{"id":4046,"date":"2014-12-03T00:08:20","date_gmt":"2014-12-02T16:08:20","guid":{"rendered":"http:\/\/rmohan.com\/?p=4046"},"modified":"2014-12-03T00:08:20","modified_gmt":"2014-12-02T16:08:20","slug":"red-hat-enterprise-linux-6-security-tips-and-hardening","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=4046","title":{"rendered":"Red Hat Enterprise Linux 6 Security TIPS and Hardening"},"content":{"rendered":"

 <\/p>\n

Rules In Pre-release Final STIG for Red Hat Enterprise Linux 6<\/i><\/div>\n

 <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
V-ID<\/td>\nCCI<\/td>\nCAT<\/td>\nTitle<\/td>\nDescription<\/td>\nCheck Procedures<\/td>\nFixtext<\/td>\n<\/tr>\n<\/thead>\n
RHEL-06-000001<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must use a separate file system for \/tmp.<\/td>\nThe \/tmp<\/code> partition is used as temporary storage by many programs. Placing \/tmp<\/code> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.<\/td>\nRun the following command to determine if \/tmp <\/code> is on its own partition or logical volume:<\/p>\n
$ mount | grep \"on \/tmp \"<\/pre>\n
If \/tmp <\/code> has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.<\/td>\n
The \/tmp<\/code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.<\/td>\n<\/tr>\n
RHEL-06-000002<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must use a separate file system for \/var.<\/td>\nEnsuring that \/var<\/code> is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the \/var<\/code> directory to contain world-writable directories installed by other software packages.<\/td>\nRun the following command to determine if \/var <\/code> is on its own partition or logical volume:<\/p>\n
$ mount | grep \"on \/var \"<\/pre>\n
If \/var <\/code> has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.<\/td>\n
The \/var<\/code> directory is used by daemons and other system services to store frequently-changing data. Ensure that \/var<\/code> has its own partition or logical volume at installation time, or migrate it using LVM.<\/td>\n<\/tr>\n
RHEL-06-000003<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must use a separate file system for \/var\/log.<\/td>\nPlacing \/var\/log<\/code> in its own partition enables better separation between log files and other files in \/var\/<\/code>.<\/td>\nRun the following command to determine if \/var\/log <\/code> is on its own partition or logical volume:<\/p>\n
$ mount | grep \"on \/var\/log \"<\/pre>\n
If \/var\/log <\/code> has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.<\/td>\n
System logs are stored in the \/var\/log<\/code> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.<\/td>\n<\/tr>\n
RHEL-06-000004<\/td>\nCCI-000137<\/td>\nlow<\/td>\nThe system must use a separate file system for the system audit data path.<\/td>\nPlacing \/var\/log\/audit<\/code> in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.<\/td>\nRun the following command to determine if \/var\/log\/audit <\/code> is on its own partition or logical volume:<\/p>\n
$ mount | grep \"on \/var\/log\/audit \"<\/pre>\n
If \/var\/log\/audit <\/code> has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.<\/td>\n
Audit logs are stored in the \/var\/log\/audit<\/code> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.<\/td>\n<\/tr>\n
RHEL-06-000005<\/td>\nCCI-000138<\/td>\nmedium<\/td>\nThe audit system must alert designated staff members when the audit storage volume approaches capacity.<\/td>\nNotifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.<\/td>\nInspect \/etc\/audit\/auditd.conf<\/code> and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action \/etc\/audit\/auditd.conf<\/code><\/p>\n
space_left_action<\/pre>\n
Acceptable values are email<\/code>, suspend<\/code>, single<\/code>, and halt<\/code>. If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding.<\/td>\n
The auditd<\/code> service can be configured to take an action when disk space starts<\/i> to run low. Edit the file \/etc\/audit\/auditd.conf<\/code>. Modify the following line, substituting ACTION<\/i> appropriately:<\/p>\n
space_left_action = ACTION<\/i><\/pre>\n
Possible values for ACTION<\/i> are described in the auditd.conf<\/code> man page. These include:<\/p>\n
    \n
  • ignore<\/code><\/li>\n
  • syslog<\/code><\/li>\n
  • email<\/code><\/li>\n
  • exec<\/code><\/li>\n
  • suspend<\/code><\/li>\n
  • single<\/code><\/li>\n
  • halt<\/code><\/li>\n<\/ul>\n
    Set this to email<\/code> (instead of the default, which is suspend<\/code>) as it is more likely to get prompt attention. Acceptable values also include suspend<\/code>, single<\/code>, and halt<\/code>.<\/td>\n<\/tr>\n
RHEL-06-000007<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must use a separate file system for user home directories.<\/td>\nEnsuring that \/home<\/code> is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.<\/td>\nRun the following command to determine if \/home <\/code> is on its own partition or logical volume:<\/p>\n
$ mount | grep \"on \/home \"<\/pre>\n
If \/home <\/code> has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.<\/td>\n
If user home directories will be stored locally, create a separate partition for \/home<\/code> at installation time (or migrate it later using LVM). If \/home<\/code> will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.<\/td>\n<\/tr>\n
RHEL-06-000008<\/td>\nCCI-000352<\/td>\nhigh<\/td>\nVendor-provided cryptographic certificates must be installed to verify the integrity of system software.<\/td>\nThe Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.<\/td>\nTo ensure that the GPG key is installed, run:<\/p>\n
$ rpm -q --queryformat \"%{SUMMARY}\\n\" gpg-pubkey<\/pre>\n
The command should return the string below:<\/p>\n
gpg(Red Hat, Inc. (release key 2)  <security@redhat.com><\/pre>\n
If the Red Hat GPG Key is not installed, this is a finding.<\/td>\n
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:<\/p>\n
$ sudo rhn_register<\/pre>\n
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in \/media\/cdrom<\/code>, use the following command as the root user to import it into the keyring:<\/p>\n
$ sudo rpm --import \/media\/cdrom\/RPM-GPG-KEY<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000009<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.<\/td>\nAlthough systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the rhnsd<\/code> daemon can remain on.<\/td>\nTo check that the rhnsd<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig rhnsd<\/code> --list<\/pre>\n
Output should indicate the rhnsd<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig rhnsd<\/code> --list\r\nrhnsd<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify rhnsd<\/code> is disabled through current runtime configuration:<\/p>\n
# service rhnsd status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
rhnsd is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The rhnsd<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig rhnsd off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000011<\/td>\nCCI-001233<\/td>\nmedium<\/td>\nSystem security patches and updates must be installed and up-to-date.<\/td>\nInstalling software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.<\/td>\nIf the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available:<\/p>\n
$ sudo yum check-update<\/pre>\n
If the system is not configured to update from one of these sources, run the following command to list when each package was last updated:<\/p>\n
$ rpm -qa -last<\/pre>\n
Compare this to Red Hat Security Advisories (RHSA) listed at https:\/\/access.redhat.com\/security\/updates\/active\/ to determine if the system is missing applicable updates. If updates are not installed, this is a finding.<\/td>\n
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:<\/p>\n
$ sudo yum update<\/pre>\n
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm<\/code>.<\/td>\n<\/tr>\n
RHEL-06-000013<\/td>\nCCI-000663<\/td>\nmedium<\/td>\nThe system package management tool must cryptographically verify the authenticity of system software packages during installation.<\/td>\nEnsuring the validity of packages’ cryptographic signatures prior to installation ensures the authenticity of the software and protects against malicious tampering.<\/td>\nTo determine whether yum<\/code> is configured to use gpgcheck<\/code>, inspect \/etc\/yum.conf<\/code> and ensure the following appears in the [main]<\/code> section:<\/p>\n
gpgcheck=1<\/pre>\n
A value of 1<\/code> indicates that gpgcheck<\/code> is enabled. Absence of a gpgcheck<\/code> line or a setting of 0<\/code> indicates that it is disabled. If GPG checking is not enabled, this is a finding.<\/td>\n
The gpgcheck<\/code> option controls whether RPM packages’ signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in \/etc\/yum.conf<\/code> in the [main]<\/code> section:<\/p>\n
gpgcheck=1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000015<\/td>\nCCI-000663<\/td>\nlow<\/td>\nThe system package management tool must cryptographically verify the authenticity of all software packages during installation.<\/td>\nEnsuring all packages’ cryptographic signatures are valid prior to installation ensures the authenticity of the software and protects against malicious tampering.<\/td>\nTo determine whether yum<\/code> has been configured to disable gpgcheck<\/code> for any repos, inspect all files in \/etc\/yum.repos.d<\/code> and ensure the following does not appear in any sections:<\/p>\n
gpgcheck=0<\/pre>\n
A value of 0<\/code> indicates that gpgcheck<\/code> has been disabled for that repo. If GPG checking is disabled, this is a finding.<\/td>\n
To ensure signature checking is not disabled for any repos, remove any lines from files in \/etc\/yum.repos.d<\/code> of the form:<\/p>\n
gpgcheck=0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000016<\/td>\nCCI-001069<\/td>\nmedium<\/td>\nA file integrity tool must be installed.<\/td>\nThe AIDE package must be installed if it is to be available for integrity checking.<\/td>\nRun the following command to determine if the aide<\/code> package is installed:<\/p>\n
# rpm -q aide<\/pre>\n
If the package is not installed, this is a finding.<\/td>\n
Install the AIDE package with the command:<\/p>\n
$ sudo yum install aide<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000017<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must use a Linux Security Module at boot time.<\/td>\nDisabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.<\/td>\nInspect \/etc\/grub.conf<\/code> for any instances of selinux=0<\/code> in the kernel boot arguments. Presence of selinux=0<\/code> indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.<\/td>\nSELinux can be disabled at boot time by an argument in \/etc\/grub.conf<\/code>. Remove any instances of selinux=0<\/code> from the kernel arguments in that file to prevent SELinux from being disabled at boot.<\/td>\n<\/tr>\n
RHEL-06-000018<\/td>\nCCI-001069<\/td>\nmedium<\/td>\nA file integrity baseline must be created.<\/td>\nFor AIDE to be effective, an initial database of “known-good” information about files must be captured and it should be able to be verified against the installed files.<\/td>\nTo find the location of the AIDE databse file, run the following command:<\/p>\n
$ sudo ls -l DBDIR<\/i>\/database_file_name<\/i><\/pre>\n
If there is no database file, this is a finding.<\/td>\n
Run the following command to generate a new database:<\/p>\n
$ sudo \/usr\/sbin\/aide --init<\/pre>\n
By default, the database will be written to the file \/var\/lib\/aide\/aide.db.new.gz<\/code>. Storing the database, the configuration file \/etc\/aide.conf<\/code>, and the binary \/usr\/sbin\/aide<\/code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:<\/p>\n
$ sudo cp \/var\/lib\/aide\/aide.db.new.gz \/var\/lib\/aide\/aide.db.gz<\/pre>\n
To initiate a manual check, run the following command:<\/p>\n
$ sudo \/usr\/sbin\/aide --check<\/pre>\n
If this check produces any unexpected output, investigate.<\/td>\n<\/tr>\n
RHEL-06-000019<\/td>\nCCI-001436<\/td>\nhigh<\/td>\nThere must be no .rhosts or hosts.equiv files on the system.<\/td>\nTrust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.<\/td>\nThe existence of the file \/etc\/hosts.equiv<\/code> or a file named .rhosts<\/code> inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding.<\/td>\nThe files \/etc\/hosts.equiv<\/code> and ~\/.rhosts<\/code> (in each user’s home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:<\/p>\n
$ sudo rm \/etc\/hosts.equiv<\/pre>\n
$ rm ~\/.rhosts<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000020<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must use a Linux Security Module configured to enforce limits on system services.<\/td>\nSetting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.<\/td>\nCheck the file \/etc\/selinux\/config<\/code> and ensure the following line appears:<\/p>\n
SELINUX=enforcing<\/pre>\n
If SELINUX is not set to enforcing, this is a finding.<\/td>\n
The SELinux state should be set to <\/code> at system boot time. In the file \/etc\/selinux\/config<\/code>, add or correct the following line to configure the system to boot into enforcing mode:<\/p>\n
SELINUX=<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000023<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must use a Linux Security Module configured to limit the privileges of system services.<\/td>\nSetting the SELinux policy to targeted<\/code> or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.<\/td>\nCheck the file \/etc\/selinux\/config<\/code> and ensure the following line appears:<\/p>\n
SELINUXTYPE=targeted<\/pre>\n
If it does not, this is a finding.<\/td>\n
The SELinux targeted<\/code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in \/etc\/selinux\/config<\/code>:<\/p>\n
SELINUXTYPE=<\/pre>\n
Other policies, such as mls<\/code>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.<\/td>\n<\/tr>\n
RHEL-06-000025<\/td>\nCCI-000366<\/td>\nlow<\/td>\nAll device files must be monitored by the system Linux Security Module.<\/td>\nIf a device file carries the SELinux type unlabeled_t<\/code>, then SELinux cannot properly restrict access to the device file.<\/td>\nTo check for unlabeled device files, run the following command:<\/p>\n
$ sudo ls -RZ \/dev | grep unlabeled_t<\/pre>\n
It should produce no output in a well-configured system. If there is output, this is a finding.<\/td>\n
Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type unlabeled_t<\/code>, investigate the cause and correct the file’s context.<\/td>\n<\/tr>\n
RHEL-06-000027<\/td>\nCCI-000770<\/td>\nmedium<\/td>\nThe system must prevent the root account from logging in from virtual consoles.<\/td>\nPreventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.<\/td>\nTo check for virtual console entries which permit root login, run the following command:<\/p>\n
$ sudo grep ^vc\/[0-9] \/etc\/securetty<\/pre>\n
If any output is returned, then root logins over virtual console devices is permitted. If root login over virtual console devices is permitted, this is a finding.<\/td>\n
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in \/etc\/securetty<\/code>:<\/p>\n
vc\/1\r\nvc\/2\r\nvc\/3\r\nvc\/4<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000028<\/td>\nCCI-000770<\/td>\nlow<\/td>\nThe system must prevent the root account from logging in from serial consoles.<\/td>\nPreventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.<\/td>\nTo check for serial port entries which permit root login, run the following command:<\/p>\n
$ sudo grep ^ttyS\/[0-9] \/etc\/securetty<\/pre>\n
If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding.<\/td>\n
To restrict root logins on serial ports, ensure lines of this form do not appear in \/etc\/securetty<\/code>:<\/p>\n
ttyS0\r\nttyS1<\/pre>\n
<\/td>\n<\/tr>\n
RHEL-06-000030<\/td>\nCCI-000366<\/td>\nhigh<\/td>\nThe system must not have accounts configured with blank or null passwords.<\/td>\nIf an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.<\/td>\nTo verify that null passwords cannot be used, run the following command:<\/p>\n
$ grep nullok \/etc\/pam.d\/system-auth<\/pre>\n
If this produces any output, it may be possible to log into accounts with empty passwords. If NULL passwords can be used, this is a finding.<\/td>\n
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok<\/code> option in \/etc\/pam.d\/system-auth<\/code> to prevent logins with empty passwords.<\/td>\n<\/tr>\n
RHEL-06-000031<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/passwd file must not contain password hashes.<\/td>\nThe hashes for all user account passwords should be stored in the file \/etc\/shadow<\/code> and never in \/etc\/passwd<\/code>, which is readable by all users.<\/td>\nTo check that no password hashes are stored in \/etc\/passwd<\/code>, run the following command:<\/p>\n
$ awk -F: '($2 != \"x\") {print}' \/etc\/passwd<\/pre>\n
If it produces any output, then a password hash is stored in \/etc\/passwd<\/code>. If any stored hashes are found in \/etc\/passwd, this is a finding.<\/td>\n
If any password hashes are stored in \/etc\/passwd<\/code> (in the second field, instead of an x<\/code>), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.<\/td>\n<\/tr>\n
RHEL-06-000032<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe root account must be the only account having a UID of 0.<\/td>\nAn account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.<\/td>\nTo list all password file entries for accounts with UID 0, run the following command:<\/p>\n
$ awk -F: '($3 == \"0\") {print}' \/etc\/passwd<\/pre>\n
This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding.<\/td>\n
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.<\/td>\n<\/tr>\n
RHEL-06-000033<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/shadow file must be owned by root.<\/td>\nThe \/etc\/shadow<\/code> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.<\/td>\nTo check the ownership of \/etc\/shadow<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/shadow<\/pre>\n
If properly configured, the output should indicate the following owner: root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the owner of \/etc\/shadow<\/code>, run the command:<\/p>\n
# chown root\/etc\/shadow<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000034<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/shadow file must be group-owned by root.<\/td>\nThe \/etc\/shadow<\/code> file stores password hashes. Protection of this file is critical for system security.<\/td>\nTo check the group ownership of \/etc\/shadow<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/shadow<\/pre>\n
If properly configured, the output should indicate the following group-owner. root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the group owner of \/etc\/shadow<\/code>, run the command:<\/p>\n
# chgrp root\/etc\/shadow<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000035<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/shadow file must have mode 0000.<\/td>\nThe \/etc\/shadow<\/code> file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.<\/td>\nTo check the permissions of \/etc\/shadow<\/code>, run the command:<\/p>\n
$ ls -l \/etc\/shadow<\/pre>\n
If properly configured, the output should indicate the following permissions: ----------<\/code> If it does not, this is a finding.<\/td>\n
To properly set the permissions of \/etc\/shadow<\/code>, run the command:<\/p>\n
# chmod 0000\/etc\/shadow<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000036<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/gshadow file must be owned by root.<\/td>\nThe \/etc\/gshadow<\/code> file contains group password hashes. Protection of this file is critical for system security.<\/td>\nTo check the ownership of \/etc\/gshadow<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/gshadow<\/pre>\n
If properly configured, the output should indicate the following owner: root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the owner of \/etc\/gshadow<\/code>, run the command:<\/p>\n
# chown root\/etc\/gshadow<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000037<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/gshadow file must be group-owned by root.<\/td>\nThe \/etc\/gshadow<\/code> file contains group password hashes. Protection of this file is critical for system security.<\/td>\nTo check the group ownership of \/etc\/gshadow<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/gshadow<\/pre>\n
If properly configured, the output should indicate the following group-owner. root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the group owner of \/etc\/gshadow<\/code>, run the command:<\/p>\n
# chgrp root\/etc\/gshadow<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000038<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/gshadow file must have mode 0000.<\/td>\nThe \/etc\/gshadow<\/code> file contains group password hashes. Protection of this file is critical for system security.<\/td>\nTo check the permissions of \/etc\/gshadow<\/code>, run the command:<\/p>\n
$ ls -l \/etc\/gshadow<\/pre>\n
If properly configured, the output should indicate the following permissions: ----------<\/code> If it does not, this is a finding.<\/td>\n
To properly set the permissions of \/etc\/gshadow<\/code>, run the command:<\/p>\n
# chmod 0000\/etc\/gshadow<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000039<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/passwd file must be owned by root.<\/td>\nThe \/etc\/passwd<\/code> file contains information about the users that are configured on the system. Protection of this file is critical for system security.<\/td>\nTo check the ownership of \/etc\/passwd<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/passwd<\/pre>\n
If properly configured, the output should indicate the following owner: root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the owner of \/etc\/passwd<\/code>, run the command:<\/p>\n
# chown root\/etc\/passwd<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000040<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/passwd file must be group-owned by root.<\/td>\nThe \/etc\/passwd<\/code> file contains information about the users that are configured on the system. Protection of this file is critical for system security.<\/td>\nTo check the group ownership of \/etc\/passwd<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/passwd<\/pre>\n
If properly configured, the output should indicate the following group-owner. root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the group owner of \/etc\/passwd<\/code>, run the command:<\/p>\n
# chgrp root\/etc\/passwd<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000041<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/passwd file must have mode 0644 or less permissive.<\/td>\nIf the \/etc\/passwd<\/code> file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.<\/td>\nTo check the permissions of \/etc\/passwd<\/code>, run the command:<\/p>\n
$ ls -l \/etc\/passwd<\/pre>\n
If properly configured, the output should indicate the following permissions: -rw-r--r--<\/code> If it does not, this is a finding.<\/td>\n
To properly set the permissions of \/etc\/passwd<\/code>, run the command:<\/p>\n
# chmod 0644\/etc\/passwd<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000042<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/group file must be owned by root.<\/td>\nThe \/etc\/group<\/code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.<\/td>\nTo check the ownership of \/etc\/group<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/group<\/pre>\n
If properly configured, the output should indicate the following owner: root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the owner of \/etc\/group<\/code>, run the command:<\/p>\n
# chown root\/etc\/group<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000043<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/group file must be group-owned by root.<\/td>\nThe \/etc\/group<\/code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.<\/td>\nTo check the group ownership of \/etc\/group<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/group<\/pre>\n
If properly configured, the output should indicate the following group-owner. root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the group owner of \/etc\/group<\/code>, run the command:<\/p>\n
# chgrp root\/etc\/group<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000044<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe \/etc\/group file must have mode 0644 or less permissive.<\/td>\nThe \/etc\/group<\/code> file contains information regarding groups that are configured on the system. Protection of this file is important for system security.<\/td>\nTo check the permissions of \/etc\/group<\/code>, run the command:<\/p>\n
$ ls -l \/etc\/group<\/pre>\n
If properly configured, the output should indicate the following permissions: -rw-r--r--<\/code> If it does not, this is a finding.<\/td>\n
To properly set the permissions of \/etc\/group<\/code>, run the command:<\/p>\n
# chmod 644\/etc\/group<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000045<\/td>\nCCI-001499<\/td>\nmedium<\/td>\nLibrary files must have mode 0755 or less permissive.<\/td>\nFiles from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.<\/td>\nShared libraries are stored in the following directories:<\/p>\n
\/lib\r\n\/lib64\r\n\/usr\/lib\r\n\/usr\/lib64\r\n<\/pre>\n
To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR<\/i> which contains shared libraries:<\/p>\n
$ sudo find -L DIR<\/i> -perm \/022 -type f<\/pre>\n
If any of these files are group-writable or world-writable, this is a finding.<\/td>\n
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:<\/p>\n
\/lib\r\n\/lib64\r\n\/usr\/lib\r\n\/usr\/lib64\r\n<\/pre>\n
Kernel modules, which can be added to the kernel during runtime, are stored in \/lib\/modules<\/code>. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:<\/p>\n
$ sudo chmod go-w FILE<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000046<\/td>\nCCI-001499<\/td>\nmedium<\/td>\nLibrary files must be owned by root.<\/td>\nFiles from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.<\/td>\nShared libraries are stored in the following directories:<\/p>\n
\/lib\r\n\/lib64\r\n\/usr\/lib\r\n\/usr\/lib64\r\n<\/pre>\n
For each of these directories, run the following command to find files not owned by root:<\/p>\n
$ sudo find -L $DIR<\/i> \\! -user root -exec chown root {} \\;<\/pre>\n
If any of these files are not owned by root, this is a finding.<\/td>\n
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:<\/p>\n
\/lib\r\n\/lib64\r\n\/usr\/lib\r\n\/usr\/lib64\r\n<\/pre>\n
Kernel modules, which can be added to the kernel during runtime, are also stored in \/lib\/modules<\/code>. All files in these directories should be owned by the root<\/code> user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:<\/p>\n
$ sudo chown root FILE<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000047<\/td>\nCCI-001499<\/td>\nmedium<\/td>\nAll system command files must have mode 0755 or less permissive.<\/td>\nSystem binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.<\/td>\nSystem executables are stored in the following directories by default:<\/p>\n
\/bin\r\n\/usr\/bin\r\n\/usr\/local\/bin\r\n\/sbin\r\n\/usr\/sbin\r\n\/usr\/local\/sbin<\/pre>\n
To find system executables that are group-writable or world-writable, run the following command for each directory DIR<\/i> which contains system executables:<\/p>\n
$ sudo find -L DIR<\/i> -perm \/022 -type f<\/pre>\n
If any system executables are found to be group or world writable, this is a finding.<\/td>\n
System executables are stored in the following directories by default:<\/p>\n
\/bin\r\n\/usr\/bin\r\n\/usr\/local\/bin\r\n\/sbin\r\n\/usr\/sbin\r\n\/usr\/local\/sbin<\/pre>\n
All files in these directories should not be group-writable or world-writable. If any file FILE<\/i> in these directories is found to be group-writable or world-writable, correct its permission with the following command:<\/p>\n
$ sudo chmod go-w FILE<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000048<\/td>\nCCI-001499<\/td>\nmedium<\/td>\nAll system command files must be owned by root.<\/td>\nSystem binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.<\/td>\nSystem executables are stored in the following directories by default:<\/p>\n
\/bin\r\n\/usr\/bin\r\n\/usr\/local\/bin\r\n\/sbin\r\n\/usr\/sbin\r\n\/usr\/local\/sbin<\/pre>\n
To find system executables that are not owned by root<\/code>, run the following command for each directory DIR<\/i> which contains system executables:<\/p>\n
$ sudo find DIR\/<\/i> \\! -user root<\/pre>\n
If any system executables are found to not be owned by root, this is a finding.<\/td>\n
System executables are stored in the following directories by default:<\/p>\n
\/bin\r\n\/usr\/bin\r\n\/usr\/local\/bin\r\n\/sbin\r\n\/usr\/sbin\r\n\/usr\/local\/sbin<\/pre>\n
All files in these directories should be owned by the root<\/code> user. If any file FILE<\/i> in these directories is found to be owned by a user other than root, correct its ownership with the following command:<\/p>\n
$ sudo chown root FILE<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000050<\/td>\nCCI-000205<\/td>\nmedium<\/td>\nThe system must require passwords to contain a minimum of 14 characters.<\/td>\nRequiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.<\/td>\nTo check the minimum password length, run the command:<\/p>\n
$ grep PASS_MIN_LEN \/etc\/login.defs<\/pre>\n
The DoD requirement is 14<\/code>. If it is not set to the required value, this is a finding.<\/td>\n
To specify password length requirements for new accounts, edit the file \/etc\/login.defs<\/code> and add or correct the following lines:<\/p>\n
PASS_MIN_LEN<\/pre>\n
The DoD requirement is 14<\/code>. The FISMA requirement is 12<\/code>. If a program consults \/etc\/login.defs<\/code> and also another PAM module (such as pam_cracklib<\/code>) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.<\/td>\n<\/tr>\n
RHEL-06-000051<\/td>\nCCI-000198<\/td>\nmedium<\/td>\nUsers must not be able to change passwords more than once every 24 hours.<\/td>\nSetting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.<\/td>\nTo check the minimum password age, run the command:<\/p>\n
$ grep PASS_MIN_DAYS \/etc\/login.defs<\/pre>\n
The DoD and FISMA requirement is 1. If it is not set to the required value, this is a finding.<\/td>\n
To specify password minimum age for new accounts, edit the file \/etc\/login.defs<\/code> and add or correct the following line:<\/p>\n
PASS_MIN_DAYS <\/i><\/pre>\n
A value of 1 day is considered for sufficient for many environments. The DoD requirement is 1.<\/td>\n<\/tr>\n
RHEL-06-000053<\/td>\nCCI-000199<\/td>\nmedium<\/td>\nUser passwords must be changed at least every 60 days.<\/td>\nSetting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.<\/td>\nTo check the maximum password age, run the command:<\/p>\n
$ grep PASS_MAX_DAYS \/etc\/login.defs<\/pre>\n
The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. If it is not set to the required value, this is a finding.<\/td>\n
To specify password maximum age for new accounts, edit the file \/etc\/login.defs<\/code> and add or correct the following line:<\/p>\n
PASS_MAX_DAYS <\/i><\/pre>\n
A value of 180 days is sufficient for many environments. The DoD requirement is 60.<\/td>\n<\/tr>\n
RHEL-06-000054<\/td>\nCCI-000366<\/td>\nlow<\/td>\nUsers must be warned 7 days in advance of password expiration.<\/td>\nSetting the password warning age enables users to make the change at a practical time.<\/td>\nTo check the password warning age, run the command:<\/p>\n
$ grep PASS_WARN_AGE \/etc\/login.defs<\/pre>\n
The DoD requirement is 7. If it is not set to the required value, this is a finding.<\/td>\n
To specify how many days prior to password expiration that a warning will be issued to users, edit the file \/etc\/login.defs<\/code> and add or correct the following line:<\/p>\n
PASS_WARN_AGE <\/i><\/pre>\n
The DoD requirement is 7.<\/td>\n<\/tr>\n
RHEL-06-000056<\/td>\nCCI-000194<\/td>\nlow<\/td>\nThe system must require passwords to contain at least one numeric character.<\/td>\nRequiring digits makes password guessing attacks more difficult by ensuring a larger search space.<\/td>\nTo check how many digits are required in a password, run the following command:<\/p>\n
$ grep pam_cracklib \/etc\/pam.d\/system-auth<\/pre>\n
The dcredit<\/code> parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit=-1<\/code>. If dcredit is not found or not set to the required value, this is a finding.<\/td>\n
The pam_cracklib module’s dcredit<\/code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1<\/code> after pam_cracklib.so to require use of a digit in passwords.<\/td>\n<\/tr>\n
RHEL-06-000057<\/td>\nCCI-000192<\/td>\nlow<\/td>\nThe system must require passwords to contain at least one uppercase alphabetic character.<\/td>\nRequiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.<\/td>\nTo check how many uppercase characters are required in a password, run the following command:<\/p>\n
$ grep pam_cracklib \/etc\/pam.d\/system-auth<\/pre>\n
The ucredit<\/code> parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit=-1<\/code>. If ucredit is not found or not set to the required value, this is a finding.<\/td>\n
The pam_cracklib module’s ucredit=<\/code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1<\/code> after pam_cracklib.so to require use of an upper case character in passwords.<\/td>\n<\/tr>\n
RHEL-06-000058<\/td>\nCCI-001619<\/td>\nlow<\/td>\nThe system must require passwords to contain at least one special character.<\/td>\nRequiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.<\/td>\nTo check how many special characters are required in a password, run the following command:<\/p>\n
$ grep pam_cracklib \/etc\/pam.d\/system-auth<\/pre>\n
The ocredit<\/code> parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit=-1<\/code>. If ocredit is not found or not set to the required value, this is a finding.<\/td>\n
The pam_cracklib module’s ocredit=<\/code> parameter controls requirements for usage of special (or “other”) characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add ocredit=<\/code> after pam_cracklib.so to require use of a special character in passwords.<\/td>\n<\/tr>\n
RHEL-06-000059<\/td>\nCCI-000193<\/td>\nlow<\/td>\nThe system must require passwords to contain at least one lowercase alphabetic character.<\/td>\nRequiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.<\/td>\nTo check how many lowercase characters are required in a password, run the following command:<\/p>\n
$ grep pam_cracklib \/etc\/pam.d\/system-auth<\/pre>\n
The lcredit<\/code> parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit=-1<\/code>. If lcredit is not found or not set to the required value, this is a finding.<\/td>\n
The pam_cracklib module’s lcredit=<\/code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1<\/code> after pam_cracklib.so to require use of a lowercase character in passwords.<\/td>\n<\/tr>\n
RHEL-06-000060<\/td>\nCCI-000195<\/td>\nlow<\/td>\nThe system must require at least four characters be changed between the old and new passwords during a password change.<\/td>\nRequiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.<\/td>\nTo check how many characters must differ during a password change, run the following command:<\/p>\n
$ grep pam_cracklib \/etc\/pam.d\/system-auth<\/pre>\n
The difok<\/code> parameter will indicate how many characters must differ. The DoD requires four characters differ during a password change. This would appear as difok=4<\/code>. If difok is not found or not set to the required value, this is a finding.<\/td>\n
The pam_cracklib module’s difok<\/code> parameter controls requirements for usage of different characters during a password change. Add difok=<\/i><\/code> after pam_cracklib.so to require differing characters when changing passwords. The DoD requirement is 4<\/code>.<\/td>\n<\/tr>\n
RHEL-06-000061<\/td>\nCCI-000044<\/td>\nmedium<\/td>\nThe system must disable accounts after three consecutive unsuccessful login attempts.<\/td>\nLocking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.<\/td>\nTo ensure the failed password attempt policy is configured correctly, run the following command:<\/p>\n
$ grep pam_faillock \/etc\/pam.d\/system-auth<\/pre>\n
The output should show deny=3<\/code>. If that is not the case, this is a finding.<\/td>\n
To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so<\/code>:<\/p>\n

