold the specified number of records until auditd starts. If an insufficient limit is allocated during boot, audit records will be lost and potentially malicious activity could go undetected. ...

CCE-95666-4
Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group. Rationale: Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly ma ...

CCE-95689-6
The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP server, it is recommended that the soft ...

CCE-95606-0
The /home directory is used to support disk storage needs of local users. Rationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored un ...

CCE-95670-6
Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name. Rationale: If a group is assigned a duplicate group name, it will create and have access to files with t ...

CCE-95693-8
All users should have a password change date in the past. Rationale: If a user's recorded password change date is in the future then they could bypass any set password expiration. Fix: Investigate any users with a password change date in the future and correct them. ...
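Three of the entries above are read straight off /etc/shadow: the first entry on this page (accounts whose stored hash was never upgraded from md5 to sha512), the empty password field check, and the password change date in the future. The script below is an added example (not from this CCE catalog and not any benchmark's own script) that audits a shadow-format file for all three. The hash prefix table ($1$ md5, $5$ sha256, $6$ sha512, $y$ yescrypt, $2a$/$2b$/$2y$ bcrypt, no prefix DES crypt) is standard crypt(3) convention; accepting yescrypt alongside sha512 is this example's assumption, not something the entries state.

```shell
#!/bin/sh
# Added example, not from the CCE catalog: audit a shadow-format file for
# hashes not yet upgraded to SHA-512, empty password fields, and a "last
# changed" day (field 3, days since the epoch) that lies in the future.

# shadow_audit FILE [TODAY]   TODAY = days since the epoch; defaults to now,
# passing it explicitly keeps the output reproducible.
shadow_audit() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^[+-]/ { next }                        # NIS compatibility markers
        { user = $1; hash = $2; changed = $3 }
        # A change date in the future defeats expiry; checked even for
        # locked accounts, since unlocking them would reactivate the trick.
        changed ~ /^[0-9]+$/ && (changed + 0 > today + 0) { print "FUTURE_CHANGE", user, changed }
        hash == ""     { print "EMPTY_PASSWORD", user; next }
        hash ~ /^[!*]/ { next }                 # locked (!) or disabled (*): nothing to crack
        {
            alg = "descrypt"                    # no $id$ prefix: traditional DES crypt
            if      (hash ~ /^\$1\$/)      alg = "md5"
            else if (hash ~ /^\$2[aby]\$/) alg = "bcrypt"
            else if (hash ~ /^\$5\$/)      alg = "sha256"
            else if (hash ~ /^\$6\$/)      alg = "sha512"
            else if (hash ~ /^\$y\$/)      alg = "yescrypt"
            # yescrypt accepted here is an assumption of this example.
            if (alg != "sha512" && alg != "yescrypt") print "WEAK_HASH", user, alg
        }' "$1"
}

# Constructed sample shadow file; the hash bodies are placeholders, only the
# $id$ prefixes matter for this check.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/shadow" <<'EOF'
root:$6$rounds=5000$saltsalt$notarealhashvalue:19000:0:99999:7:::
alice:$1$legacy$notarealmd5hash:19000:0:99999:7:::
bob::19000:0:99999:7:::
carol:$6$saltsalt$notarealhashvalue:99999:0:99999:7:::
dave:!$6$saltsalt$notarealhashvalue:19000:0:99999:7:::
eve:*:19000:0:99999:7:::
frank:$y$j9T$saltsaltsalt$notarealhash:19000:0:99999:7:::
EOF

shadow_audit "$DEMO_DIR/shadow" 20000
# Live (root or group shadow needed): shadow_audit /etc/shadow
```

With TODAY fixed at 20000 this prints WEAK_HASH alice md5, EMPTY_PASSWORD bob and FUTURE_CHANGE carol 99999; dave and eve are skipped as locked, frank's yescrypt hash and root's sha512 hash pass. Switching the system to SHA-512 (ENCRYPT_METHOD SHA512 in /etc/login.defs, the sha512 option on pam_unix.so) only affects hashes written from then on, which is why the first entry says existing accounts must change their password; a WEAK_HASH line is the list of accounts that still have to.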

CCE-95618-5
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp. Fix: Run the ...

CCE-95682-1
The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. Rationale: FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run th ...

CCE-95704-3
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The file /var/log/tallylog maintains ...

CCE-95671-4
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/nftables.conf file for a nftables file or files to include in the nftables ruleset. Rationale: A nftables ruleset containing the input, forwa ...

CCE-95694-6
The default timeout variable determines the shell timeout for users. The timeout value is measured in seconds. Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer ...

CCE-95619-3
Sudo can be configured to run only from a pseudo-pty. Rationale: Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing. Fix: Edit the file /etc/sudoers or any file in /et ...

CCE-95705-0
A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to whitelist acceptable usage than to blacklist unacceptable usage. FIX: Make sur ...

CCE-95660-7
While no .rhosts files are shipped by default, users can easily create them. Rationale: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf . Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , they may hav ...

CCE-95683-9
The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service. Rationale: The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the ...

CCE-95607-8
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Fix: Run the followin ...

CCE-95706-8
A default deny all policy on connections ensures that any unconfigured network usage will be rejected. With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to whitelist acceptable usage than to blacklist unacceptable usage. FIX: Make sur ...

CCE-95672-2
Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. Rationale: Storing log data on a remote hos ...

CCE-95695-3
Turn on the auditd daemon to record system events. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. Fix: Run the following command to enable aud ...

CCE-95661-5
The .netrc file contains data for logging into a remote host for file transfers via FTP. Rationale: The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from ...

CCE-95684-7
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion. Fix: Run ...

CCE-95608-6
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions. Fix: ...

CCE-95707-6
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Loopback traffic is generated between processes on a machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...

CCE-95673-0
The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. Rationale: Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing lo ...

CCE-95696-1
Once the rsyslog package is installed it needs to be activated. Rationale: If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead. Fix: Run the following command to enable rsyslog # systemctl --now enable rsyslo ...

CCE-95650-8
An SSH private key is one of two files used in SSH public key authentication. In this authentication method, the possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and h ...

CCE-95662-3
The .forward file specifies an email address to forward the user's mail to. Rationale: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execu ...

CCE-95685-4
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Rationale: Time synchronization is important to support time sensi ...

CCE-95609-4
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. Fix: Run the following command to remount /dev/shm: # ...
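The nodev, nosuid and noexec entries for /tmp, /var/tmp and /dev/shm, the nodev entry for user partitions, and the separate-partition entries for /var, /var/log, /var/log/audit and /home are all answered by one look at the mount table. The script below is an added example (not from this CCE catalog and not any benchmark's own script) that checks a /proc/self/mounts-format table against those entries; the policy table inside audit_mounts is this example's reading of the entries and would be adjusted to site policy.

```shell
#!/bin/sh
# Added example, not from the CCE catalog: check mount points and their
# options against a /proc/self/mounts-format table (constructed here).

# mount_opts MOUNTS POINT: options field of the mount at POINT, empty when
# POINT is not a mount point of its own. The last matching line wins, as with
# stacked or bind mounts. Mount points containing spaces appear as \040 in
# /proc/mounts and are not decoded here.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { if (o != "") print o }'
}

# check_mount MOUNTS POINT [opt...]: POINT must be its own filesystem and
# carry every listed option. Prints one status line.
check_mount() {
    mounts=$1 mp=$2; shift 2
    opts=$(mount_opts "$mounts" "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate filesystem"
        return 0
    fi
    missing=
    for want in "$@"; do
        case ",$opts," in *",$want,"*) ;; *) missing="$missing $want" ;; esac
    done
    if [ -n "$missing" ]; then
        # live fix for this case: mount -o remount,<listed options> "$mp"
        echo "$mp: missing$missing"
    else
        echo "$mp: ok"
    fi
}

# Policy table: the example's reading of the entries above.
audit_mounts() {
    check_mount "$1" /tmp nodev nosuid noexec
    check_mount "$1" /var/tmp nodev nosuid noexec
    check_mount "$1" /dev/shm nodev nosuid noexec
    check_mount "$1" /home nodev
    check_mount "$1" /var
    check_mount "$1" /var/log
    check_mount "$1" /var/log/audit
}

# Constructed mount table (same layout as /proc/self/mounts).
SAMPLE_MOUNTS=$(cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1G 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /home ext4 rw,nodev,relatime 0 0
EOF
)

audit_mounts "$SAMPLE_MOUNTS"
# Live: audit_mounts "$(cat /proc/self/mounts)"
```

On the constructed table /tmp and /home pass, /var/tmp is missing all three options, /dev/shm is missing noexec, and /var, /var/log and /var/log/audit are reported as not being separate filesystems (they live on the root filesystem here). Reading the live mount table rather than /etc/fstab is deliberate: fstab shows intent, while /proc/self/mounts shows what is actually in effect, including a remount that dropped an option.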

CCE-95068-3
Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid >= 500, or auid >= 1000 on systems whose UID_MIN is 1000), ...
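Rules of the kind this entry describes (an `-a always,exit` rule on creat/open/openat/truncate/ftruncate filtered on exit=-EACCES or exit=-EPERM and a non-privileged auid, tagged with a key) emit one multi-record event per denied call: the SYSCALL record carries auid, exit and comm, and the PATH record(s) carry the file name. The script below is an added example (not from this CCE catalog and not any benchmark's own script) that joins those records from raw audit.log lines into one line per event; the key name "access" and the constructed, trimmed log lines are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the CCE catalog: summarise denied file-access
# events (rule key "access") from raw audit.log lines, joining the SYSCALL
# record of each event with its PATH record(s) on the shared event id.

# access_summary FILE: one line per event: real user (auid), errno, program
# and target path. Lines in the "node=..." prefixed format are not handled.
access_summary() {
    awk '
        # Event id is the "ts:serial" inside msg=audit(...): shared by every
        # record of one event.
        { id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id) }
        $1 == "type=PATH" {
            for (i = 1; i <= NF; i++) if ($i ~ /^name=/) {
                p = $i; sub(/^name=/, "", p); gsub(/"/, "", p); path[id] = p
            }
            next   # with several items (parent dir, then file) the last wins
        }
        $1 == "type=SYSCALL" && /key="access"/ {
            split("", f)
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            order[++n] = id
            auid[id] = f["auid"]; ex[id] = f["exit"]; comm[id] = f["comm"]
            gsub(/"/, "", comm[id])
        }
        END {
            errno["-13"] = "EACCES"; errno["-1"] = "EPERM"
            for (i = 1; i <= n; i++) {
                id = order[i]
                e = ex[id]; if (e in errno) e = e "(" errno[e] ")"
                printf "auid=%s exit=%s comm=%s file=%s\n",
                       auid[id], e, comm[id], ((id in path) ? path[id] : "?")
            }
        }' "$1"
}

# Constructed sample (trimmed audit.log records; x86_64 syscall 257 is
# openat, 76 is truncate). The fourth event carries a different key and
# must be ignored.
AUDIT_SAMPLE=$(mktemp)
cat > "$AUDIT_SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:1001): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c items=1 pid=1234 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access"
type=CWD msg=audit(1700000000.101:1001): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:1001): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:1002): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c items=2 pid=1240 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" key="access"
type=PATH msg=audit(1700000000.250:1002): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.250:1002): item=1 name="/etc/sudoers" inode=5678 dev=08:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.900:1003): arch=c000003e syscall=76 success=no exit=-1 a0=7ffd1 items=1 pid=2234 auid=1001 uid=1001 euid=1001 tty=pts1 ses=5 comm="truncate" exe="/usr/bin/truncate" key="access"
type=PATH msg=audit(1700000000.900:1003): item=0 name="/root/.bashrc" inode=9012 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000001.000:1004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c items=1 pid=1250 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="logins"
type=PATH msg=audit(1700000001.000:1004): item=0 name="/var/log/lastlog" inode=77 dev=08:01 mode=0100664 ouid=0 ogid=43 rdev=00:00 nametype=NORMAL
EOF

access_summary "$AUDIT_SAMPLE"
# Live: access_summary /var/log/audit/audit.log
```

The three "access" events come out as one line each, attributed to the login user (auid) rather than the effective uid, which is what makes the record useful after a `su` or `sudo`; the lastlog event with key "logins" is left alone. The same join on the event id is what ausearch and aureport do internally, and it is the step most ad hoc greps over audit.log skip, which is why they lose the file name.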

CCE-95045-1
In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private a ...

CCE-95056-8
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. Rationale: The NIS service is inherently an insecure system that has been vulnerable to DoS attacks, buffer overflows and has poor auth ...

CCE-95010-5
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Rationale: The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable ...

CCE-95033-7
The talk software makes it possible for users to send and receive messages across systems through a terminal session. Rationale: The software presents a security risk as it uses unencrypted protocols for communication. Fix: Uninstall the talk package: # apt-get purge talk

CCE-95079-0
Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail. Rationale: The ...

CCE-95044-4
The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0. Rationale: Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward p ...

CCE-95067-5
The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems. Options Explained: disable - would disable the module. disable with error logged - would disable the module and log whenever module is inserted. enable ...

CCE-95021-2
The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. Rationale: Setting this parameter forces users to enter a password when authenticating with ssh. Fix: Edit the /etc/ssh/sshd_config file to set the parameter ...

CCE-95055-0
Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters. Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changi ...

CCE-95032-9
The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles ...

CCE-95047-7
This setting disables the system's ability to accept IPv6 router advertisements. Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trus ...

CCE-95001-4
Normally, auditd will hold 4 logs of maximum log file size before deleting older log files. Rationale: In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.

CCE-95012-1
The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user a ...

CCE-95035-2
The rsh package contains the client commands for the rsh services. Rationale: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inad ...

CCE-95058-4
When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will i ...

CCE-95046-9
The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. * retr ...

CCE-95023-8
The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non ...

CCE-95069-1
User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled. Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed l ...

CCE-95011-3
In some installations, AIDE is not installed automatically. Rationale: Ensure AIDE is installed to make use of the file integrity features to monitor critical files for changes that could affect the security of the system.

CCE-95057-6
Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Rationale: Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

CCE-95034-5
The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. Rationale: It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, ...

CCE-95064-2
Set the system flag to force randomized virtual memory region placement. Disabled = no ASLR (memory addresses would not be randomized). Conservative Randomization = randomize addresses for the stack, heap, shared libraries, PIE binaries, mmap() and the VDSO. Full Randomization = Conservative Randomization + memory managed ...

CCE-95041-0
Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential addition, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory. Rationale: Changes to files in this directory could indicate that an unauthorized u ...

CCE-95087-3
Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and ...

CCE-95098-0
The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate. Rationale: It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by ...

CCE-95052-7
Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the ...

CCE-95075-8
ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects. Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt ...

CCE-95040-2
The rsyslog package is a third-party package that provides many enhancements to syslog, such as multi-threading, TCP communication, message filtering and database support. Rationale: The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log ...

CCE-95063-4
When enabled, this feature logs packets with un-routable source addresses to the kernel log. Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server. Fix: Set the net.ipv4.conf.all ...

CCE-95086-5
Monitor the use of system calls associated with the deletion or renaming of files. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file relative to a directory file descriptor), rename (rename a file) and renameat (rename a file relative to a directory file descriptor) system calls and ta ...

CCE-95074-1
The PermitUserEnvironment option allows users to present environment options to the ssh daemon. Rationale: Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executin ...

CCE-95097-2
The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices. Options Explained: disable - would disable the module. disable with error logged - would disable the module and log whenever module is inserted. enable - would enable the module ...

CCE-95051-9
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. Options Explained: disable - would disable the module. disable with error logged - would disable the module and log whenever module is inserted. enable - would enable th ...

CCE-95089-9
The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ...

CCE-95066-7
There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. ...

CCE-95020-4
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. Options Explained: disable - would disable the module. disable with error logged - wo ...

CCE-95043-6
By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port. Rationale: The guidance in the sect ...

CCE-95054-3
Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of ...

CCE-95077-4
The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user ...

CCE-95710-0
X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays. Rationale: XDMCP is inherently insecure. 1. XDMCP is not an encrypted protocol. This may allow an attacker to capture keystrokes entered ...

CCE-95065-9
The /etc/shadow file contains the one-way hashed passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root. UID - User Identifier is a number assigned by Linux to each user on the system. This number is used to identify the ...

CCE-95088-1
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. Rationale: Setting the MaxAuthTries parameter to a low nu ...

CCE-95042-8
The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a d ...

CCE-95030-3
This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic. Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes w ...

CCE-95076-6
ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system wil ...

CCE-95053-5
The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings. Rationale: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system. Fix: Edit the /etc/ssh/sshd_config file t ...

CCE-95099-8
The X Window system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window system is typically used on desktops where users log in, but not on servers where users typically do not log in. Note: The patch can lead to log ...

CCE-95083-2
The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image. Options Explained: disable - would disable the module. disable with error logged - would disable the module an ...

CCE-95060-0
The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ...

CCE-95105-3
The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file. Rationale: The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the se ...

CCE-91182-6
The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file. Rationale: The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to th ...

CCE-95007-1
The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root. UID - User Identifier is a number assigned by Linux to each user on the system. This number is used to identify the user to the ...

CCE-95018-8
The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image. Options Explained: disable - would disable the module. disable with error logged - wou ...

CCE-95071-7
Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. Rationale: It is still possible for even known gateways to be compromised. Sett ...

CCE-95094-9
Set the owner and group of your boot loaders config file to the root user. These instructions default to GRUB stored at /boot/grub/grub.cfg. Rationale: Setting the owner and group to root prevents non-root users from changing the file.

CCE-95104-6
Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to ...

CCE-95029-5
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...

CCE-95006-3
Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast frames, keeping file systems from filling up with useless log messages. Rationale: Some routers (and some attackers) will send responses that violate RFC-1122 an ...

CCE-95093-1
The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server. Rationale: It is recommended that physical ...

CCE-95017-0
Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ...

CCE-95070-9
Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a ...

CCE-95009-7
The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root. Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this informati ...

CCE-95062-6
Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses. Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your ho ...

CCE-95085-7
Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the system's host name) or setdomainname (set the system's domain name) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.n ...

CCE-95050-1
Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6. Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system. Fix: Create or edit the file /etc/sysctl.conf and add the following lines and run sysctl -p ...

CCE-95073-3
The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to us ...

CCE-95107-9
This variable limits the types of ciphers that SSH can use during communication. Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up ...

CCE-95084-0
Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. Rationale: It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. Fix: Set ...

CCE-99444-2
Description: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages ...

CCE-95061-8
TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have fallen into disuse, any service that can support tcp wrappers ...

CCE-95072-5
The INFO level specifies that login and logout activity will be recorded. Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is ...

CCE-95008-9
The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate. Rationale: It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by d ...

CCE-95019-6
The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. UID - User Identifier is a number assigned by Linux to each user on the system. This number is used to ...

CCE-95095-6
This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root ...

CCE-95101-2
The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the use of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2. Rationale: Even though the .rhosts files ...

CCE-95003-0
Set system audit so that audit rules cannot be modified with auditctl. Setting the flag -e 2 forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Rationale: In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide mal ...

CCE-95049-3
The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. Options Explained: disa ...

CCE-95090-7
The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead ed ...

CCE-95014-7
Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged w ...

CCE-95037-8
The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats. Optio ...

CCE-95100-4
SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure. Rationale: SSH v1 suffers from insecurities that do not affect SSH v2. Fix: Edit the /etc/ssh/sshd_config file to set the param ...

CCE-95048-5
The auditd daemon can be configured to halt the system when the audit logs are full. Rationale: In high security contexts, the value of detecting unauthorized access and preserving nonrepudiation exceeds the benefit of the system's availability.

CCE-95002-2
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures ...

CCE-95025-3
There are a number of accounts provided with Ubuntu that are used to manage applications and are not intended to provide an interactive shell. Rationale: It is important to make sure that accounts that are not being used by regular users are locked to prevent them from being used to provide an inte ...

CCE-95013-9
The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems. Options Explained: disable - would disable the module. disable with error logged - would disable the module and log whenever module is inserted. enable - would ena ...

CCE-95036-0
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. Rationale: Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of use ...

CCE-95059-2
Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user. Rationale: It is highly unusual for a n ...

CCE-95081-6
The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems. Options Explained: disable - would disable the module. disable with error logged - would disable the module and log whenever module is inserted. enable - would enable the module. Rationale: ...
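The filesystem and protocol module entries on this page (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, dccp, sctp, rds, tipc) each describe a "disable" option without showing the mechanism. The script below is an added example, not code from the benchmark or from this site: it writes the modprobe.d fragment that implements "disable" (an `install <module> /bin/true` line, which makes modprobe run /bin/true instead of loading the module) and checks an existing modprobe.d directory for modules from that list that are still loadable. The module list is taken from the entries above; the sample directory it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: generate and verify modprobe.d "disable" lines for the
# filesystem and protocol modules listed in the entries above.

UNWANTED_MODULES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf dccp sctp rds tipc"

# Emit a modprobe.d fragment that disables every module in the list.
# "install <mod> /bin/true" stops explicit loads (modprobe/insmod by name) as
# well as dependency loads; "blacklist" alone only stops alias-based
# autoloading, so both lines are written for each module.
gen_modprobe_conf() {
    for m in $UNWANTED_MODULES; do
        echo "install $m /bin/true"
        echo "blacklist $m"
    done
}

# Print the modules from the list that are NOT disabled in directory DIR.
# A module counts as disabled when some *.conf file in DIR has an uncommented
# "install <mod> /bin/true" (or /bin/false) line. Commented-out lines do not count.
undisabled_modules() {
    dir="$1"
    for m in $UNWANTED_MODULES; do
        if ! cat "$dir"/*.conf 2>/dev/null |
             grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(true|false)"'([[:space:]]|$)'; then
            echo "$m"
        fi
    done
}

# Modules from the list that are loaded right now (a disable line only
# prevents future loads; an already-loaded module must be unloaded with rmmod).
loaded_unwanted_modules() {
    command -v lsmod >/dev/null 2>&1 || return 0
    for m in $UNWANTED_MODULES; do
        if lsmod | awk '{ print $1 }' | grep -Fxq "$m"; then echo "$m"; fi
    done
}

# Demonstration on a constructed directory (not a real host's modprobe.d):
# one module (udf) is only commented out, so it is reported as still loadable.
tmp=$(mktemp -d)
gen_modprobe_conf | grep -v '^install udf\|^blacklist udf' > "$tmp/hardening.conf"
echo '# install udf /bin/true' >> "$tmp/hardening.conf"
echo "still loadable in $tmp: $(undisabled_modules "$tmp" | tr '\n' ' ')"
echo "still loadable on this host: $(undisabled_modules /etc/modprobe.d | tr '\n' ' ')"
rm -rf "$tmp"
```

On a real host, write the generated fragment to a file such as /etc/modprobe.d/hardening.conf and confirm with `modprobe -n -v <module>`, which prints the `install /bin/true` line instead of an `insmod` path once the override is in effect. Two caveats before disabling everything on the list: snap packages on Ubuntu are squashfs images mounted by snapd, so disabling squashfs breaks snaps, and udf is needed to read some optical media.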

CCE-95103-8
The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ...

CCE-95005-5
The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root acce ...

CCE-95028-7
The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking pro ...

CCE-95039-4
The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days. Rationale: Providing an advance warning that a password will be expiring g ...
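The PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE entries above set defaults in /etc/login.defs, and the inactive-account entry sets a 35-day limit; none of those defaults changes accounts that already exist, whose aging lives in the fields of /etc/shadow. The script below is an added example, not code from the benchmark or this site: it checks a login.defs-style file against the thresholds from those entries (60, 7, 7 and 35 days) and then scans a shadow-format file for accounts with a usable password hash whose per-account fields violate them, flagging empty password fields on the way. The login.defs and shadow samples it builds are constructed for the demonstration; the hash strings in them are placeholders.

```shell
#!/bin/sh
# Added example: password-aging checks for the login.defs and shadow entries above.

# Thresholds from the entries on this page.
MAX_DAYS=60; MIN_DAYS=7; WARN_AGE=7; INACTIVE_DAYS=35

# FILE KEY -> value from the last uncommented "KEY value" line (login.defs syntax).
login_defs_value() {
    awk -v key="$2" '/^[ \t]*#/ { next } $1 == key { v = $2 } END { print v }' "$1"
}

# Check the defaults in a login.defs-style FILE. These only apply to accounts
# created after the change, so this is necessary but not sufficient.
check_login_defs() {
    f="$1"; bad=0
    v=$(login_defs_value "$f" PASS_MAX_DAYS)
    { [ -n "$v" ] && [ "$v" -le "$MAX_DAYS" ]; } 2>/dev/null || { echo "PASS_MAX_DAYS=${v:-unset} (want <= $MAX_DAYS)"; bad=1; }
    v=$(login_defs_value "$f" PASS_MIN_DAYS)
    { [ -n "$v" ] && [ "$v" -ge "$MIN_DAYS" ]; } 2>/dev/null || { echo "PASS_MIN_DAYS=${v:-unset} (want >= $MIN_DAYS)"; bad=1; }
    v=$(login_defs_value "$f" PASS_WARN_AGE)
    { [ -n "$v" ] && [ "$v" -ge "$WARN_AGE" ]; } 2>/dev/null || { echo "PASS_WARN_AGE=${v:-unset} (want >= $WARN_AGE)"; bad=1; }
    return $bad
}

# Scan a shadow-format FILE (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# Accounts whose hash field starts with "!" or "*" are locked or have no password
# and are skipped; an empty hash field means login with no password and is reported.
shadow_aging_violations() {
    awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_AGE" -v inact="$INACTIVE_DAYS" '
        NF < 2 { next }
        $2 == "" { print $1 ": empty password"; next }
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 > max   { print $1 ": max=" ($5 == "" ? "unset" : $5) " (want <= " max ")" }
        $4 == "" || $4 < min   { print $1 ": min=" ($4 == "" ? "unset" : $4) " (want >= " min ")" }
        $6 == "" || $6 < warn  { print $1 ": warn=" ($6 == "" ? "unset" : $6) " (want >= " warn ")" }
        $7 == "" || $7 > inact { print $1 ": inactive=" ($7 == "" ? "unset" : $7) " (want <= " inact ")" }
    ' "$1"
}

# Constructed samples (not from a real host). The commented PASS_MAX_DAYS line
# shows that comments are ignored; the hashes below are placeholders, not real.
write_sample_login_defs() {
    cat > "$1" <<'EOF'
# PASS_MAX_DAYS 60
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
}
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$placeholderhash:19700:0:99999:7:::
alice:$6$placeholderhash:19700:7:60:7:35::
bob:$6$placeholderhash:19700:0:90:7:::
svc:!:19700:0:99999:7:::
guest::19700:0:99999:7:::
EOF
}

# Demonstration: root and bob violate three fields each, guest has no password,
# alice is compliant and svc is locked.
d=$(mktemp); s=$(mktemp)
write_sample_login_defs "$d"; write_sample_shadow "$s"
check_login_defs "$d" || echo "(login.defs defaults are non-compliant)"
shadow_aging_violations "$s"
rm -f "$d" "$s"
```

On a live host, run `shadow_aging_violations /etc/shadow` as root, compare with `chage -l <user>` for any account it reports, and check the default for new accounts with `useradd -D` (the INACTIVE field is what the 35-day entry above sets). Fix existing accounts with `chage -M 60 -m 7 -W 7 -I 35 <user>` rather than by editing login.defs.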

CCE-95080-8
The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. Rationale: Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department f ...
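The sshd_config entries on this page (Protocol, PermitRootLogin, IgnoreRhosts, HostbasedAuthentication, PermitEmptyPasswords, PermitUserEnvironment, X11Forwarding, LogLevel, MaxAuthTries, Banner, Ciphers and the Allow/Deny user and group lists) are each checked by reading one keyword, and reading it correctly matters: sshd keywords are case-insensitive, the first value found for a keyword wins, and anything after a `Match` line applies only to matching connections. The script below is an added example, not code from the benchmark or this site: it reads a global keyword value with those rules and audits a file against the settings the entries call for. The threshold of 4 for MaxAuthTries is the common benchmark value and is an assumption here; the sample configuration it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the SSH entries above.

# FILE KEYWORD -> the global value of KEYWORD. Keywords are matched
# case-insensitively, the FIRST occurrence wins (as sshd does), and parsing stops
# at the first Match block because values inside it are conditional.
# Only the usual "Keyword value" form is handled, not "Keyword=value".
sshd_config_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# FILE -> one "FAIL ..." line per deviation; returns 1 if any.
check_sshd_config() {
    f="$1"; bad=0
    # Exact-value keywords. Current OpenSSH releases no longer support protocol 1
    # at all and ignore the Protocol keyword, so that check matters only on old hosts.
    for pair in Protocol=2 PermitRootLogin=no IgnoreRhosts=yes HostbasedAuthentication=no \
                PermitEmptyPasswords=no PermitUserEnvironment=no X11Forwarding=no LogLevel=INFO; do
        key=${pair%%=*}; want=${pair#*=}; got=$(sshd_config_value "$f" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key is '${got:-unset}', want '$want'"; bad=1; }
    done
    tries=$(sshd_config_value "$f" MaxAuthTries)
    { [ -n "$tries" ] && [ "$tries" -le 4 ]; } 2>/dev/null || { echo "FAIL MaxAuthTries is '${tries:-unset}', want 4 or less"; bad=1; }
    banner=$(sshd_config_value "$f" Banner)
    { [ -n "$banner" ] && [ "$banner" != none ]; } || { echo "FAIL Banner is not set"; bad=1; }
    # The Ciphers entry above is truncated, so only the presence of a restriction is checked.
    [ -n "$(sshd_config_value "$f" Ciphers)" ] || { echo "FAIL Ciphers is not restricted"; bad=1; }
    lists=0
    for key in AllowUsers AllowGroups DenyUsers DenyGroups; do
        if [ -n "$(sshd_config_value "$f" "$key")" ]; then lists=1; fi
    done
    [ "$lists" = 1 ] || { echo "FAIL no AllowUsers/AllowGroups/DenyUsers/DenyGroups line"; bad=1; }
    return $bad
}

# Constructed sample (not from a real host). The Match block at the end sets
# PermitRootLogin no for one user only; the global "yes" above it still counts.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# sample sshd_config
Protocol 2
PermitRootLogin yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
X11Forwarding yes
LogLevel INFO
MaxAuthTries 6
Banner /etc/issue.net
AllowGroups sshusers
Match User backup
    PermitRootLogin no
    X11Forwarding no
EOF
}

tmp=$(mktemp)
write_sample_sshd_config "$tmp"
check_sshd_config "$tmp" || echo "(sample is non-compliant)"
rm -f "$tmp"
```

Against a live host, `sshd -T` (run as root) prints the effective value of every keyword after Include files, defaults and Match processing; piping that through `check_sshd_config /dev/stdin` is more reliable than reading /etc/ssh/sshd_config itself, because Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own settings, and the first value seen wins.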

CCE-95004-8
The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog. Rationale: By keeping the log files smaller and ...

CCE-95027-9
IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. ufw was developed to ease IPtables firewall configuration. Rationale: IPtables provides extra protection for the Linux system by limiting communicatio ...

CCE-95038-6
The prelinking feature changes binaries in an attempt to decrease their startup time. Rationale: The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a com ...

CCE-95015-4
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Groups in Linux are defined by GIDs (group IDs). Just like with UIDs, the first 100 GIDs are usually reserved for system use. The ...

CCE-95711-8
Description: The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. Rationale: If one application is compromised, it would be ...
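The kernel-parameter entries on this page (ip_forward, send_redirects, accept_redirects, secure_redirects, source routing, log_martians, rp_filter, icmp_echo_ignore_broadcasts, icmp_ignore_bogus_error_responses, tcp_syncookies, router advertisements, disabling IPv6, ASLR and ptrace) are all sysctl settings, and a host can be non-compliant in two different ways: the configuration file is wrong, or the file is right but the running kernel was changed later (sysctl -w, or a later file in /etc/sysctl.d overriding it). The script below is an added example, not code from the benchmark or this site: it parses a sysctl.conf-style file the way sysctl does (last assignment of a key wins), compares it against the expected values, and does the same comparison against the running kernel when the sysctl command is available. Assumptions: the exact keys for the truncated "router advertisements" and "disable IPv6" entries are taken to be net.ipv6.conf.*.accept_ra and net.ipv6.conf.*.disable_ipv6, "Full Randomization" is kernel.randomize_va_space=2, and the ptrace entry is taken to be kernel.yama.ptrace_scope=1; the sample configuration it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare a sysctl configuration file (and, if possible, the live
# kernel) with the values the sysctl entries on this page call for.

# key=value pairs from the entries above. The accept_ra, disable_ipv6,
# randomize_va_space and ptrace_scope keys are assumptions for entries whose
# exact text is truncated on the page.
EXPECTED_SYSCTL='net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
kernel.randomize_va_space=2
kernel.yama.ptrace_scope=1'

# FILE KEY -> the effective value of KEY in a sysctl.conf-style file
# ("key = value", lines starting with # or ; are comments). sysctl applies
# lines in order, so the last assignment wins. Prints nothing if KEY is absent.
sysctl_file_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# FILE -> one MISSING/WRONG line per expected key that is absent or wrong; returns 1 if any.
check_sysctl_file() {
    file="$1"; bad=0
    for entry in $EXPECTED_SYSCTL; do
        key=${entry%%=*}; want=${entry#*=}
        got=$(sysctl_file_value "$file" "$key")
        if [ -z "$got" ]; then echo "MISSING $key (want $want)"; bad=1
        elif [ "$got" != "$want" ]; then echo "WRONG   $key=$got (want $want)"; bad=1
        fi
    done
    return $bad
}

# Same comparison against the running kernel, which is what actually matters.
check_sysctl_running() {
    bad=0
    for entry in $EXPECTED_SYSCTL; do
        key=${entry%%=*}; want=${entry#*=}
        got=$(sysctl -n "$key" 2>/dev/null) || { echo "UNAVAILABLE $key"; continue; }
        [ "$got" = "$want" ] || { echo "RUNNING $key=$got (want $want)"; bad=1; }
    done
    return $bad
}

# Constructed sample (not from a real host): one value is wrong, most keys are
# missing, and rp_filter is assigned twice to show that the later line wins.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
# hardening sample
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 0
kernel.randomize_va_space = 2
EOF
}

tmp=$(mktemp)
write_sample_sysctl "$tmp"
check_sysctl_file "$tmp" || echo "(sample file is non-compliant)"
rm -f "$tmp"
if command -v sysctl >/dev/null 2>&1; then check_sysctl_running || echo "(running kernel deviates)"; fi
```

Run `check_sysctl_file` against every file that sysctl loads (/etc/sysctl.conf and /etc/sysctl.d/*.conf) as well as `check_sysctl_running`; a passing file with a failing kernel means something changed the values after boot, and a failing file with a passing kernel means the hardening will not survive a reboot. Values for net.ipv6.* keys are reported as UNAVAILABLE when IPv6 is disabled at the boot loader rather than by sysctl.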

CCE-95737-3
Description: Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Rationale: Protecting the integrity of the tools u ...

CCE-95721-7
Description: Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated. Rationale: By ...

CCE-95719-1
Description: Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an ...

CCE-95723-3
Description: The operating system must generate audit records for successful/unsuccessful uses of the chcon command. Rationale: The chcon command is used to change file security context. Without generating audit records that are specific to the security and mission needs of the organization, it would b ...

CCE-95724-1
Description: The operating system must generate audit records for successful/unsuccessful uses of the setfacl command. Rationale: This utility sets Access Control Lists (ACLs) of files and directories. Without generating audit records that are specific to the security and mission needs of the organizat ...

CCE-95725-8
Description: The operating system must generate audit records for successful/unsuccessful uses of the chacl command. Rationale: chacl changes the ACL(s) for a file or directory. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu ...

CCE-95736-5
Description: Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Rationale: Protecting audit information includes ...

CCE-95742-3
Description: The autorun-never setting allows the GNOME Desktop Display Manager to disable autorun through GDM. By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The f ...

CCE-95731-6
Description: Audit configuration files control auditd and what events are audited. Rationale: Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events ...

CCE-95720-9
Description: Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. Note: * The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. * With regards ...

CCE-95738-1
/etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh and available to be queried by other programs. Rationale: It is critical to ensure that the /etc/shells file is protected from unauthorized access. Although it is protected by defa ...

CCE-95727-4
Description: Audit log files contain information about the system and system activity. Rationale: Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. Remediation: Run the following command to set permission on audit log files:ch ...

CCE-95729-0
Description: Audit log files contain information about the system and system activity. Rationale: Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. Remediation: Set the log_group parameter under /etc/audit/auditd.conf file ...

CCE-95726-6
Description: The operating system must generate audit records for successful/unsuccessful uses of the usermod command. Rationale: The usermod command modifies the system account files to reflect the changes that are specified on the command line. Without generating audit records that are specific to th ...

CCE-95714-2
Description: systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. Rationale: systemd-timesyncd needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security me ...

CCE-95730-8
Description: The audit log directory contains audit log files. Rationale: Audit information includes all information including: audit records, audit settings and audit reports. This information is needed to successfully audit system activity. This information must be protected from unauthorized mo ...

CCE-95718-3
Description: Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an a ...

CCE-95712-6
Description: dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services. Rationale: Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed ...

CCE-95735-7
Description: Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Rationale: Protecting audit information includes ...

CCE-95713-4
Description: systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. NTP: A space-separated list of NTP server host names or IP addresses. During runtime this list is combined with any per-interface NTP servers acquired from systemd-networkd.service( ...

CCE-95740-7
Bluetooth is a short-range wireless technology standard that is used for exchanging data between devices over short distances. It employs UHF radio waves in the ISM bands, from 2.402 GHz to 2.48 GHz. It is mainly used as an alternative to wire connections. Rationale: An attacker may be able to fin ...

CCE-95741-5
Description: The autorun-never setting allows the GNOME Desktop Display Manager to disable autorun through GDM. Rationale: Malware on removable media may take advantage of Autorun features when the media is inserted into a system and execute. Fix: Edit or create the file /etc/dconf/db/local.d/00- ...

CCE-95728-2
Description: Audit log files contain information about the system and system activity. Rationale: Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. Remediation: Run the following command to configure the audit log files to ...

CCE-95734-0
Description: Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Rationale: Protecting audit information includes ...

CCE-99460-8
Description: The `nosuid` mount option specifies that the filesystem cannot contain `setuid` files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. Audit: Verify that the `nosuid` option ...

CCE-99462-4
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log. Fix: Run the following comma ...

CCE-99473-1
Without reauthentication, users may access resources or perform tasks for which they do not have authorization.

CCE-95622-7
Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Rationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden. Note: Thi ...

CCE-99461-6
Description: The `nodev` mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/log. Audit: Verify that th ...

CCE-99464-0
Description: The `nosuid` mount option specifies that the filesystem cannot contain `setuid` files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. Audit: Verify that the `nosuid` option ...

CCE-99475-6
Sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. If the value is set to an integer less than 0, the user's time stamp will not expire and the user w ...

CCE-99463-2
Description: The `nosuid` mount option specifies that the filesystem cannot contain `setuid` files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. Audit: Verify that the `nosuid` option ...

CCE-99474-9
Without reauthentication, users may access resources or perform tasks for which they do not have authorization.

CCE-99454-1
Description: By default GNOME automatically mounts removable media when inserted as a convenience to the user. By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyfile d ...

CCE-99453-3
Description: By default GNOME automatically mounts removable media when inserted as a convenience to the user. Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked perm ...

CCE-99456-6
Description: GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time. Rationale: Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unatte ...

CCE-99455-8
Description: GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time. By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyf ...

CCE-95092-3
A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user. Rationale: ...

CCE-99459-0
Description: The `nodev` mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var. Audit: Verify that the `nodev ...

CCE-95715-9
Description: The pwquality difok option sets the number of characters in a password that must not be present in the old password. Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the eff ...

CCE-95716-7
The pwquality dictcheck option sets whether to check for the words from the cracklib dictionary. Rationale: If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, a ...

CCE-95717-5
The pwquality maxrepeat option sets the maximum number of allowed same consecutive characters in a new password. Rationale: Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a ...

CCE-99451-7
To properly set the permissions of '/etc/gshadow', run the command:

CCE-90414-4
If any password hashes are stored in '/etc/passwd' (in the second field, instead of an 'x'), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

CCE-95739-9
/etc/security/opasswd and its backup /etc/security/opasswd.old hold users' previous passwords if pam_unix or pam_pwhistory is in use on the system. Rationale: It is critical to ensure that /etc/security/opasswd is protected from unauthorized access. Although it is protected by default, the file p ...

CCE-95757-1
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95759-7
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95790-2
The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited b ...

CCE-95766-2
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be de ...

CCE-95765-4
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95767-0
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. Fix: Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already ...

CCE-95768-8
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users ...

CCE-95779-5
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The apparmor_parser command is used as a general tool to ...

CCE-95763-9
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95764-7
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95781-1
The Ubuntu operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. Configure the Ubuntu operating system to ...

CCE-95760-5
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95758-9
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The chsh command allows you to change the login shell of ...

CCE-95789-4
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The sudoedit command is used to edit files with elevated ...

CCE-95785-2
Linux has a special directory for storing logs called /var/log. This directory contains logs from the OS itself, services, and various applications running on the system. Only authorized personnel should be aware of logs and the details of the logs. It is critical to ensure that the /var/log directo ...

CCE-95794-4
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. Fixtext: Configure the Ubuntu operating system to do certificate status checking for multifactor authentication. Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pa ...

CCE-95753-0
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The chfn command allows you to change a user’s nam ...

CCE-95780-3
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The fdisk command is an interactive tool that is used to ...

CCE-95770-4
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment va ...

CCE-95783-7
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. The Ubuntu operating system must synchronize in ...

CCE-95769-6
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Fixtext: Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match th ...

CCE-95795-1
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to ...

CCE-95774-6
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a ...

CCE-95782-9
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional at ...

CCE-95755-5
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95796-9
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filt ...

CCE-95786-0
The /var/log/syslog file on Linux systems contains system messages logged by various services and the kernel. Only authorized personnel should be aware of logs and the details of the logs. It is critical to ensure that the /var/log/syslog directory is protected from unauthorized access. Although it ...

CCE-95793-6
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructu ...

CCE-95756-3
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95761-3
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to ...

CCE-95773-8
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional at ...

CCE-95762-1
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95752-2
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components w ...

CCE-95788-6
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with ...

CCE-95754-8
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ...

CCE-95778-7
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Fixtext: Edit the fil ...

CCE-95787-8
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. If an account is configured for password authentication but does not have an assigned password, it may be pos ...

CCE-95784-5
The operating system must display the date and time of the last successful account logon upon logon. Rationale: Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. Fixtext: Add the following line to the top of ...

CCE-95791-0
Description: The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic pro ...

CCE-95792-8
The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in ac ...

CCE-95625-0
The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal crede ...

CCE-95626-8
The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP client, it is recommended that the softwa ...

CCE-95678-9
The rsyncd service can be used to synchronize files between systems over network links. Rationale: The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Fix: Run the following command to disable rsync # systemctl --now disa ...

CCE-95623-5
The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Rationale: If there are no xinetd service ...

CCE-95624-3
The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Rationale: If there are no inetd services required, it is recommended that the daemon be removed. Fix: Run the following command to uninstall openbsd-i ...

CPE    1
cpe:/o:ubuntu:ubuntu_linux:20.04
*XCCDF
xccdf_org.secpod_benchmark_general_Ubuntu_20.04
OVAL    256
oval:org.secpod.oval:def:70770
oval:org.secpod.oval:def:70821
oval:org.secpod.oval:def:65999
oval:org.secpod.oval:def:65921
...

© SecPod Technologies