Add the following lines immediately below the pam_unix.so<\/code> statement in AUTH<\/code> section of both \/etc\/pam.d\/system-auth<\/code> and \/etc\/pam.d\/password-auth:<\/p>\n

auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=900<\/pre>\n
auth required pam_faillock.so authsucc deny= unlock_time=604800 fail_interval=900<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000062<\/td>\nCCI-000803<\/td>\nmedium<\/td>\nThe system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).<\/td>\nUsing a stronger hashing algorithm makes password cracking attacks more difficult.<\/td>\nInspect the password<\/code> section of \/etc\/pam.d\/system-auth<\/code> and ensure that the pam_unix.so<\/code> module includes the argument sha512<\/code>:<\/p>\n
$ grep sha512 \/etc\/pam.d\/system-auth<\/pre>\n
If it does not, this is a finding.<\/td>\n
In \/etc\/pam.d\/system-auth<\/code>, the password<\/code> section of the file controls which PAM modules execute during a password change. Set the pam_unix.so<\/code> module in the password<\/code> section to include the argument sha512<\/code>, as shown below:<\/p>\n
password    sufficient    pam_unix.so sha512 other arguments...<\/i><\/pre>\n
This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.<\/td>\n<\/tr>\n
RHEL-06-000063<\/td>\nCCI-000803<\/td>\nmedium<\/td>\nThe system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).<\/td>\nUsing a stronger hashing algorithm makes password cracking attacks more difficult.<\/td>\nInspect \/etc\/login.defs<\/code> and ensure the following line appears:<\/p>\n
ENCRYPT_METHOD SHA512<\/pre>\n
If it does not, this is a finding.<\/td>\n
In \/etc\/login.defs<\/code>, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:<\/p>\n
ENCRYPT_METHOD SHA512<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000064<\/td>\nCCI-000803<\/td>\nmedium<\/td>\nThe system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).<\/td>\nUsing a stronger hashing algorithm makes password cracking attacks more difficult.<\/td>\nInspect \/etc\/libuser.conf<\/code> and ensure the following line appears in the [default]<\/code> section:<\/p>\n
crypt_style = sha512<\/pre>\n
If it does not, this is a finding.<\/td>\n
In \/etc\/libuser.conf<\/code>, add or correct the following line in its [defaults]<\/code> section to ensure the system will use the SHA-512 algorithm for password hashing:<\/p>\n
crypt_style = sha512<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000065<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system boot loader configuration file(s) must be owned by root.<\/td>\nOnly root should be able to modify important boot parameters.<\/td>\nTo check the ownership of \/etc\/grub.conf<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/grub.conf<\/pre>\n
If properly configured, the output should indicate the following owner: root<\/code> If it does not, this is a finding.<\/td>\n
The file \/etc\/grub.conf<\/code> should be owned by the root<\/code> user to prevent destruction or modification of the file. To properly set the owner of \/etc\/grub.conf<\/code>, run the command:<\/p>\n
# chown root\/etc\/grub.conf<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000066<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system boot loader configuration file(s) must be group-owned by root.<\/td>\nThe root<\/code> group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.<\/td>\nTo check the group ownership of \/etc\/grub.conf<\/code>, run the command:<\/p>\n
$ ls -lL \/etc\/grub.conf<\/pre>\n
If properly configured, the output should indicate the following group-owner. root<\/code> If it does not, this is a finding.<\/td>\n
The file \/etc\/grub.conf<\/code> should be group-owned by the root<\/code> group to prevent destruction or modification of the file. To properly set the group owner of \/etc\/grub.conf<\/code>, run the command:<\/p>\n
# chgrp root\/etc\/grub.conf<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000067<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system boot loader configuration file(s) must have mode 0600 or less permissive.<\/td>\nProper permissions ensure that only the root user can modify important boot parameters.<\/td>\nTo check the permissions of \/etc\/grub.conf, run the command:<\/p>\n
$ sudo ls -lL \/etc\/grub.conf<\/pre>\n
If properly configured, the output should indicate the following permissions: -rw-------<\/code> If it does not, this is a finding.<\/td>\n
File permissions for \/boot\/grub\/grub.conf<\/code> should be set to 600, which is the default. To properly set the permissions of \/boot\/grub\/grub.conf<\/code>, run the command:<\/p>\n
# chmod 600\/boot\/grub\/grub.conf<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000068<\/td>\nCCI-000213<\/td>\nmedium<\/td>\nThe system boot loader must require authentication.<\/td>\nPassword protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.<\/td>\nTo verify the boot loader password has been set and encrypted, run the following command:<\/p>\n
$ sudo grep password \/etc\/grub.conf<\/pre>\n
The output should show the following:<\/p>\n
password --encrypted password-hash<\/b><\/pre>\n
If it does not, this is a finding.<\/td>\n
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:<\/p>\n
$ grub-crypt --sha-512<\/pre>\n
When prompted to enter a password, insert the following line into \/etc\/grub.conf<\/code> immediately after the header comments. (Use the output from grub-crypt<\/code> as the value of password-hash<\/b>):<\/p>\n
password --encrypted password-hash<\/b><\/pre>\n
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.<\/td>\n<\/tr>\n
RHEL-06-000069<\/td>\nCCI-000213<\/td>\nmedium<\/td>\nThe system must require authentication upon booting into single-user and maintenance modes.<\/td>\nThis prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.<\/td>\nTo check if authentication is required for single-user mode, run the following command:<\/p>\n
$ grep SINGLE \/etc\/sysconfig\/init<\/pre>\n
The output should be the following:<\/p>\n
SINGLE=\/sbin\/sulogin<\/pre>\n
If the output is different, this is a finding.<\/td>\n
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.<\/p>\n

To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file \/etc\/sysconfig\/init<\/code>:<\/p>\n

SINGLE=\/sbin\/sulogin<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000070<\/td>\nCCI-000213<\/td>\nmedium<\/td>\nThe system must not permit interactive boot.<\/td>\nUsing interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.<\/td>\nTo check whether interactive boot is disabled, run the following command:<\/p>\n
$ grep PROMPT \/etc\/sysconfig\/init<\/pre>\n
If interactive boot is disabled, the output will show:<\/p>\n
PROMPT=no<\/pre>\n
If it does not, this is a finding.<\/td>\n
To disable the ability for users to perform interactive startups, edit the file \/etc\/sysconfig\/init<\/code>. Add or correct the line:<\/p>\n
PROMPT=no<\/pre>\n
The PROMPT<\/code> option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.<\/td>\n<\/tr>\n
RHEL-06-000071<\/td>\nCCI-000058<\/td>\nlow<\/td>\nThe system must allow locking of the console screen.<\/td>\nInstalling screen<\/code> ensures a console locking capability is available for users who may need to suspend console logins.<\/td>\nRun the following command to determine if the screen<\/code> package is installed:<\/p>\n
# rpm -q screen<\/pre>\n
If the package is not installed, this is a finding.<\/td>\n
To enable console screen locking, install the screen<\/code> package:<\/p>\n
$ sudo yum install screen<\/pre>\n
Instruct users to begin new terminal sessions with the following command:<\/p>\n
$ screen<\/pre>\n
The console can now be locked with the following key combination:<\/p>\n
ctrl+a x<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000073<\/td>\nCCI-NaN<\/td>\nmedium<\/td>\nThe Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.<\/td>\nAn appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.<\/td>\nTo check if the system login banner is compliant, run the following command:<\/p>\n
$ cat \/etc\/issue<\/pre>\n
If it does not display the required banner, this is a finding.<\/td>\n
To configure the system login banner:<\/p>\n

Edit \/etc\/issue<\/code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:<\/p>\n

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
\n-At any time, the USG may inspect and seize data stored on this IS.
\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.<\/code><\/p>\n

OR:<\/p>\n

I've read & consent to terms in IS user agreem't.<\/code><\/td>\n<\/tr>\n

RHEL-06-000078<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must implement virtual address space randomization.<\/td>\nAddress space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process’s address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.<\/td>\nThe status of the kernel.randomize_va_space<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl kernel.randomize_va_space<\/pre>\n
The output of the command should indicate a value of 2<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the kernel.randomize_va_space<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w kernel.randomize_va_space=2<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
kernel.randomize_va_space = 2<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000079<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must limit the ability of processes to have simultaneous write and execute access to memory.<\/td>\nExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process’s memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range.<\/td>\nThe status of the kernel.exec-shield<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl kernel.exec-shield<\/pre>\n
The output of the command should indicate a value of 1<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the kernel.exec-shield<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w kernel.exec-shield=1<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
kernel.exec-shield = 1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000080<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must not send ICMPv4 redirects by default.<\/td>\nSending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.<\/td>\nThe status of the net.ipv4.conf.default.send_redirects<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.default.send_redirects<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.default.send_redirects<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.default.send_redirects=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.default.send_redirects = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000081<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must not send ICMPv4 redirects from any interface.<\/td>\nSending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.<\/td>\nThe status of the net.ipv4.conf.all.send_redirects<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.all.send_redirects<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.all.send_redirects<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.all.send_redirects=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.all.send_redirects = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000082<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nIP forwarding for IPv4 must not be enabled, unless the system is a router.<\/td>\nIP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.<\/td>\nThe status of the net.ipv4.ip_forward<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.ip_forward<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.ip_forward<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.ip_forward=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.ip_forward = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000083<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must not accept IPv4 source-routed packets on any interface.<\/td>\nAccepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.<\/td>\nThe status of the net.ipv4.conf.all.accept_source_route<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.all.accept_source_route<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.all.accept_source_route<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.all.accept_source_route=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.all.accept_source_route = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000084<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must not accept ICMPv4 redirect packets on any interface.<\/td>\nAccepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.<\/td>\nThe status of the net.ipv4.conf.all.accept_redirects<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.all.accept_redirects<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.all.accept_redirects<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.all.accept_redirects=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.all.accept_redirects = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000086<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must not accept ICMPv4 secure redirect packets on any interface.<\/td>\nAccepting “secure” ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.<\/td>\nThe status of the net.ipv4.conf.all.secure_redirects<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.all.secure_redirects<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.all.secure_redirects<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.all.secure_redirects=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.all.secure_redirects = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000088<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must log Martian packets.<\/td>\nThe presence of “martian” packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.<\/td>\nThe status of the net.ipv4.conf.all.log_martians<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.all.log_martians<\/pre>\n
The output of the command should indicate a value of 1<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.all.log_martians<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.all.log_martians=1<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.all.log_martians = 1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000089<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must not accept IPv4 source-routed packets by default.<\/td>\nAccepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.<\/td>\nThe status of the net.ipv4.conf.default.accept_source_route<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.default.accept_source_route<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.default.accept_source_route<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.default.accept_source_route=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.default.accept_source_route = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000090<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must not accept ICMPv4 secure redirect packets by default.<\/td>\nAccepting “secure” ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.<\/td>\nThe status of the net.ipv4.conf.default.secure_redirects<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.default.secure_redirects<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.default.secure_redirects<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.default.secure_redirects=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.default.secure_redirects = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000091<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must ignore IPv4 ICMP redirect messages.<\/td>\nThis feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.<\/td>\nThe status of the net.ipv4.conf.default.accept_redirects<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.default.accept_redirects<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.default.accept_redirects<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.default.accept_redirects=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.default.accept_redirects = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000092<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must not respond to ICMPv4 sent to a broadcast address.<\/td>\nIgnoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.<\/td>\nThe status of the net.ipv4.icmp_echo_ignore_broadcasts<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.icmp_echo_ignore_broadcasts<\/pre>\n
The output of the command should indicate a value of 1<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.icmp_echo_ignore_broadcasts = 1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000093<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must ignore ICMPv4 bogus error responses.<\/td>\nIgnoring bogus ICMP error responses reduces log size, although some activity would not be logged.<\/td>\nThe status of the net.ipv4.icmp_ignore_bogus_error_responses<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.icmp_ignore_bogus_error_responses<\/pre>\n
The output of the command should indicate a value of 1<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.icmp_ignore_bogus_error_responses = 1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000095<\/td>\nCCI-001095<\/td>\nmedium<\/td>\nThe system must be configured to use TCP syncookies when experiencing a TCP SYN flood.<\/td>\nA TCP SYN flood attack can cause a denial of service by filling a system’s TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.<\/td>\nThe status of the net.ipv4.tcp_syncookies<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.tcp_syncookies<\/pre>\n
The output of the command should indicate a value of 1<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.tcp_syncookies<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.tcp_syncookies=1<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.tcp_syncookies = 1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000096<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<\/td>\nEnabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.<\/td>\nThe status of the net.ipv4.conf.all.rp_filter<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.all.rp_filter<\/pre>\n
The output of the command should indicate a value of 1<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.all.rp_filter<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.all.rp_filter=1<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.all.rp_filter = 1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000097<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must use a reverse-path filter for IPv4 network traffic when possible by default.<\/td>\nEnabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.<\/td>\nThe status of the net.ipv4.conf.default.rp_filter<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv4.conf.default.rp_filter<\/pre>\n
The output of the command should indicate a value of 1<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv4.conf.default.rp_filter<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv4.conf.default.rp_filter=1<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv4.conf.default.rp_filter = 1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000098<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe IPv6 protocol handler must not be bound to the network stack unless needed.<\/td>\nAny unnecessary network stacks – including IPv6 – should be disabled, to reduce the vulnerability to exploitation.<\/td>\nIf the system uses IPv6, this is not applicable.<\/p>\n

If the system is configured to prevent the loading of the ipv6<\/code> kernel module, it will contain a line of the form:<\/p>\n

options ipv6 disable=1<\/pre>\n
Such lines may be inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r ipv6 \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If the ipv6 kernel module is loaded, this is a finding.<\/td>\n
To prevent the IPv6 kernel module (ipv6<\/code>) from loading the IPv6 networking stack, add the following line to \/etc\/modprobe.d\/disabled.conf<\/code> (or another file in \/etc\/modprobe.d<\/code>):<\/p>\n
options ipv6 disable=1<\/pre>\n
This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.<\/td>\n<\/tr>\n
RHEL-06-000099<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must ignore ICMPv6 redirects by default.<\/td>\nAn illicit ICMP redirect message could result in a man-in-the-middle attack.<\/td>\nThe status of the net.ipv6.conf.default.accept_redirects<\/code> kernel parameter can be queried by running the following command:<\/p>\n
$ sysctl net.ipv6.conf.default.accept_redirects<\/pre>\n
The output of the command should indicate a value of 0<\/code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \/etc\/sysctl.conf<\/code>. If the correct value is not returned, this is a finding.<\/td>\n
To set the runtime status of the net.ipv6.conf.default.accept_redirects<\/code> kernel parameter, run the following command:<\/p>\n
# sysctl -w net.ipv6.conf.default.accept_redirects=0<\/pre>\n
If this is not the system’s default value, add the following line to \/etc\/sysctl.conf<\/code>:<\/p>\n
net.ipv6.conf.default.accept_redirects = 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000103<\/td>\nCCI-001118<\/td>\nmedium<\/td>\nThe system must employ a local IPv6 firewall.<\/td>\nThe ip6tables<\/code> service provides the system’s host-based firewalling capability for IPv6 and ICMPv6.<\/td>\nIf IPv6 is disabled, this is not applicable.<\/p>\n

Run the following command to determine the current status of the ip6tables<\/code> service:<\/p>\n

# service ip6tables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
ip6tables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The ip6tables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 ip6tables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000105<\/td>\nCCI-001117<\/td>\nmedium<\/td>\nThe system must employ a local IPv6 firewall.<\/td>\nThe ip6tables<\/code> service provides the system’s host-based firewalling capability for IPv6 and ICMPv6.<\/td>\nIf IPv6 is disabled, this is not applicable.<\/p>\n

Run the following command to determine the current status of the ip6tables<\/code> service:<\/p>\n

# service ip6tables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
ip6tables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The ip6tables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 ip6tables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000106<\/td>\nCCI-001098<\/td>\nmedium<\/td>\nThe system must employ a local IPv6 firewall.<\/td>\nThe ip6tables<\/code> service provides the system’s host-based firewalling capability for IPv6 and ICMPv6.<\/td>\nIf IPv6 is disabled, this is not applicable.<\/p>\n

Run the following command to determine the current status of the ip6tables<\/code> service:<\/p>\n

# service ip6tables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
ip6tables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The ip6tables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 ip6tables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000107<\/td>\nCCI-001100<\/td>\nmedium<\/td>\nThe system must employ a local IPv6 firewall.<\/td>\nThe ip6tables<\/code> service provides the system’s host-based firewalling capability for IPv6 and ICMPv6.<\/td>\nIf IPv6 is disabled, this is not applicable.<\/p>\n

Run the following command to determine the current status of the ip6tables<\/code> service:<\/p>\n

# service ip6tables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
ip6tables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The ip6tables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 ip6tables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000108<\/td>\nCCI-001097<\/td>\nmedium<\/td>\nThe system must employ a local IPv6 firewall.<\/td>\nThe ip6tables<\/code> service provides the system’s host-based firewalling capability for IPv6 and ICMPv6.<\/td>\nIf IPv6 is disabled, this is not applicable.<\/p>\n

Run the following command to determine the current status of the ip6tables<\/code> service:<\/p>\n

# service ip6tables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
ip6tables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The ip6tables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 ip6tables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000109<\/td>\nCCI-001414<\/td>\nmedium<\/td>\nThe system must employ a local IPv6 firewall.<\/td>\nThe ip6tables<\/code> service provides the system’s host-based firewalling capability for IPv6 and ICMPv6.<\/td>\nIf IPv6 is disabled, this is not applicable.<\/p>\n

Run the following command to determine the current status of the ip6tables<\/code> service:<\/p>\n

# service ip6tables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
ip6tables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The ip6tables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 ip6tables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000113<\/td>\nCCI-001118<\/td>\nmedium<\/td>\nThe system must employ a local IPv4 firewall.<\/td>\nThe iptables<\/code> service provides the system’s host-based firewalling capability for IPv4 and ICMP.<\/td>\nRun the following command to determine the current status of the iptables<\/code> service:<\/p>\n
# service iptables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
iptables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The iptables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 iptables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000115<\/td>\nCCI-001117<\/td>\nmedium<\/td>\nThe system must employ a local IPv4 firewall.<\/td>\nThe iptables<\/code> service provides the system’s host-based firewalling capability for IPv4 and ICMP.<\/td>\nRun the following command to determine the current status of the iptables<\/code> service:<\/p>\n
# service iptables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
iptables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The iptables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 iptables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000116<\/td>\nCCI-001098<\/td>\nmedium<\/td>\nThe system must employ a local IPv4 firewall.<\/td>\nThe iptables<\/code> service provides the system’s host-based firewalling capability for IPv4 and ICMP.<\/td>\nRun the following command to determine the current status of the iptables<\/code> service:<\/p>\n
# service iptables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
iptables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The iptables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 iptables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000117<\/td>\nCCI-001100<\/td>\nmedium<\/td>\nThe system must employ a local IPv4 firewall.<\/td>\nThe iptables<\/code> service provides the system’s host-based firewalling capability for IPv4 and ICMP.<\/td>\nRun the following command to determine the current status of the iptables<\/code> service:<\/p>\n
# service iptables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
iptables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The iptables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 iptables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000118<\/td>\nCCI-001097<\/td>\nmedium<\/td>\nThe system must employ a local IPv4 firewall.<\/td>\nThe iptables<\/code> service provides the system’s host-based firewalling capability for IPv4 and ICMP.<\/td>\nRun the following command to determine the current status of the iptables<\/code> service:<\/p>\n
# service iptables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
iptables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The iptables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 iptables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000119<\/td>\nCCI-001414<\/td>\nmedium<\/td>\nThe system must employ a local IPv4 firewall.<\/td>\nThe iptables<\/code> service provides the system’s host-based firewalling capability for IPv4 and ICMP.<\/td>\nRun the following command to determine the current status of the iptables<\/code> service:<\/p>\n
# service iptables status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
iptables is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The iptables<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 iptables on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000120<\/td>\nCCI-000066<\/td>\nmedium<\/td>\nThe system’s local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.<\/td>\nIn iptables<\/code> the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP<\/code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.<\/td>\nInspect the file \/etc\/sysconfig\/iptables<\/code> to determine the default policy for the INPUT chain. It should be set to DROP:<\/p>\n
$ sudo grep \":INPUT\" \/etc\/sysconfig\/iptables<\/pre>\n
If the default policy for the INPUT chain is not set to DROP, this is a finding.<\/td>\n
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \/etc\/sysconfig\/iptables<\/code>:<\/p>\n
:INPUT DROP [0:0]<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000121<\/td>\nCCI-001115<\/td>\nmedium<\/td>\nThe system’s local firewall must implement a deny-all, allow-by-exception policy for inbound packets.<\/td>\nIn iptables<\/code> the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP<\/code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.<\/td>\nInspect the file \/etc\/sysconfig\/iptables<\/code> to determine the default policy for the INPUT chain. It should be set to DROP:<\/p>\n
$ sudo grep \":INPUT\" \/etc\/sysconfig\/iptables<\/pre>\n
If the default policy for the INPUT chain is not set to DROP, this is a finding.<\/td>\n
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \/etc\/sysconfig\/iptables<\/code>:<\/p>\n
:INPUT DROP [0:0]<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000122<\/td>\nCCI-001154<\/td>\nmedium<\/td>\nThe system’s local firewall must implement a deny-all, allow-by-exception policy for inbound packets.<\/td>\nIn iptables<\/code> the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP<\/code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.<\/td>\nInspect the file \/etc\/sysconfig\/iptables<\/code> to determine the default policy for the INPUT chain. It should be set to DROP:<\/p>\n
$ sudo grep \":INPUT\" \/etc\/sysconfig\/iptables<\/pre>\n
If the default policy for the INPUT chain is not set to DROP, this is a finding.<\/td>\n
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \/etc\/sysconfig\/iptables<\/code>:<\/p>\n
:INPUT DROP [0:0]<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000124<\/td>\nCCI-000382<\/td>\nmedium<\/td>\nThe Datagram Congestion Control Protocol (DCCP) must be disabled unless required.<\/td>\nDisabling DCCP protects the system against exploitation of any flaws in its implementation.<\/td>\nIf the system is configured to prevent the loading of the dccp<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r dccp \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If no line is returned, this is a finding.<\/td>\n
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp<\/code> kernel module from being loaded, add the following line to a file in the directory \/etc\/modprobe.d<\/code>:<\/p>\n
install dccp \/bin\/false<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000125<\/td>\nCCI-000382<\/td>\nmedium<\/td>\nThe Stream Control Transmission Protocol (SCTP) must be disabled unless required.<\/td>\nDisabling SCTP protects the system against exploitation of any flaws in its implementation.<\/td>\nIf the system is configured to prevent the loading of the sctp<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r sctp \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If no line is returned, this is a finding.<\/td>\n
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp<\/code> kernel module from being loaded, add the following line to a file in the directory \/etc\/modprobe.d<\/code>:<\/p>\n
install sctp \/bin\/false<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000126<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe Reliable Datagram Sockets (RDS) protocol must be disabled unless required.<\/td>\nDisabling RDS protects the system against exploitation of any flaws in its implementation.<\/td>\nIf the system is configured to prevent the loading of the rds<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r rds \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If no line is returned, this is a finding.<\/td>\n
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the rds<\/code> kernel module from being loaded, add the following line to a file in the directory \/etc\/modprobe.d<\/code>:<\/p>\n
install rds \/bin\/false<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000127<\/td>\nCCI-000382<\/td>\nmedium<\/td>\nThe Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.<\/td>\nDisabling TIPC protects the system against exploitation of any flaws in its implementation.<\/td>\nIf the system is configured to prevent the loading of the tipc<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r tipc \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If no line is returned, this is a finding.<\/td>\n
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc<\/code> kernel module from being loaded, add the following line to a file in the directory \/etc\/modprobe.d<\/code>:<\/p>\n
install tipc \/bin\/false<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000133<\/td>\nCCI-001314<\/td>\nmedium<\/td>\nAll rsyslog-generated log files must be owned by root.<\/td>\nThe log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.<\/td>\nThe owner of all log files written by rsyslog<\/code> should be root. These log files are determined by the second part of each Rule line in \/etc\/rsyslog.conf<\/code> and typically all appear in \/var\/log<\/code>. To see the owner of a given log file, run the following command:<\/p>\n
$ ls -l LOGFILE<\/i><\/pre>\n
If the owner is not root, this is a finding.<\/td>\n
The owner of all log files written by rsyslog<\/code> should be root. These log files are determined by the second part of each Rule line in \/etc\/rsyslog.conf<\/code> and typically all appear in \/var\/log<\/code>. For each log file LOGFILE<\/i> referenced in \/etc\/rsyslog.conf<\/code>, run the following command to inspect the file’s owner:<\/p>\n
$ ls -l LOGFILE<\/i><\/pre>\n
If the owner is not root<\/code>, run the following command to correct this:<\/p>\n
$ sudo chown root LOGFILE<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000134<\/td>\nCCI-001314<\/td>\nmedium<\/td>\nAll rsyslog-generated log files must be group-owned by root.<\/td>\nThe log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.<\/td>\nThe group-owner of all log files written by rsyslog<\/code> should be root. These log files are determined by the second part of each Rule line in \/etc\/rsyslog.conf<\/code> and typically all appear in \/var\/log<\/code>. To see the group-owner of a given log file, run the following command:<\/p>\n
$ ls -l LOGFILE<\/i><\/pre>\n
If the group-owner is not root, this is a finding.<\/td>\n
The group-owner of all log files written by rsyslog<\/code> should be root. These log files are determined by the second part of each Rule line in \/etc\/rsyslog.conf<\/code> and typically all appear in \/var\/log<\/code>. For each log file LOGFILE<\/i> referenced in \/etc\/rsyslog.conf<\/code>, run the following command to inspect the file’s group owner:<\/p>\n
$ ls -l LOGFILE<\/i><\/pre>\n
If the owner is not root<\/code>, run the following command to correct this:<\/p>\n
$ sudo chgrp root LOGFILE<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000135<\/td>\nCCI-001314<\/td>\nmedium<\/td>\nAll rsyslog-generated log files must have mode 0600 or less permissive.<\/td>\nLog files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.<\/td>\nThe file permissions for all log files written by rsyslog<\/code> should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in \/etc\/rsyslog.conf<\/code> and typically all appear in \/var\/log<\/code>. To see the permissions of a given log file, run the following command:<\/p>\n
$ ls -l LOGFILE<\/i><\/pre>\n
The permissions should be 600, or more restrictive. If the permissions are not correct, this is a finding.<\/td>\n
The file permissions for all log files written by rsyslog<\/code> should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in \/etc\/rsyslog.conf<\/code> and typically all appear in \/var\/log<\/code>. For each log file LOGFILE<\/i> referenced in \/etc\/rsyslog.conf<\/code>, run the following command to inspect the file’s permissions:<\/p>\n
$ ls -l LOGFILE<\/i><\/pre>\n
If the permissions are not 600 or more restrictive, run the following command to correct this:<\/p>\n
$ sudo chmod 0600 LOGFILE<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000136<\/td>\nCCI-001348<\/td>\nmedium<\/td>\nThe operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.<\/td>\nA log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.<\/td>\nTo ensure logs are sent to a remote host, examine the file \/etc\/rsyslog.conf<\/code>. If using UDP, a line similar to the following should be present:<\/p>\n
 *.* @loghost.example.com<\/i><\/pre>\n
If using TCP, a line similar to the following should be present:<\/p>\n
 *.* @@loghost.example.com<\/i><\/pre>\n
If using RELP, a line similar to the following should be present:<\/p>\n
 *.* :omrelp:loghost.example.com<\/i><\/pre>\n
If none of these are present, this is a finding.<\/td>\n
To configure rsyslog to send logs to a remote log server, open \/etc\/rsyslog.conf<\/code> and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com<\/i><\/code> appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
\nTo use UDP for log message delivery:<\/p>\n
*.* @loghost.example.com<\/i><\/pre>\n
To use TCP for log message delivery:<\/p>\n
*.* @@loghost.example.com<\/i><\/pre>\n
To use RELP for log message delivery:<\/p>\n
*.* :omrelp:loghost.example.com<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000137<\/td>\nCCI-000136<\/td>\nmedium<\/td>\nThe operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.<\/td>\nA log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.<\/td>\nTo ensure logs are sent to a remote host, examine the file \/etc\/rsyslog.conf<\/code>. If using UDP, a line similar to the following should be present:<\/p>\n
 *.* @loghost.example.com<\/i><\/pre>\n
If using TCP, a line similar to the following should be present:<\/p>\n
 *.* @@loghost.example.com<\/i><\/pre>\n
If using RELP, a line similar to the following should be present:<\/p>\n
 *.* :omrelp:loghost.example.com<\/i><\/pre>\n
If none of these are present, this is a finding.<\/td>\n
To configure rsyslog to send logs to a remote log server, open \/etc\/rsyslog.conf<\/code> and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com<\/i><\/code> appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
\nTo use UDP for log message delivery:<\/p>\n
*.* @loghost.example.com<\/i><\/pre>\n
To use TCP for log message delivery:<\/p>\n
*.* @@loghost.example.com<\/i><\/pre>\n
To use RELP for log message delivery:<\/p>\n
*.* :omrelp:loghost.example.com<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000138<\/td>\nCCI-000366<\/td>\nlow<\/td>\nSystem logs must be rotated daily.<\/td>\nLog files that are not properly rotated run the risk of growing so large that they fill up the \/var\/log partition. Valuable logging information could be lost if the \/var\/log partition becomes full.<\/td>\nTo determine the status and frequency of logrotate, run the following command:<\/p>\n
$ sudo grep logrotate \/var\/log\/cron*<\/pre>\n
If logrotate is configured properly, output should include references to \/etc\/cron.daily<\/code>. If logrotate is not configured to run daily, this is a finding.<\/td>\n
The logrotate<\/code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in \/etc\/logrotate.conf<\/code>, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in \/etc\/logrotate.conf<\/code>:<\/p>\n
# rotate log files frequency<\/i>\r\ndaily<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000139<\/td>\nCCI-000347<\/td>\nmedium<\/td>\nAuditing must be implemented.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000140<\/td>\nCCI-000157<\/td>\nmedium<\/td>\nThe operating system audit records must be able to be used by a report generation capability.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000142<\/td>\nCCI-000880<\/td>\nmedium<\/td>\nThe operating system must audit nonlocal maintenance and diagnostic sessions.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000143<\/td>\nCCI-001353<\/td>\nmedium<\/td>\nThe operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000145<\/td>\nCCI-001487<\/td>\nmedium<\/td>\nThe operating system must produce audit records containing sufficient information to establish the identity of any user\/subject associated with the event.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000148<\/td>\nCCI-000067<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000149<\/td>\nCCI-000158<\/td>\nmedium<\/td>\nThe operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000151<\/td>\nCCI-001190<\/td>\nmedium<\/td>\nThe operating system must fail to an organization defined known state for organization defined types of failures.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000154<\/td>\nCCI-000130<\/td>\nmedium<\/td>\nThe operating system must produce audit records containing sufficient information to establish what type of events occurred.<\/td>\nEnsuring the auditd<\/code> service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.<\/td>\nRun the following command to determine the current status of the auditd<\/code> service:<\/p>\n
# service auditd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
auditd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The auditd<\/code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 auditd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000157<\/td>\nCCI-001464<\/td>\nlow<\/td>\nAuditing must be enabled at boot by setting a kernel parameter.<\/td>\nEach process on the system carries an “auditable” flag which indicates whether its activities can be audited. Although auditd<\/code> takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.<\/td>\nInspect the kernel boot arguments (which follow the word kernel<\/code>) in \/etc\/grub.conf<\/code>. If they include audit=1<\/code>, then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding.<\/td>\nTo ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1<\/code> to the kernel line in \/etc\/grub.conf<\/code>, in the manner below:<\/p>\n
kernel \/vmlinuz-version ro vga=ext root=\/dev\/VolGroup00\/LogVol00 rhgb quiet audit=1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000159<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must retain enough rotated audit logs to cover the required log retention period.<\/td>\nThe total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.<\/td>\nInspect \/etc\/audit\/auditd.conf<\/code> and locate the following line to determine how many logs the system is configured to retain after rotation: $ sudo grep num_logs \/etc\/audit\/auditd.conf<\/code><\/p>\n
num_logs = 5<\/pre>\n
If the system log file retention has not been properly configured, this is a finding.<\/td>\n
Determine how many log files auditd<\/code> should retain when it rotates logs. Edit the file \/etc\/audit\/auditd.conf<\/code>. Add or modify the following line, substituting NUMLOGS<\/i> with the correct value of:<\/p>\n
num_logs = NUMLOGS<\/i><\/pre>\n
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.<\/td>\n<\/tr>\n
RHEL-06-000160<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must set a maximum audit log file size.<\/td>\nThe total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.<\/td>\nInspect \/etc\/audit\/auditd.conf<\/code> and locate the following line to determine how much data the system will retain in each audit log file: $ sudo grep max_log_file \/etc\/audit\/auditd.conf<\/code><\/p>\n
max_log_file = 6<\/pre>\n
If the system audit data threshold has not been properly configured, this is a finding.<\/td>\n
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file \/etc\/audit\/auditd.conf<\/code>. Add or modify the following line, substituting the correct value of for STOREMB<\/i>:<\/p>\n
max_log_file = STOREMB<\/i><\/pre>\n
Set the value to 6<\/code> (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.<\/td>\n<\/tr>\n
RHEL-06-000161<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe system must rotate audit log files that reach the maximum file size.<\/td>\nAutomatically rotating logs (by setting this to rotate<\/code>) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs<\/code> can be employed.<\/td>\nInspect \/etc\/audit\/auditd.conf<\/code> and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: $ sudo grep max_log_file_action \/etc\/audit\/auditd.conf<\/code><\/p>\n
max_log_file_action rotate<\/code><\/pre>\n
If the system has not been properly configured to rotate audit logs, this is a finding.<\/td>\n
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd<\/code>, add or correct the line in \/etc\/audit\/auditd.conf<\/code>:<\/p>\n
max_log_file_action = ACTION<\/i><\/pre>\n
Possible values for ACTION<\/i> are described in the auditd.conf<\/code> man page. These include:<\/p>\n
    \n
  • ignore<\/code><\/li>\n
  • syslog<\/code><\/li>\n
  • suspend<\/code><\/li>\n
  • rotate<\/code><\/li>\n
  • keep_logs<\/code><\/li>\n<\/ul>\n
    Set the ACTION<\/i><\/code> to rotate<\/code> to ensure log rotation occurs. This is the default. The setting is case-insensitive.<\/td>\n<\/tr>\n
RHEL-06-000165<\/td>\nCCI-000169<\/td>\nlow<\/td>\nThe audit system must be configured to audit all attempts to alter system time through adjtimex.<\/td>\nArbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.<\/td>\nTo determine if the system is configured to audit calls to the adjtimex<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep adjtimex<\/pre>\n
If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.<\/td>\n
On a 32-bit system, add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
# audit_time_rules\r\n-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules<\/pre>\n
On a 64-bit system, add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
# audit_time_rules\r\n-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules<\/pre>\n
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:<\/p>\n
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime \r\n-k audit_time_rules<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000167<\/td>\nCCI-000169<\/td>\nlow<\/td>\nThe audit system must be configured to audit all attempts to alter system time through settimeofday.<\/td>\nArbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.<\/td>\nTo determine if the system is configured to audit calls to the settimeofday<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep settimeofday<\/pre>\n
If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.<\/td>\n
On a 32-bit system, add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
# audit_time_rules\r\n-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules<\/pre>\n
On a 64-bit system, add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
# audit_time_rules\r\n-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules<\/pre>\n
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:<\/p>\n
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime \r\n-k audit_time_rules<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000169<\/td>\nCCI-000169<\/td>\nlow<\/td>\nThe audit system must be configured to audit all attempts to alter system time through stime.<\/td>\nArbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.<\/td>\nIf the system is 64-bit only, this is not applicable.
\nTo determine if the system is configured to audit calls to the stime<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep stime<\/pre>\n
If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.<\/td>\n
On a 32-bit system, add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
# audit_time_rules\r\n-a always,exit -F arch=b32 -S stime -k audit_time_rules<\/pre>\n
On a 64-bit system, the “-S stime” is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:<\/p>\n
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime \r\n-k audit_time_rules<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000171<\/td>\nCCI-000169<\/td>\nlow<\/td>\nThe audit system must be configured to audit all attempts to alter system time through clock_settime.<\/td>\nArbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.<\/td>\nTo determine if the system is configured to audit calls to the clock_settime<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep clock_settime<\/pre>\n
If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.<\/td>\n
On a 32-bit system, add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
# audit_time_rules\r\n-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules<\/pre>\n
On a 64-bit system, add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
# audit_time_rules\r\n-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules<\/pre>\n
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:<\/p>\n
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime \r\n-k audit_time_rules<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000173<\/td>\nCCI-000169<\/td>\nlow<\/td>\nThe audit system must be configured to audit all attempts to alter system time through \/etc\/localtime.<\/td>\nArbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.<\/td>\nTo determine if the system is configured to audit attempts to alter time via the \/etc\/localtime file, run the following command:<\/p>\n
$ sudo auditctl -l | grep \"watch=\/etc\/localtime\"<\/pre>\n
If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-w \/etc\/localtime -p wa -k audit_time_rules<\/pre>\n
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.<\/td>\n<\/tr>\n
RHEL-06-000174<\/td>\nCCI-000018<\/td>\nlow<\/td>\nThe operating system must automatically audit account creation.<\/td>\nIn addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.<\/td>\nTo determine if the system is configured to audit account changes, run the following command:<\/p>\n
auditctl -l | egrep '(\/etc\/passwd|\/etc\/shadow|\/etc\/group|\/etc\/gshadow|\/etc\/security\/opasswd)'<\/pre>\n
If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa<\/code> for each). If the system is not configured to audit account changes, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code>, in order to capture events that modify account changes:<\/p>\n
# audit_account_changes\r\n-w \/etc\/group -p wa -k audit_account_changes\r\n-w \/etc\/passwd -p wa -k audit_account_changes\r\n-w \/etc\/gshadow -p wa -k audit_account_changes\r\n-w \/etc\/shadow -p wa -k audit_account_changes\r\n-w \/etc\/security\/opasswd -p wa -k audit_account_changes<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000175<\/td>\nCCI-001403<\/td>\nlow<\/td>\nThe operating system must automatically audit account modification.<\/td>\nIn addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.<\/td>\nTo determine if the system is configured to audit account changes, run the following command:<\/p>\n
auditctl -l | egrep '(\/etc\/passwd|\/etc\/shadow|\/etc\/group|\/etc\/gshadow|\/etc\/security\/opasswd)'<\/pre>\n
If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa<\/code> for each). If the system is not configured to audit account changes, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code>, in order to capture events that modify account changes:<\/p>\n
# audit_account_changes\r\n-w \/etc\/group -p wa -k audit_account_changes\r\n-w \/etc\/passwd -p wa -k audit_account_changes\r\n-w \/etc\/gshadow -p wa -k audit_account_changes\r\n-w \/etc\/shadow -p wa -k audit_account_changes\r\n-w \/etc\/security\/opasswd -p wa -k audit_account_changes<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000176<\/td>\nCCI-001404<\/td>\nlow<\/td>\nThe operating system must automatically audit account disabling actions.<\/td>\nIn addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.<\/td>\nTo determine if the system is configured to audit account changes, run the following command:<\/p>\n
auditctl -l | egrep '(\/etc\/passwd|\/etc\/shadow|\/etc\/group|\/etc\/gshadow|\/etc\/security\/opasswd)'<\/pre>\n
If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa<\/code> for each). If the system is not configured to audit account changes, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code>, in order to capture events that modify account changes:<\/p>\n
# audit_account_changes\r\n-w \/etc\/group -p wa -k audit_account_changes\r\n-w \/etc\/passwd -p wa -k audit_account_changes\r\n-w \/etc\/gshadow -p wa -k audit_account_changes\r\n-w \/etc\/shadow -p wa -k audit_account_changes\r\n-w \/etc\/security\/opasswd -p wa -k audit_account_changes<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000177<\/td>\nCCI-001405<\/td>\nlow<\/td>\nThe operating system must automatically audit account termination.<\/td>\nIn addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.<\/td>\nTo determine if the system is configured to audit account changes, run the following command:<\/p>\n
auditctl -l | egrep '(\/etc\/passwd|\/etc\/shadow|\/etc\/group|\/etc\/gshadow|\/etc\/security\/opasswd)'<\/pre>\n
If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa<\/code> for each). If the system is not configured to audit account changes, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code>, in order to capture events that modify account changes:<\/p>\n
# audit_account_changes\r\n-w \/etc\/group -p wa -k audit_account_changes\r\n-w \/etc\/passwd -p wa -k audit_account_changes\r\n-w \/etc\/gshadow -p wa -k audit_account_changes\r\n-w \/etc\/shadow -p wa -k audit_account_changes\r\n-w \/etc\/security\/opasswd -p wa -k audit_account_changes<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000182<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe audit system must be configured to audit modifications to the systems network configuration.<\/td>\nThe network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.<\/td>\nTo determine if the system is configured to audit changes to its network configuration, run the following command:<\/p>\n
auditctl -l | egrep '(\/etc\/issue|\/etc\/issue.net|\/etc\/hosts|\/etc\/sysconfig\/network)'<\/pre>\n
If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and perm=wa<\/code> should be indicated for each). If the system is not configured to audit changes of the network configuration, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code>, setting ARCH to either b32 or b64 as appropriate for your system:<\/p>\n
# audit_network_modifications\r\n-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications\r\n-w \/etc\/issue -p wa -k audit_network_modifications\r\n-w \/etc\/issue.net -p wa -k audit_network_modifications\r\n-w \/etc\/hosts -p wa -k audit_network_modifications\r\n-w \/etc\/sysconfig\/network -p wa -k audit_network_modifications<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000183<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe audit system must be configured to audit modifications to the system’s Mandatory Access Control (MAC) configuration (SELinux).<\/td>\nThe system’s mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.<\/td>\nTo determine if the system is configured to audit changes to its SELinux configuration files, run the following command:<\/p>\n
$ sudo auditctl -l | grep \"dir=\/etc\/selinux\"<\/pre>\n
If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including perm=wa<\/code> indicating permissions that are watched). If the system is not configured to audit attempts to change the MAC policy, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-w \/etc\/selinux\/ -p wa -k MAC-policy<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000184<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using chmod.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the chmod<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep chmod<\/pre>\n
If the system is configured to audit this activity, it will return a line. If the system is not configured to audit permission changes, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000185<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using chown.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the chown<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep chown<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000186<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using fchmod.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the fchmod<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep fchmod<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000187<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using fchmodat.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the fchmodat<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep fchmodat<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000188<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using fchown.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the fchown<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep fchown<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000189<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using fchownat.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the fchownat<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep fchownat<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000190<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the fremovexattr<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep fremovexattr<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000191<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the fsetxattr<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep fsetxattr<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000192<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using lchown.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the lchown<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep lchown<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000193<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the lremovexattr<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep lremovexattr<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000194<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the lsetxattr<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep lsetxattr<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000195<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using removexattr.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the removexattr<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep removexattr<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000196<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit all discretionary access control permission modifications using setxattr.<\/td>\nThe changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.<\/td>\nTo determine if the system is configured to audit calls to the setxattr<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep setxattr<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file permission changes for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n
If the system is 64 bit then also add the following:<\/p>\n
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000197<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit failed attempts to access files and programs.<\/td>\nUnsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.<\/td>\nTo verify that the audit system collects unauthorized file accesses, run the following commands:<\/p>\n
$ sudo grep EACCES \/etc\/audit\/audit.rules<\/pre>\n
$ sudo grep EPERM \/etc\/audit\/audit.rules<\/pre>\n
If 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM, this is a finding.<\/td>\n
At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access\r\n-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access\r\n-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access\r\n-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000198<\/td>\nCCI-000040<\/td>\nlow<\/td>\nThe audit system must be configured to audit all use of setuid programs.<\/td>\nPrivileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.<\/td>\nTo verify that auditing of privileged command use is configured, run the following command to find relevant setuid \/ setgid programs:<\/p>\n
$ sudo find \/ -xdev -type f -perm -4000 -o -perm -2000 2>\/dev\/null<\/pre>\n
Run the following command to verify entries in the audit rules for all programs found with the previous command:<\/p>\n
$ sudo grep path \/etc\/audit\/audit.rules<\/pre>\n
It should be the case that all relevant setuid \/ setgid programs have a line in the audit rules. If it is not the case, this is a finding.<\/td>\n
At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid \/ setgid programs:<\/p>\n
$ sudo find \/ -xdev -type f -perm -4000 -o -perm -2000 2>\/dev\/null<\/pre>\n
Then, for each setuid \/ setgid program on the system, add a line of the following form to \/etc\/audit\/audit.rules<\/code>, where SETUID_PROG_PATH<\/i> is the full path to each setuid \/ setgid program in the list:<\/p>\n
-a always,exit -F path=SETUID_PROG_PATH<\/i> -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000199<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit successful file system mounts.<\/td>\nThe unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.<\/td>\nTo verify that auditing is configured for all media exportation events, run the following command:<\/p>\n
$ sudo auditctl -l | grep syscall | grep mount<\/pre>\n
If there is not output, this is a finding.<\/td>\n
At a minimum the audit system should collect media exportation events for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>, setting ARCH to either b32 or b64 as appropriate for your system:<\/p>\n
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000200<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit user deletions of files and programs.<\/td>\nAuditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.<\/td>\nTo determine if the system is configured to audit calls to the unlink<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep unlink<\/pre>\n
If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the unlinkat<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep unlinkat<\/pre>\n
If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the rename<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep rename<\/pre>\n
If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the renameat<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep renameat<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
At a minimum the audit system should collect file deletion events for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>, setting ARCH to either b32 or b64 as appropriate for your system:<\/p>\n
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000201<\/td>\nCCI-000172<\/td>\nlow<\/td>\nThe audit system must be configured to audit changes to the “\/etc\/sudoers” file.<\/td>\nThe actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.<\/td>\nTo verify that auditing is configured for system administrator actions, run the following command:<\/p>\n
$ sudo auditctl -l | grep \"watch=\/etc\/sudoers\"<\/pre>\n
If there is not output, this is a finding.<\/td>\n
At a minimum the audit system should collect administrator actions for all users and root. Add the following to \/etc\/audit\/audit.rules<\/code>:<\/p>\n
-w \/etc\/sudoers -p wa -k actions<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000202<\/td>\nCCI-000172<\/td>\nmedium<\/td>\nThe audit system must be configured to audit the loading and unloading of dynamic kernel modules.<\/td>\nThe addition\/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.<\/td>\nTo determine if the system is configured to audit calls to the init_module<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep init_module<\/pre>\n
If the system is configured to audit this activity, it will return a line. To determine if the system is configured to audit calls to the delete_module<\/code> system call, run the following command:<\/p>\n
# auditctl -l | grep syscall | grep delete_module<\/pre>\n
If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.<\/td>\n
Add the following to \/etc\/audit\/audit.rules<\/code> in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:<\/p>\n
-w \/sbin\/insmod -p x -k modules\r\n-w \/sbin\/rmmod -p x -k modules\r\n-w \/sbin\/modprobe -p x -k modules\r\n-a always,exit -F arch=ARCH<\/i> -S init_module -S delete_module -k modules<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000203<\/td>\nCCI-000382<\/td>\nmedium<\/td>\nThe xinetd service must be disabled if no network services utilizing it are enabled.<\/td>\nThe xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.<\/td>\nIf network services are using the xinetd service, this is not applicable.<\/p>\n

To check that the xinetd<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n

# chkconfig xinetd<\/code> --list<\/pre>\n
Output should indicate the xinetd<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig xinetd<\/code> --list\r\nxinetd<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify xinetd<\/code> is disabled through current runtime configuration:<\/p>\n
# service xinetd status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
xinetd is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The xinetd<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig xinetd off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000204<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe xinetd service must be uninstalled if no network services utilizing it are enabled.<\/td>\nRemoving the xinetd<\/code> package decreases the risk of the xinetd service’s accidental (or intentional) activation.<\/td>\nIf network services are using the xinetd service, this is not applicable.<\/p>\n

Run the following command to determine if the xinetd<\/code> package is installed:<\/p>\n

# rpm -q xinetd<\/pre>\n
If the package is installed, this is a finding.<\/td>\n
The xinetd<\/code> package can be uninstalled with the following command:<\/p>\n
$ sudo yum erase xinetd<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000206<\/td>\nCCI-000381<\/td>\nhigh<\/td>\nThe telnet-server package must not be installed.<\/td>\nRemoving the telnet-server<\/code> package decreases the risk of the telnet service’s accidental (or intentional) activation.<\/td>\nRun the following command to determine if the telnet-server<\/code> package is installed:<\/p>\n
# rpm -q telnet-server<\/pre>\n
If the package is installed, this is a finding.<\/td>\n
The telnet-server<\/code> package can be uninstalled with the following command:<\/p>\n
$ sudo yum erase telnet-server<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000211<\/td>\nCCI-000888<\/td>\nhigh<\/td>\nThe telnet daemon must not be running.<\/td>\nThe telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.<\/td>\nTo check that the telnet<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig telnet<\/code> --list<\/pre>\n
Output should indicate the telnet<\/code> service has either not been installed, or has been disabled, as shown in the example below:<\/p>\n
# chkconfig telnet<\/code> --list\r\ntelnet<\/code>       off<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The telnet<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig telnet off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000213<\/td>\nCCI-000381<\/td>\nhigh<\/td>\nThe rsh-server package must not be installed.<\/td>\nThe rsh-server<\/code> package provides several obsolete and insecure network services. Removing it decreases the risk of those services’ accidental (or intentional) activation.<\/td>\nRun the following command to determine if the rsh-server<\/code> package is installed:<\/p>\n
# rpm -q rsh-server<\/pre>\n
If the package is installed, this is a finding.<\/td>\n
The rsh-server<\/code> package can be uninstalled with the following command:<\/p>\n
$ sudo yum erase rsh-server<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000214<\/td>\nCCI-000068<\/td>\nhigh<\/td>\nThe rshd service must not be running.<\/td>\nThe rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.<\/td>\nTo check that the rsh<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig rsh<\/code> --list<\/pre>\n
Output should indicate the rsh<\/code> service has either not been installed, or has been disabled, as shown in the example below:<\/p>\n
# chkconfig rsh<\/code> --list\r\nrsh<\/code>       off<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The rsh<\/code> service, which is available with the rsh-server<\/code> package and runs as a service through xinetd, should be disabled. The rsh<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig rsh off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000216<\/td>\nCCI-000068<\/td>\nhigh<\/td>\nThe rexecd service must not be running.<\/td>\nThe rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.<\/td>\nTo check that the rexec<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig rexec<\/code> --list<\/pre>\n
Output should indicate the rexec<\/code> service has either not been installed, or has been disabled, as shown in the example below:<\/p>\n
# chkconfig rexec<\/code> --list\r\nrexec<\/code>       off<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The rexec<\/code> service, which is available with the rsh-server<\/code> package and runs as a service through xinetd, should be disabled. The rexec<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig rexec off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000218<\/td>\nCCI-001436<\/td>\nhigh<\/td>\nThe rlogind service must not be running.<\/td>\nThe rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.<\/td>\nTo check that the rlogin<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig rlogin<\/code> --list<\/pre>\n
Output should indicate the rlogin<\/code> service has either not been installed, or has been disabled, as shown in the example below:<\/p>\n
# chkconfig rlogin<\/code> --list\r\nrlogin<\/code>       off<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The rlogin<\/code> service, which is available with the rsh-server<\/code> package and runs as a service through xinetd, should be disabled. The rlogin<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig rlogin off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000220<\/td>\nCCI-000381<\/td>\nmedium<\/td>\nThe ypserv package must not be installed.<\/td>\nRemoving the ypserv<\/code> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.<\/td>\nRun the following command to determine if the ypserv<\/code> package is installed:<\/p>\n
# rpm -q ypserv<\/pre>\n
If the package is installed, this is a finding.<\/td>\n
The ypserv<\/code> package can be uninstalled with the following command:<\/p>\n
$ sudo yum erase ypserv<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000221<\/td>\nCCI-000382<\/td>\nmedium<\/td>\nThe ypbind service must not be running.<\/td>\nDisabling the ypbind<\/code> service ensures the system is not acting as a client in a NIS or NIS+ domain.<\/td>\nTo check that the ypbind<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig ypbind<\/code> --list<\/pre>\n
Output should indicate the ypbind<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig ypbind<\/code> --list\r\nypbind<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify ypbind<\/code> is disabled through current runtime configuration:<\/p>\n
# service ypbind status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
ypbind is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The ypbind<\/code> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ypbind<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig ypbind off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000222<\/td>\nCCI-000381<\/td>\nmedium<\/td>\nThe tftp-server package must not be installed.<\/td>\nRemoving the tftp-server<\/code> package decreases the risk of the accidental (or intentional) activation of tftp services.<\/td>\nRun the following command to determine if the tftp-server<\/code> package is installed:<\/p>\n
# rpm -q tftp-server<\/pre>\n
If the package is installed, this is a finding.<\/td>\n
The tftp-server<\/code> package can be removed with the following command:<\/p>\n
# yum erase tftp-server<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000223<\/td>\nCCI-001436<\/td>\nmedium<\/td>\nThe TFTP service must not be running.<\/td>\nDisabling the tftp<\/code> service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.<\/td>\nTo check that the tftp<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig tftp<\/code> --list<\/pre>\n
Output should indicate the tftp<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig tftp<\/code> --list\r\ntftp<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify tftp<\/code> is disabled through current runtime configuration:<\/p>\n
# service tftp status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
tftp is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The tftp<\/code> service should be disabled. The tftp<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig tftp off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000224<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe cron service must be running.<\/td>\nDue to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.<\/td>\nRun the following command to determine the current status of the crond<\/code> service:<\/p>\n
# service crond status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
crond is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The crond<\/code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 crond on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000227<\/td>\nCCI-000774<\/td>\nhigh<\/td>\nThe SSH daemon must be configured to use only the SSHv2 protocol.<\/td>\nSSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.<\/td>\nTo check which SSH protocol version is allowed, run the following command:<\/p>\n
$ sudo grep Protocol \/etc\/ssh\/sshd_config<\/pre>\n
If configured properly, output should be<\/p>\n
Protocol 2<\/pre>\n
If it is not, this is a finding.<\/td>\n
Only SSH protocol version 2 connections should be permitted. The default setting in \/etc\/ssh\/sshd_config<\/code> is correct, and can be verified by ensuring that the following line appears:<\/p>\n
Protocol 2<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000230<\/td>\nCCI-001133<\/td>\nlow<\/td>\nThe SSH daemon must set a timeout interval on idle sessions.<\/td>\nCausing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.<\/td>\nRun the following command to see what the timeout interval is:<\/p>\n
$ sudo grep ClientAliveInterval \/etc\/ssh\/sshd_config<\/pre>\n
If properly configured, the output should be:<\/p>\n
ClientAliveInterval 900<\/pre>\n
If it is not, this is a finding.<\/td>\n
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.<\/p>\n

To set an idle timeout interval, edit the following line in \/etc\/ssh\/sshd_config<\/code> as follows:<\/p>\n

ClientAliveInterval <\/b><\/pre>\n
The timeout interval<\/b> is given in seconds. To have a timeout of 15 minutes, set interval<\/b> to 900.<\/p>\n
If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.<\/td>\n<\/tr>\n
RHEL-06-000231<\/td>\nCCI-000879<\/td>\nlow<\/td>\nThe SSH daemon must set a timeout count on idle sessions.<\/td>\nThis ensures a user login will be terminated as soon as the ClientAliveCountMax<\/code> is reached.<\/td>\nTo ensure the SSH idle timeout will occur when the ClientAliveCountMax<\/code> is set, run the following command:<\/p>\n
$ sudo grep ClientAliveCountMax \/etc\/ssh\/sshd_config<\/pre>\n
If properly configured, output should be:<\/p>\n
ClientAliveCountMax 0<\/pre>\n
If it is not, this is a finding.<\/td>\n
To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax<\/code> is set, edit \/etc\/ssh\/sshd_config<\/code> as follows:<\/p>\n
ClientAliveCountMax 0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000234<\/td>\nCCI-000766<\/td>\nmedium<\/td>\nThe SSH daemon must ignore .rhosts files.<\/td>\nSSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.<\/td>\nTo determine how the SSH daemon’s IgnoreRhosts<\/code> option is set, run the following command:<\/p>\n
# grep -i IgnoreRhosts \/etc\/ssh\/sshd_config<\/pre>\n
If no line, a commented line, or a line indicating the value yes<\/code> is returned, then the required value is set. If the required value is not set, this is a finding.<\/td>\n
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts<\/code> files.<\/p>\n

To ensure this behavior is disabled, add or correct the following line in \/etc\/ssh\/sshd_config<\/code>:<\/p>\n

IgnoreRhosts yes<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000235<\/td>\nCCI-000765<\/td>\nmedium<\/td>\nThe SSH daemon must not allow host-based authentication.<\/td>\nSSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.<\/td>\nTo determine how the SSH daemon’s HostbasedAuthentication<\/code> option is set, run the following command:<\/p>\n
# grep -i HostbasedAuthentication \/etc\/ssh\/sshd_config<\/pre>\n
If no line, a commented line, or a line indicating the value no<\/code> is returned, then the required value is set. If the required value is not set, this is a finding.<\/td>\n
SSH’s cryptographic host-based authentication is more secure than .rhosts<\/code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.<\/p>\n

To disable host-based authentication, add or correct the following line in \/etc\/ssh\/sshd_config<\/code>:<\/p>\n

HostbasedAuthentication no<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000236<\/td>\nCCI-000766<\/td>\nmedium<\/td>\nThe SSH daemon must not allow host-based authentication.<\/td>\nSSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.<\/td>\nTo determine how the SSH daemon’s HostbasedAuthentication<\/code> option is set, run the following command:<\/p>\n
# grep -i HostbasedAuthentication \/etc\/ssh\/sshd_config<\/pre>\n
If no line, a commented line, or a line indicating the value no<\/code> is returned, then the required value is set. If the required value is not set, this is a finding.<\/td>\n
SSH’s cryptographic host-based authentication is more secure than .rhosts<\/code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.<\/p>\n

To disable host-based authentication, add or correct the following line in \/etc\/ssh\/sshd_config<\/code>:<\/p>\n

HostbasedAuthentication no<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000237<\/td>\nCCI-000770<\/td>\nmedium<\/td>\nThe system must not permit root logins using remote access programs such as ssh.<\/td>\nPermitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root’s password.<\/td>\nTo determine how the SSH daemon’s PermitRootLogin<\/code> option is set, run the following command:<\/p>\n
# grep -i PermitRootLogin \/etc\/ssh\/sshd_config<\/pre>\n
If a line indicating no is returned, then the required value is set. If the required value is not set, this is a finding.<\/td>\n
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in \/etc\/ssh\/sshd_config<\/code>:<\/p>\n
PermitRootLogin no<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000239<\/td>\nCCI-000766<\/td>\nhigh<\/td>\nThe SSH daemon must not allow authentication using an empty password.<\/td>\nConfiguring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.<\/td>\nTo determine how the SSH daemon’s PermitEmptyPasswords<\/code> option is set, run the following command:<\/p>\n
# grep -i PermitEmptyPasswords \/etc\/ssh\/sshd_config<\/pre>\n
If no line, a commented line, or a line indicating the value no<\/code> is returned, then the required value is set. If the required value is not set, this is a finding.<\/td>\n
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in \/etc\/ssh\/sshd_config<\/code>:<\/p>\n
PermitEmptyPasswords no<\/pre>\n
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.<\/td>\n<\/tr>\n
RHEL-06-000240<\/td>\nCCI-000048<\/td>\nmedium<\/td>\nThe SSH daemon must be configured with the Department of Defense (DoD) login banner.<\/td>\nThe warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.<\/td>\nTo determine how the SSH daemon’s Banner<\/code> option is set, run the following command:<\/p>\n
# grep -i Banner \/etc\/ssh\/sshd_config<\/pre>\n
If a line indicating \/etc\/issue is returned, then the required value is set. If the required value is not set, this is a finding.<\/td>\n
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in \/etc\/ssh\/sshd_config<\/code>:<\/p>\n
Banner \/etc\/issue<\/pre>\n
Another section contains information on how to create an appropriate system-wide warning banner.<\/td>\n<\/tr>\n
RHEL-06-000241<\/td>\nCCI-001414<\/td>\nlow<\/td>\nThe SSH daemon must not permit user environment settings.<\/td>\nSSH environment options potentially allow users to bypass access restriction in some configurations.<\/td>\nTo ensure users are not able to present environment daemons, run the following command:<\/p>\n
$ sudo grep PermitUserEnvironment \/etc\/ssh\/sshd_config<\/pre>\n
If properly configured, output should be:<\/p>\n
PermitUserEnvironment no<\/pre>\n
If it is not, this is a finding.<\/td>\n
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in \/etc\/ssh\/sshd_config<\/code>:<\/p>\n
PermitUserEnvironment no<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000243<\/td>\nCCI-001144<\/td>\nmedium<\/td>\nThe SSH daemon must be configured to use only FIPS 140-2 approved ciphers.<\/td>\nApproved algorithms should impart some level of confidence in their implementation. These are also required for compliance.<\/td>\nOnly FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:<\/p>\n
$ sudo grep Ciphers \/etc\/ssh\/sshd_config<\/pre>\n
The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers. If that is not the case, this is a finding.<\/td>\n
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in \/etc\/ssh\/sshd_config<\/code> demonstrates use of FIPS-approved ciphers:<\/p>\n
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc<\/pre>\n
The man page sshd_config(5)<\/code> contains a list of supported ciphers.<\/td>\n<\/tr>\n
RHEL-06-000244<\/td>\nCCI-001145<\/td>\nmedium<\/td>\nThe operating system must employ FIPS-validated cryptography to protect unclassified information.<\/td>\nApproved algorithms should impart some level of confidence in their implementation. These are also required for compliance.<\/td>\nOnly FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:<\/p>\n
$ sudo grep Ciphers \/etc\/ssh\/sshd_config<\/pre>\n
The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers. If that is not the case, this is a finding.<\/td>\n
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in \/etc\/ssh\/sshd_config<\/code> demonstrates use of FIPS-approved ciphers:<\/p>\n
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc<\/pre>\n
The man page sshd_config(5)<\/code> contains a list of supported ciphers.<\/td>\n<\/tr>\n
RHEL-06-000245<\/td>\nCCI-001146<\/td>\nmedium<\/td>\nThe operating system must employ NSA-approved cryptography to protect classified information.<\/td>\nApproved algorithms should impart some level of confidence in their implementation. These are also required for compliance.<\/td>\nOnly FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:<\/p>\n
$ sudo grep Ciphers \/etc\/ssh\/sshd_config<\/pre>\n
The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers. If that is not the case, this is a finding.<\/td>\n
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in \/etc\/ssh\/sshd_config<\/code> demonstrates use of FIPS-approved ciphers:<\/p>\n
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc<\/pre>\n
The man page sshd_config(5)<\/code> contains a list of supported ciphers.<\/td>\n<\/tr>\n
RHEL-06-000246<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe avahi service must be disabled.<\/td>\nBecause the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.<\/td>\nTo check that the avahi-daemon<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig avahi-daemon<\/code> --list<\/pre>\n
Output should indicate the avahi-daemon<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig avahi-daemon<\/code> --list\r\navahi-daemon<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify avahi-daemon<\/code> is disabled through current runtime configuration:<\/p>\n
# service avahi-daemon status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
avahi-daemon is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The avahi-daemon<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig avahi-daemon off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000247<\/td>\nCCI-000160<\/td>\nmedium<\/td>\nThe system clock must be synchronized continuously, or at least daily.<\/td>\nEnabling the ntpd<\/code> service ensures that the ntpd<\/code> service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.<\/p>\n

The NTP daemon offers all of the functionality of ntpdate<\/code>, which is now deprecated. Additional information on this is available at http:\/\/support.ntp.org\/bin\/view\/Dev\/DeprecatingNtpdate<\/td>\n

Run the following command to determine the current status of the ntpd<\/code> service:<\/p>\n
# service ntpd status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
ntpd is running...<\/pre>\n
If the service is not running, this is a finding.<\/td>\n
The ntpd<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 ntpd on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000248<\/td>\nCCI-000160<\/td>\nmedium<\/td>\nThe system clock must be synchronized to an authoritative DoD time source.<\/td>\nSynchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.<\/td>\nTo verify that a remote NTP service is configured for time synchronization, open the following file:<\/p>\n
\/etc\/ntp.conf<\/pre>\n
In the file, there should be a section similar to the following:<\/p>\n
server ntpserver<\/i><\/pre>\n
If this is not the case, this is a finding.<\/td>\n
To specify a remote NTP server for time synchronization, edit the file \/etc\/ntp.conf<\/code>. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver<\/em>:<\/p>\n
server ntpserver<\/i><\/pre>\n
This instructs the NTP software to contact that remote server to obtain time data.<\/td>\n<\/tr>\n
RHEL-06-000249<\/td>\nCCI-000382<\/td>\nmedium<\/td>\nMail relaying must be restricted.<\/td>\nThis ensures postfix<\/code> accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.<\/td>\nRun the following command to ensure postfix accepts mail messages from only the local system:<\/p>\n
$ grep inet_interfaces \/etc\/postfix\/main.cf<\/pre>\n
If properly configured, the output should show only localhost<\/code>. If it does not, this is a finding.<\/td>\n
Edit the file \/etc\/postfix\/main.cf<\/code> to ensure that only the following inet_interfaces<\/code> line appears:<\/p>\n
inet_interfaces = localhost<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000252<\/td>\nCCI-001453<\/td>\nmedium<\/td>\nIf the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.<\/td>\nThe ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.<\/td>\nTo ensure LDAP is configured to use TLS for all transactions, run the following command:<\/p>\n
$ grep start_tls \/etc\/pam_ldap.conf<\/pre>\n
If no lines are returned, this is a finding.<\/td>\n
Configure LDAP to enforce TLS use. First, edit the file \/etc\/pam_ldap.conf<\/code>, and add or correct the following lines:<\/p>\n
ssl start_tls<\/pre>\n
Then review the LDAP server and ensure TLS has been configured.<\/td>\n<\/tr>\n
RHEL-06-000253<\/td>\nCCI-000776<\/td>\nmedium<\/td>\nThe LDAP client must use a TLS connection using trust certificates signed by the site CA.<\/td>\nThe tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.<\/td>\nTo ensure TLS is configured with trust certificates, run the following command:<\/p>\n
$ grep cert \/etc\/pam_ldap.conf<\/pre>\n
If there is no output, or the lines are commented out, this is a finding.<\/td>\n
Ensure a copy of a trusted CA certificate has been placed in the file \/etc\/pki\/tls\/CA\/cacert.pem<\/code>. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file \/etc\/pam_ldap.conf<\/code>, and add or correct either of the following lines:<\/p>\n
tls_cacertdir \/etc\/pki\/tls\/CA<\/pre>\n
or<\/p>\n
tls_cacertfile \/etc\/pki\/tls\/CA\/cacert.pem<\/pre>\n
Then review the LDAP server and ensure TLS has been configured.<\/td>\n<\/tr>\n
RHEL-06-000256<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe openldap-servers package must not be installed unless required.<\/td>\nUnnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.<\/td>\nTo verify the openldap-servers<\/code> package is not installed, run the following command:<\/p>\n
$ rpm -q openldap-servers<\/pre>\n
The output should show the following:<\/p>\n
package openldap-servers is not installed<\/pre>\n
If it does not, this is a finding.<\/td>\n
The openldap-servers<\/code> package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package.<\/p>\n
$ sudo yum erase openldap-servers<\/pre>\n
The openldap-servers RPM is not installed by default on RHEL 6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.<\/td>\n<\/tr>\n
RHEL-06-000257<\/td>\nCCI-000057<\/td>\nmedium<\/td>\nThe graphical desktop environment must set the idle timeout to no more than 15 minutes.<\/td>\nSetting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.<\/td>\nTo check the current idle time-out value, run the following command:<\/p>\n
$ gconftool-2 -g \/desktop\/gnome\/session\/idle_delay<\/pre>\n
If properly configured, the output should be 15<\/code>. If it is not, this is a finding.<\/td>\n
Run the following command to set the idle time-out value for inactivity in the GNOME desktop to minutes:<\/p>\n
$ sudo gconftool-2 \\\r\n  --direct \\\r\n  --config-source xml:readwrite:\/etc\/gconf\/gconf.xml.mandatory \\\r\n  --type int \\\r\n  --set \/desktop\/gnome\/session\/idle_delay<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000258<\/td>\nCCI-000057<\/td>\nmedium<\/td>\nThe graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment.<\/td>\nEnabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.<\/td>\nTo check the screensaver mandatory use status, run the following command:<\/p>\n
$ gconftool-2 -g \/apps\/gnome-screensaver\/idle_activation_enabled<\/pre>\n
If properly configured, the output should be true<\/code>. If it is not, this is a finding.<\/td>\n
Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity:<\/p>\n
$ sudo gconftool-2 --direct \\\r\n  --config-source xml:readwrite:\/etc\/gconf\/gconf.xml.mandatory \\\r\n  --type bool \\\r\n  --set \/apps\/gnome-screensaver\/idle_activation_enabled true<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000259<\/td>\nCCI-000057<\/td>\nmedium<\/td>\nThe graphical desktop environment must have automatic lock enabled.<\/td>\nEnabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.<\/td>\nTo check the status of the idle screen lock activation, run the following command:<\/p>\n
$ gconftool-2 -g \/apps\/gnome-screensaver\/lock_enabled<\/pre>\n
If properly configured, the output should be true<\/code>. If it is not, this is a finding.<\/td>\n
Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated:<\/p>\n
$ sudo gconftool-2 --direct \\\r\n  --config-source xml:readwrite:\/etc\/gconf\/gconf.xml.mandatory \\\r\n  --type bool \\\r\n  --set \/apps\/gnome-screensaver\/lock_enabled true<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000260<\/td>\nCCI-000060<\/td>\nlow<\/td>\nThe system must display a publicly-viewable pattern during a graphical desktop environment session lock.<\/td>\nSetting the screensaver mode to blank-only conceals the contents of the display from passersby.<\/td>\nTo ensure the screensaver is configured to be blank, run the following command:<\/p>\n
$ gconftool-2 -g \/apps\/gnome-screensaver\/mode<\/pre>\n
If properly configured, the output should be blank-only<\/code> If it is not, this is a finding.<\/td>\n
Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:<\/p>\n
$ sudo gconftool-2 --direct \\\r\n  --config-source xml:readwrite:\/etc\/gconf\/gconf.xml.mandatory \\\r\n  --type string \\\r\n  --set \/apps\/gnome-screensaver\/mode blank-only<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000261<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe Automatic Bug Reporting Tool (abrtd) service must not be running.<\/td>\nMishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process’s address space or registers.<\/td>\nTo check that the abrtd<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig abrtd<\/code> --list<\/pre>\n
Output should indicate the abrtd<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig abrtd<\/code> --list\r\nabrtd<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify abrtd<\/code> is disabled through current runtime configuration:<\/p>\n
# service abrtd status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
abrtd is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The Automatic Bug Reporting Tool (abrtd<\/code>) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrtd<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig abrtd off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000262<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe atd service must be disabled.<\/td>\nThe atd<\/code> service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at<\/code> or batch<\/code> is not common.<\/td>\nTo check that the atd<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig atd<\/code> --list<\/pre>\n
Output should indicate the atd<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig atd<\/code> --list\r\natd<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify atd<\/code> is disabled through current runtime configuration:<\/p>\n
# service atd status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
atd is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The at<\/code> and batch<\/code> commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd<\/code> keeps track of tasks scheduled via at<\/code> and batch<\/code>, and executes them at the specified time. The atd<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig atd off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000263<\/td>\nCCI-001250<\/td>\nlow<\/td>\nAutomated file system mounting tools must not be enabled unless needed.<\/td>\nDisabling the automounter permits the administrator to statically control filesystem mounting through \/etc\/fstab<\/code>.<\/td>\nTo check that the autofs<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig autofs<\/code> --list<\/pre>\n
Output should indicate the autofs<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig autofs<\/code> --list\r\nautofs<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify autofs<\/code> is disabled through current runtime configuration:<\/p>\n
# service autofs status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
autofs is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The autofs<\/code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as \/misc\/cd<\/code>. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing \/etc\/fstab<\/code> rather than relying on the automounter.<\/p>\n

The autofs<\/code> service can be disabled with the following command:<\/p>\n

# chkconfig autofs off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000265<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe ntpdate service must not be running.<\/td>\nThe ntpdate<\/code> service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.<\/td>\nTo check that the ntpdate<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig ntpdate<\/code> --list<\/pre>\n
Output should indicate the ntpdate<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig ntpdate<\/code> --list\r\nntpdate<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify ntpdate<\/code> is disabled through current runtime configuration:<\/p>\n
# service ntpdate status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
ntpdate is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The ntpdate<\/code> service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in \/etc\/ntp\/step-tickers<\/code> or \/etc\/ntp.conf<\/code> and then sets the local hardware clock to the newly synchronized system time. The ntpdate<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig ntpdate off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000266<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe oddjobd service must not be running.<\/td>\nThe oddjobd<\/code> service may provide necessary functionality in some environments, and can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.<\/td>\nTo check that the oddjobd<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig oddjobd<\/code> --list<\/pre>\n
Output should indicate the oddjobd<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig oddjobd<\/code> --list\r\noddjobd<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify oddjobd<\/code> is disabled through current runtime configuration:<\/p>\n
# service oddjobd status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
oddjobd is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The oddjobd<\/code> service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd<\/code> through the system message bus. The oddjobd<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig oddjobd off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000267<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe qpidd service must not be running.<\/td>\nThe qpidd service is automatically installed when the “base” package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the qpidd<\/code> service is not needed and should be disabled or removed.<\/td>\nTo check that the qpidd<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig qpidd<\/code> --list<\/pre>\n
Output should indicate the qpidd<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig qpidd<\/code> --list\r\nqpidd<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify qpidd<\/code> is disabled through current runtime configuration:<\/p>\n
# service qpidd status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
qpidd is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The qpidd<\/code> service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The qpidd<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig qpidd off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000268<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe rdisc service must not be running.<\/td>\nGeneral-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.<\/td>\nTo check that the rdisc<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig rdisc<\/code> --list<\/pre>\n
Output should indicate the rdisc<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig rdisc<\/code> --list\r\nrdisc<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify rdisc<\/code> is disabled through current runtime configuration:<\/p>\n
# service rdisc status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
rdisc is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The rdisc<\/code> service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. The rdisc<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig rdisc off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000269<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nRemote file systems must be mounted with the “nodev” option.<\/td>\nLegitimate device files should only exist in the \/dev directory. NFS mounts should not present device files to users.<\/td>\nTo verify the nodev<\/code> option is configured for all NFS mounts, run the following command:<\/p>\n
$ mount | grep nfs<\/pre>\n
All NFS mounts should show the nodev<\/code> setting in parentheses. This is not applicable if NFS is not implemented. If the setting does not show, this is a finding.<\/td>\n
Add the nodev<\/code> option to the fourth column of \/etc\/fstab<\/code> for the line which controls mounting of any NFS mounts.<\/td>\n<\/tr>\n
RHEL-06-000270<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nRemote file systems must be mounted with the “nosuid” option.<\/td>\nNFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.<\/td>\nTo verify the nosuid<\/code> option is configured for all NFS mounts, run the following command:<\/p>\n
$ mount | grep nfs<\/pre>\n
All NFS mounts should show the nosuid<\/code> setting in parentheses. This is not applicable if NFS is not implemented. If the setting does not show, this is a finding.<\/td>\n
Add the nosuid<\/code> option to the fourth column of \/etc\/fstab<\/code> for the line which controls mounting of any NFS mounts.<\/td>\n<\/tr>\n
RHEL-06-000271<\/td>\nCCI-000087<\/td>\nlow<\/td>\nThe noexec option must be added to removable media partitions.<\/td>\nAllowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.<\/td>\nTo verify that binaries cannot be directly executed from removable media, run the following command:<\/p>\n
$ grep -v noexec \/etc\/fstab<\/pre>\n
The resulting output will show partitions which do not have the noexec<\/code> flag. Verify all partitions in the output are not removable media. If removable media partitions are present, this is a finding.<\/td>\n
The noexec<\/code> mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec<\/code> option to the fourth column of \/etc\/fstab<\/code> for the line which controls mounting of any removable media partitions.<\/td>\n<\/tr>\n
RHEL-06-000272<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must use SMB client signing for connecting to samba servers using smbclient.<\/td>\nPacket signing can prevent man-in-the-middle attacks which modify SMB packets in transit.<\/td>\nTo verify that Samba clients running smbclient must use packet signing, run the following command:<\/p>\n
$ grep signing \/etc\/samba\/smb.conf<\/pre>\n
The output should show:<\/p>\n
client signing = mandatory<\/pre>\n
If it is not, this is a finding.<\/td>\n
To require samba clients running smbclient<\/code> to use packet signing, add the following to the [global]<\/code> section of the Samba configuration file, \/etc\/samba\/smb.conf<\/code>:<\/p>\n
client signing = mandatory<\/pre>\n
Requiring samba clients such as smbclient<\/code> to use packet signing ensures they can only communicate with servers that support packet signing.<\/td>\n<\/tr>\n
RHEL-06-000273<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must use SMB client signing for connecting to samba servers using mount.cifs.<\/td>\nPacket signing can prevent man-in-the-middle attacks which modify SMB packets in transit.<\/td>\nTo verify that Samba clients using mount.cifs must use packet signing, run the following command:<\/p>\n
$ grep sec \/etc\/fstab<\/pre>\n
The output should show either krb5i<\/code> or ntlmv2i<\/code> in use. If it does not, this is a finding.<\/td>\n
Require packet signing of clients who mount Samba shares using the mount.cifs<\/code> program (e.g., those who specify shares in \/etc\/fstab<\/code>). To do so, ensure signing options (either sec=krb5i<\/code> or sec=ntlmv2i<\/code>) are used.<\/p>\n

See the mount.cifs(8)<\/code> man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.<\/td>\n<\/tr>\n

RHEL-06-000274<\/td>\nCCI-000200<\/td>\nmedium<\/td>\nThe system must prohibit the reuse of passwords within twenty-four iterations.<\/td>\nPreventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.<\/td>\nTo verify the password reuse setting is compliant, run the following command:<\/p>\n
$ grep remember \/etc\/pam.d\/system-auth<\/pre>\n
The output should show the following at the end of the line:<\/p>\n
remember=24<\/pre>\n
If it does not, this is a finding.<\/td>\n
Do not allow users to reuse recent passwords. This can be accomplished by using the remember<\/code> option for the pam_unix<\/code> PAM module. In the file \/etc\/pam.d\/system-auth<\/code>, append remember=<\/code> to the line which refers to the pam_unix.so<\/code> module, as shown:<\/p>\n
password sufficient pam_unix.so existing_options<\/i> remember=<\/pre>\n
The DoD STIG requirement is 5 passwords.<\/td>\n<\/tr>\n
RHEL-06-000275<\/td>\nCCI-001019<\/td>\nlow<\/td>\nThe operating system must employ cryptographic mechanisms to protect information in storage.<\/td>\nThe risk of a system’s physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.<\/td>\nDetermine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.<\/td>\nRed Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.<\/p>\n

For manual installations, select the Encrypt<\/code> checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.<\/p>\n

For automated\/unattended installations, it is possible to use Kickstart by adding the --encrypted<\/code> and --passphrase=<\/code> options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:<\/p>\n

part \/ --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE<\/i><\/pre>\n
Any PASSPHRASE<\/i> is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase=<\/code> option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.<\/p>\n
Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
\nhttps:\/\/docs.redhat.com\/docs\/en-US\/Red_Hat_Enterprise_Linux\/6\/html\/Security_Guide\/sect-Security_Guide-LUKS_Disk_Encryption.html<\/td>\n<\/tr>\n
RHEL-06-000276<\/td>\nCCI-001199<\/td>\nlow<\/td>\nThe operating system must protect the confidentiality and integrity of data at rest.<\/td>\nThe risk of a system’s physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.<\/td>\nDetermine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.<\/td>\nRed Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.<\/p>\n

For manual installations, select the Encrypt<\/code> checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.<\/p>\n

For automated\/unattended installations, it is possible to use Kickstart by adding the --encrypted<\/code> and --passphrase=<\/code> options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:<\/p>\n

part \/ --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE<\/i><\/pre>\n
Any PASSPHRASE<\/i> is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase=<\/code> option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.<\/p>\n
Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
\nhttps:\/\/docs.redhat.com\/docs\/en-US\/Red_Hat_Enterprise_Linux\/6\/html\/Security_Guide\/sect-Security_Guide-LUKS_Disk_Encryption.html<\/td>\n<\/tr>\n
RHEL-06-000277<\/td>\nCCI-001200<\/td>\nlow<\/td>\nThe operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.<\/td>\nThe risk of a system’s physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.<\/td>\nDetermine if encryption must be used to protect data on the system. If encryption must be used and is not employed, this is a finding.<\/td>\nRed Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.<\/p>\n

For manual installations, select the Encrypt<\/code> checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.<\/p>\n

For automated\/unattended installations, it is possible to use Kickstart by adding the --encrypted<\/code> and --passphrase=<\/code> options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:<\/p>\n

part \/ --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE<\/i><\/pre>\n
Any PASSPHRASE<\/i> is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase=<\/code> option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.<\/p>\n
Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
\nhttps:\/\/docs.redhat.com\/docs\/en-US\/Red_Hat_Enterprise_Linux\/6\/html\/Security_Guide\/sect-Security_Guide-LUKS_Disk_Encryption.html<\/td>\n<\/tr>\n
RHEL-06-000282<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThere must be no world-writable files on the system.<\/td>\nData in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.<\/td>\nTo find world-writable files, run the following command:<\/p>\n
$ sudo find \/ -xdev -type f -perm -002<\/pre>\n
If there is output, this is a finding.<\/td>\n
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.<\/td>\n<\/tr>\n
RHEL-06-000284<\/td>\nCCI-001668<\/td>\nhigh<\/td>\nThe system must use and update a DoD-approved virus scan program.<\/td>\nVirus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.<\/td>\nInspect the system for a cron job or system service which executes a virus scanning tool regularly.
\n To verify the McAfee VSEL system service is operational, run the following command:<\/p>\n
$ sudo \/sbin\/service nails status<\/pre>\n
To check on the age of uvscan virus definition files, run the following command:<\/p>\n
$ sudo cd \/opt\/NAI\/LinuxShield\/engine\/dat\r\n$ sudo ls -la avvscan.dat avvnames.dat avvclean.dat<\/pre>\n
If virus scanning software does not run continuously, or at least daily, or has signatures that are out of date, this is a finding.<\/td>\n
Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail. <\/td>\n<\/tr>\n
RHEL-06-000285<\/td>\nCCI-001263<\/td>\nmedium<\/td>\nThe system must have a host-based intrusion detection tool installed.<\/td>\nHost-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.<\/td>\nInspect the system to determine if intrusion detection software has been installed. Verify this intrusion detection software is active. If no host-based intrusion detection tools are installed, this is a finding.<\/td>\nThe base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.
\nIn DoD environments, supplemental intrusion detection tools, such as, the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with the proper functioning of SELinux, SELinux takes precedence.<\/td>\n<\/tr>\n
RHEL-06-000286<\/td>\nCCI-000366<\/td>\nhigh<\/td>\nThe x86 Ctrl-Alt-Delete key sequence must be disabled.<\/td>\nA locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Del sequence is reduced because the user will be prompted before any action is taken. NOTE: When updating the initscripts<\/code> package on a Red Hat Enterprise Linux 6 system, custom changes to \/etc\/init\/control-alt-delete.conf<\/code> may be overwritten. Refer to https:\/\/access.redhat.com\/site\/solutions\/70464<\/b> for additional information.<\/td>\nTo ensure the system is configured to log a message instead of rebooting the system when Ctrl-Alt-Del is pressed, ensure the following line is in \/etc\/init\/control-alt-delete.conf<\/code>:<\/p>\n
exec \/usr\/bin\/logger -p security.info \"Control-Alt-Delete pressed\"<\/pre>\n
If the system is configured to run the shutdown command, this is a finding.<\/td>\n
By default, the system includes the following line in \/etc\/init\/control-alt-delete.conf<\/code> to reboot the system when the Ctrl-Alt-Del key sequence is pressed:<\/p>\n
exec \/sbin\/shutdown -r now \"Control-Alt-Delete pressed\"<\/pre>\n
To configure the system to log a message instead of rebooting the system, alter that line to read as follows:<\/p>\n
exec \/usr\/bin\/logger -p security.info \"Control-Alt-Delete pressed\"<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000287<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe postfix service must be enabled for mail delivery.<\/td>\nLocal mail delivery is essential to some system maintenance and notification tasks.<\/td>\nRun the following command to determine the current status of the postfix<\/code> service:<\/p>\n
# service postfix status<\/pre>\n
If the service is enabled, it should return the following:<\/p>\n
postfix is running...<\/pre>\n
If the system is not a cross domain solution and the service is not enabled, this is a finding.<\/td>\n
The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The postfix<\/code> service can be enabled with the following command:<\/p>\n
# chkconfig --level 2345 postfix on<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000288<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe sendmail package must be removed.<\/td>\nThe sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.<\/td>\nRun the following command to determine if the sendmail<\/code> package is installed:<\/p>\n
# rpm -q sendmail<\/pre>\n
If the package is installed, this is a finding.<\/td>\n
Sendmail is not the default mail transfer agent and is not installed by default. The sendmail<\/code> package can be removed with the following command:<\/p>\n
# yum erase sendmail<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000289<\/td>\nCCI-000382<\/td>\nlow<\/td>\nThe netconsole service must be disabled unless required.<\/td>\nThe netconsole<\/code> service is not necessary unless there is a need to debug kernel panics, which is not common.<\/td>\nTo check that the netconsole<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig netconsole<\/code> --list<\/pre>\n
Output should indicate the netconsole<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig netconsole<\/code> --list\r\nnetconsole<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify netconsole<\/code> is disabled through current runtime configuration:<\/p>\n
# service netconsole status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
netconsole is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The netconsole<\/code> service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The netconsole<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig netconsole off<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000290<\/td>\nCCI-001436<\/td>\nmedium<\/td>\nX Windows must not be enabled unless required.<\/td>\nUnnecessary services should be disabled to decrease the attack surface of the system.<\/td>\nTo verify the default runlevel is 3, run the following command:<\/p>\n
$ grep initdefault \/etc\/inittab<\/pre>\n
The output should show the following:<\/p>\n
id:3:initdefault:<\/pre>\n
If it does not, this is a finding.<\/td>\n
Setting the system’s runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in \/etc\/inittab<\/code> features a 3<\/code> as shown:<\/p>\n
id:3:initdefault:<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000291<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe xorg-x11-server-common (X Windows) package must not be installed, unless required.<\/td>\nUnnecessary packages should not be installed to decrease the attack surface of the system.<\/td>\nTo ensure the X Windows package group is removed, run the following command:<\/p>\n
$ rpm -qi xorg-x11-server-common<\/pre>\n
The output should be:<\/p>\n
package xorg-x11-server-common is not installed<\/pre>\n
If it is not, this is a finding.<\/td>\n
Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command:<\/p>\n
$ sudo yum groupremove \"X Window System\"<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000292<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe DHCP client must be disabled if not needed.<\/td>\nDHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.<\/td>\nTo verify that DHCP is not being used, examine the following file for each interface:<\/p>\n
# \/etc\/sysconfig\/network-scripts\/ifcfg-interface<\/i><\/pre>\n
Look for the following:<\/p>\n
BOOTPROTO=none<\/pre>\n
and the following, substituting the appropriate values based on your site’s addressing scheme:<\/p>\n
NETMASK=255.255.255.0\r\nIPADDR=192.168.1.2\r\nGATEWAY=192.168.1.1<\/pre>\n
If it does not, this is a finding.<\/td>\n
For each interface on the system (e.g. eth0), edit \/etc\/sysconfig\/network-scripts\/ifcfg-interface<\/i><\/code> and make the following changes:<\/p>\n
    \n
  • Correct the BOOTPROTO line to read:\n
    BOOTPROTO=none<\/pre>\n<\/li>\n
  • Add or correct the following lines, substituting the appropriate values based on your site’s addressing scheme:\n
    NETMASK=255.255.255.0\r\nIPADDR=192.168.1.2\r\nGATEWAY=192.168.1.1<\/pre>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
RHEL-06-000294<\/td>\nCCI-000366<\/td>\nlow<\/td>\nAll GIDs referenced in \/etc\/passwd must be defined in \/etc\/group<\/td>\nInconsistency in GIDs between \/etc\/passwd<\/code> and \/etc\/group<\/code> could lead to a user having unintended rights.<\/td>\nTo ensure all GIDs referenced in \/etc\/passwd<\/code> are defined in \/etc\/group<\/code>, run the following command:<\/p>\n
$ sudo pwck -qr<\/pre>\n
There should be no output. If there is output, this is a finding.<\/td>\n
Add a group to the system for each GID referenced without a corresponding group.<\/td>\n<\/tr>\n
RHEL-06-000296<\/td>\nCCI-000804<\/td>\nlow<\/td>\nAll accounts on the system must have unique user or account names<\/td>\nUnique usernames allow for accountability on the system.<\/td>\nRun the following command to check for duplicate account names:<\/p>\n
$ sudo pwck -qr<\/pre>\n
If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.<\/td>\n
Change usernames, or delete accounts, so each has a unique name.<\/td>\n<\/tr>\n
RHEL-06-000299<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system must require passwords to contain no more than three consecutive repeating characters.<\/td>\nPasswords with excessive repeating characters may be more vulnerable to password-guessing attacks.<\/td>\nTo check the maximum value for consecutive repeating characters, run the following command:<\/p>\n
$ grep pam_cracklib \/etc\/pam.d\/system-auth<\/pre>\n
Look for the value of the maxrepeat<\/code> parameter. The DoD requirement is 3. If maxrepeat is not found or not set to the required value, this is a finding.<\/td>\n
The pam_cracklib module’s maxrepeat<\/code> parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add maxrepeat=<\/code> after pam_cracklib.so to prevent a run of ( + 1) or more identical characters.<\/td>\n<\/tr>\n
RHEL-06-000300<\/td>\nCCI-000224<\/td>\nlow<\/td>\nAll files and directories must have a valid owner.<\/td>\nUnowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.<\/td>\nThe following command will discover and print any files on local partitions which do not belong to a valid user. Run it once for each local partition PART<\/i>:<\/p>\n
$ sudo find PART<\/i> -xdev -nouser -print<\/pre>\n
If files exist that are not owned by a valid user, this is a finding.<\/td>\n
If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.<\/td>\n<\/tr>\n
RHEL-06-000301<\/td>\nCCI-000224<\/td>\nlow<\/td>\nAll files must be owned by a group.<\/td>\nUnowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.<\/td>\nThe following command will discover and print any files on local partitions which do not belong to a valid group. Run it once for each local partition PART<\/i>:<\/p>\n
$ sudo find PART<\/i> -xdev -nogroup -print<\/pre>\n
If there is output, this is a finding.<\/td>\n
If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.<\/td>\n<\/tr>\n
RHEL-06-000302<\/td>\nCCI-000374<\/td>\nmedium<\/td>\nA file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.<\/td>\nBy default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.<\/td>\nTo determine that periodic AIDE execution has been scheduled, run the following command:<\/p>\n
$ grep aide \/etc\/crontab<\/pre>\n
If there is no output, this is a finding.<\/td>\n
To implement a daily execution of AIDE at 4:05am using cron, add the following line to \/etc\/crontab<\/code>:<\/p>\n
05 4 * * * root \/usr\/sbin\/aide --check<\/pre>\n
AIDE can be executed periodically through other means; this is merely one example.<\/td>\n<\/tr>\n
RHEL-06-000303<\/td>\nCCI-000416<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components\/devices into the operating system.<\/td>\nBy default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.<\/td>\nTo determine that periodic AIDE execution has been scheduled, run the following command:<\/p>\n
$ grep aide \/etc\/crontab<\/pre>\n
If there is no output, this is a finding.<\/td>\n
To implement a daily execution of AIDE at 4:05am using cron, add the following line to \/etc\/crontab<\/code>:<\/p>\n
05 4 * * * root \/usr\/sbin\/aide --check<\/pre>\n
AIDE can be executed periodically through other means; this is merely one example.<\/td>\n<\/tr>\n
RHEL-06-000304<\/td>\nCCI-001069<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.<\/td>\nBy default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.<\/td>\nTo determine that periodic AIDE execution has been scheduled, run the following command:<\/p>\n
$ grep aide \/etc\/crontab<\/pre>\n
If there is no output, this is a finding.<\/td>\n
To implement a daily execution of AIDE at 4:05am using cron, add the following line to \/etc\/crontab<\/code>:<\/p>\n
05 4 * * * root \/usr\/sbin\/aide --check<\/pre>\n
AIDE can be executed periodically through other means; this is merely one example.<\/td>\n<\/tr>\n
RHEL-06-000305<\/td>\nCCI-001263<\/td>\nmedium<\/td>\nThe operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.<\/td>\nBy default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.<\/td>\nTo determine that periodic AIDE execution has been scheduled, run the following command:<\/p>\n
$ grep aide \/etc\/crontab<\/pre>\n
If there is no output, this is a finding.<\/td>\n
To implement a daily execution of AIDE at 4:05am using cron, add the following line to \/etc\/crontab<\/code>:<\/p>\n
05 4 * * * root \/usr\/sbin\/aide --check<\/pre>\n
AIDE can be executed periodically through other means; this is merely one example.<\/td>\n<\/tr>\n
RHEL-06-000306<\/td>\nCCI-001297<\/td>\nmedium<\/td>\nThe operating system must detect unauthorized changes to software and information.<\/td>\nBy default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.<\/td>\nTo determine that periodic AIDE execution has been scheduled, run the following command:<\/p>\n
$ grep aide \/etc\/crontab<\/pre>\n
If there is no output, this is a finding.<\/td>\n
To implement a daily execution of AIDE at 4:05am using cron, add the following line to \/etc\/crontab<\/code>:<\/p>\n
05 4 * * * root \/usr\/sbin\/aide --check<\/pre>\n
AIDE can be executed periodically through other means; this is merely one example.<\/td>\n<\/tr>\n
RHEL-06-000307<\/td>\nCCI-001589<\/td>\nmedium<\/td>\nThe operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.<\/td>\nBy default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.<\/td>\nTo determine that periodic AIDE execution has been scheduled, run the following command:<\/p>\n
$ grep aide \/etc\/crontab<\/pre>\n
If there is no output, this is a finding.<\/td>\n
To implement a daily execution of AIDE at 4:05am using cron, add the following line to \/etc\/crontab<\/code>:<\/p>\n
05 4 * * * root \/usr\/sbin\/aide --check<\/pre>\n
AIDE can be executed periodically through other means; this is merely one example.<\/td>\n<\/tr>\n
RHEL-06-000308<\/td>\nCCI-000366<\/td>\nlow<\/td>\nProcess core dumps must be disabled unless needed.<\/td>\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.<\/td>\nTo verify that core dumps are disabled for all users, run the following command:<\/p>\n
$ grep core \/etc\/security\/limits.conf<\/pre>\n
The output should be:<\/p>\n
*     hard   core    0<\/pre>\n
If it is not, this is a finding.<\/td>\n
To disable core dumps for all users, add the following line to \/etc\/security\/limits.conf<\/code>:<\/p>\n
*     hard   core    0<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000309<\/td>\nCCI-000764<\/td>\nhigh<\/td>\nThe NFS server must not have the insecure file locking option enabled.<\/td>\nAllowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.<\/td>\nTo verify insecure file locking has been disabled, run the following command:<\/p>\n
$ grep insecure_locks \/etc\/exports<\/pre>\n
If there is output, this is a finding.<\/td>\n
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the insecure_locks<\/code> option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks<\/code> option from the file \/etc\/exports<\/code>.<\/td>\n<\/tr>\n
RHEL-06-000311<\/td>\nCCI-000143<\/td>\nmedium<\/td>\nThe audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.<\/td>\nNotifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.<\/td>\nInspect \/etc\/audit\/auditd.conf<\/code> and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action \/etc\/audit\/auditd.conf<\/code><\/p>\n
space_left_action<\/pre>\n
Acceptable values are email<\/code>, suspend<\/code>, single<\/code>, and halt<\/code>. If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding.<\/td>\n
The auditd<\/code> service can be configured to take an action when disk space starts<\/i> to run low. Edit the file \/etc\/audit\/auditd.conf<\/code>. Modify the following line, substituting ACTION<\/i> appropriately:<\/p>\n
space_left_action = ACTION<\/i><\/pre>\n
Possible values for ACTION<\/i> are described in the auditd.conf<\/code> man page. These include:<\/p>\n
    \n
  • ignore<\/code><\/li>\n
  • syslog<\/code><\/li>\n
  • email<\/code><\/li>\n
  • exec<\/code><\/li>\n
  • suspend<\/code><\/li>\n
  • single<\/code><\/li>\n
  • halt<\/code><\/li>\n<\/ul>\n
    Set this to email<\/code> (instead of the default, which is suspend<\/code>) as it is more likely to get prompt attention. Acceptable values also include suspend<\/code>, single<\/code>, and halt<\/code>.<\/td>\n<\/tr>\n
RHEL-06-000313<\/td>\nCCI-000139<\/td>\nmedium<\/td>\nThe audit system must identify staff members to receive notifications of audit log storage volume capacity issues.<\/td>\nEmail sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.<\/td>\nInspect \/etc\/audit\/auditd.conf<\/code> and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:<\/p>\n
action_mail_acct = root<\/pre>\n
If auditd is not configured to send emails per identified actions, this is a finding.<\/td>\n
The auditd<\/code> service can be configured to send email to a designated account in certain situations. Add or correct the following line in \/etc\/audit\/auditd.conf<\/code> to ensure that administrators are notified via email for those situations:<\/p>\n
action_mail_acct =<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000315<\/td>\nCCI-000085<\/td>\nmedium<\/td>\nThe Bluetooth kernel module must be disabled.<\/td>\nIf Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.<\/td>\nIf the system is configured to prevent the loading of the bluetooth<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r bluetooth \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If the system is configured to prevent the loading of the net-pf-31<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r net-pf-31 \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If no line is returned, this is a finding.<\/td>\n
The kernel’s module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate \/etc\/modprobe.d<\/code> configuration file to prevent the loading of the Bluetooth module:<\/p>\n
install net-pf-31 \/bin\/false\r\ninstall bluetooth \/bin\/false<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000317<\/td>\nCCI-001250<\/td>\nmedium<\/td>\nThe system must have USB Mass Storage disabled unless needed.<\/td>\nUSB storage devices such as thumb drives can be used to introduce malicious software.<\/td>\nIf the system is configured to prevent the loading of the usb-storage<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r usb-storage \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If no line is returned, this is a finding.<\/td>\n
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage<\/code> kernel module from being loaded, add the following line to a file in the directory \/etc\/modprobe.d<\/code>:<\/p>\n
install usb-storage \/bin\/false<\/pre>\n
This will prevent the modprobe<\/code> program from loading the usb-storage<\/code> module, but will not prevent an administrator (or another program) from using the insmod<\/code> program to load the module manually.<\/td>\n<\/tr>\n
RHEL-06-000319<\/td>\nCCI-000054<\/td>\nlow<\/td>\nThe system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.<\/td>\nLimiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.<\/td>\nRun the following command to ensure the maxlogins<\/code> value is configured for all users on the system:<\/p>\n
$ grep \"maxlogins\" \/etc\/security\/limits.conf<\/pre>\n
You should receive output similar to the following:<\/p>\n
*\t\thard\tmaxlogins\t10<\/pre>\n
If it is not similar, this is a finding.<\/td>\n
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent sessions per user add the following line in \/etc\/security\/limits.conf<\/code>:<\/p>\n
* hard maxlogins<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000320<\/td>\nCCI-001109<\/td>\nmedium<\/td>\nThe system’s local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.<\/td>\nIn iptables<\/code>, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP<\/code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.<\/td>\nRun the following command to ensure the default FORWARD<\/code> policy is DROP<\/code>:<\/p>\n
grep \":FORWARD\" \/etc\/sysconfig\/iptables<\/pre>\n
The output should be similar to the following:<\/p>\n
$ sudo grep \":FORWARD\" \/etc\/sysconfig\/iptables\r\n:FORWARD DROP [0:0<\/pre>\n
If the default policy for the FORWARD chain is not set to DROP, this is a finding.<\/td>\n
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in \/etc\/sysconfig\/iptables<\/code>:<\/p>\n
:FORWARD DROP [0:0]<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000321<\/td>\nCCI-001130<\/td>\nlow<\/td>\nThe system must provide VPN connectivity for communications over untrusted networks.<\/td>\nProviding the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.<\/td>\nRun the following command to determine if the openswan<\/code> package is installed:<\/p>\n
# rpm -q openswan<\/pre>\n
If the package is not installed, this is a finding.<\/td>\n
The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The openswan<\/code> package can be installed with the following command:<\/p>\n
# yum install openswan<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000324<\/td>\nCCI-000050<\/td>\nmedium<\/td>\nA login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.<\/td>\nAn appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.<\/td>\nTo ensure a login warning banner is enabled, run the following:<\/p>\n
$ gconftool-2 -g \/apps\/gdm\/simple-greeter\/banner_message_enable<\/pre>\n
Search for the banner_message_enable<\/code> schema. If properly configured, the default<\/code> value should be true<\/code>. If it is not, this is a finding.<\/td>\n
To enable displaying a login warning banner in the GNOME Display Manager’s login screen, run the following command:<\/p>\n
$ sudo gconftool-2 --direct \\\r\n  --config-source xml:readwrite:\/etc\/gconf\/gconf.xml.mandatory \\\r\n  --type bool \\\r\n  --set \/apps\/gdm\/simple-greeter\/banner_message_enable true<\/pre>\n
To display a banner, this setting must be enabled and then banner text must also be set.<\/td>\n<\/tr>\n
RHEL-06-000326<\/td>\nCCI-NaN<\/td>\nmedium<\/td>\nThe Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.<\/td>\nAn appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.<\/td>\nTo ensure the login warning banner text is properly set, run the following:<\/p>\n
$ gconftool-2 -g \/apps\/gdm\/simple-greeter\/banner_message_text<\/pre>\n
If properly configured, the proper banner text will appear within this schema. If it does not, this is a finding.<\/td>\n
To set the text shown by the GNOME Display Manager in the login screen, run the following command:<\/p>\n
$ sudo gconftool-2 --direct \\\r\n  --config-source xml:readwrite:\/etc\/gconf\/gconf.xml.mandatory \\\r\n  --type string \\\r\n  --set \/apps\/gdm\/simple-greeter\/banner_message_text \\\r\n  \"Text of the warning banner here\"<\/pre>\n
When entering a warning banner that spans several lines, remember to begin and end the string with \"<\/code>. This command writes directly either to the \/etc\/gconf\/gconf.xml.mandatory\/%gconf-tree.xml<\/code> if it exists or to the file \/etc\/gconf\/gconf.xml.mandatory\/apps\/gdm\/simple-greeter\/%gconf.xml<\/code>. Either of these files can later be edited directly if necessary.<\/td>\n<\/tr>\n
RHEL-06-000331<\/td>\nCCI-000085<\/td>\nmedium<\/td>\nThe Bluetooth service must be disabled.<\/td>\nDisabling the bluetooth<\/code> service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.<\/td>\nTo check that the bluetooth<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig bluetooth<\/code> --list<\/pre>\n
Output should indicate the bluetooth<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig bluetooth<\/code> --list\r\nbluetooth<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify bluetooth<\/code> is disabled through current runtime configuration:<\/p>\n
# service bluetooth status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
bluetooth is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The bluetooth<\/code> service can be disabled with the following command:<\/p>\n
# chkconfig bluetooth off<\/pre>\n
$ sudo service bluetooth stop<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000334<\/td>\nCCI-000017<\/td>\nlow<\/td>\nAccounts must be locked upon 35 days of inactivity.<\/td>\nDisabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.<\/td>\nTo verify the INACTIVE<\/code> setting, run the following command:<\/p>\n
grep \"INACTIVE\" \/etc\/default\/useradd<\/pre>\n
The output should indicate the INACTIVE<\/code> configuration option is set to an appropriate integer as shown in the example below:<\/p>\n
$ sudo grep \"INACTIVE\" \/etc\/default\/useradd\r\nINACTIVE=35<\/pre>\n
If it does not, this is a finding.<\/td>\n
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in \/etc\/default\/useradd<\/code>, substituting NUM_DAYS<\/i><\/code> appropriately:<\/p>\n
INACTIVE=NUM_DAYS<\/i><\/pre>\n
A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd<\/code> man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a “normal” period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.<\/td>\n<\/tr>\n
RHEL-06-000335<\/td>\nCCI-000795<\/td>\nlow<\/td>\nThe operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.<\/td>\nDisabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.<\/td>\nTo verify the INACTIVE<\/code> setting, run the following command:<\/p>\n
grep \"INACTIVE\" \/etc\/default\/useradd<\/pre>\n
The output should indicate the INACTIVE<\/code> configuration option is set to an appropriate integer as shown in the example below:<\/p>\n
$ sudo grep \"INACTIVE\" \/etc\/default\/useradd\r\nINACTIVE=35<\/pre>\n
If it does not, this is a finding.<\/td>\n
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in \/etc\/default\/useradd<\/code>, substituting NUM_DAYS<\/i><\/code> appropriately:<\/p>\n
INACTIVE=NUM_DAYS<\/i><\/pre>\n
A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd<\/code> man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a “normal” period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.<\/td>\n<\/tr>\n
RHEL-06-000336<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe sticky bit must be set on all public directories.<\/td>\nFailing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.<\/p>\n

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as \/tmp<\/code>), and for directories requiring global read\/write access.<\/td>\n

To find world-writable directories that lack the sticky bit, run the following command:<\/p>\n
$ sudo find \/ -xdev -type d -perm 002 ! -perm 1000<\/pre>\n
If any world-writable directories are missing the sticky bit, this is a finding.<\/td>\n
When the so-called ‘sticky bit’ is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other’s files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application’s documentation instead of blindly changing modes.
\nTo set the sticky bit on a world-writable directory DIR<\/i>, run the following command:<\/p>\n
$ sudo chmod +t DIR<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000337<\/td>\nCCI-000366<\/td>\nlow<\/td>\nAll public directories must be owned by a system account.<\/td>\nAllowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.<\/td>\nThe following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition PART<\/i>:<\/p>\n
$ sudo find PART<\/i> -xdev -type d -perm -0002 -uid +499 -print<\/pre>\n
If there is output, this is a finding.<\/td>\n
All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.<\/td>\n<\/tr>\n
RHEL-06-000338<\/td>\nCCI-000366<\/td>\nhigh<\/td>\nThe TFTP daemon must operate in “secure mode” which provides access only to a single directory on the host file system.<\/td>\nUsing the -s<\/code> option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.<\/td>\nIf TFTP is not installed, this is not applicable. To determine if TFTP is installed, run the following command:<\/p>\n
$ rpm -qa | grep tftp<\/pre>\n
Verify tftp<\/code> is configured by with the -s<\/code> option by running the following command:<\/p>\n
grep \"server_args\" \/etc\/xinetd.d\/tftp<\/pre>\n
The output should indicate the server_args<\/code> variable is configured with the -s<\/code> flag, matching the example below:<\/p>\n
 $ grep \"server_args\" \/etc\/xinetd.d\/tftp\r\nserver_args = -s \/var\/lib\/tftpboot<\/pre>\n
If this flag is missing, this is a finding.<\/td>\n
If running the tftp<\/code> service is necessary, it should be configured to change its root directory at startup. To do so, ensure \/etc\/xinetd.d\/tftp<\/code> includes -s<\/code> as a command line argument, as shown in the following example (which is also the default):<\/p>\n
server_args = -s \/var\/lib\/tftpboot<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000339<\/td>\nCCI-000130<\/td>\nlow<\/td>\nThe FTP daemon must be configured for logging or verbose mode.<\/td>\nTo trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is \/var\/log\/vsftpd.log<\/code>.<\/td>\nFind if logging is applied to the FTP daemon.<\/p>\n

Procedures:<\/p>\n

If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file:<\/p>\n

$ grep vsftpd \/etc\/xinetd.d\/*<\/pre>\n
$ grep server_args vsftpd xinetd.d startup file<\/i><\/pre>\n
This will indicate the vsftpd config file used when starting through xinetd. If the server_args<\/i> line is missing or does not include the vsftpd configuration file, then the default config file (\/etc\/vsftpd\/vsftpd.conf) is used.<\/p>\n
$ sudo grep xferlog_enable vsftpd config file<\/i><\/pre>\n
If xferlog_enable is missing, or is not set to yes, this is a finding.<\/td>\n
Add or correct the following configuration options within the vsftpd<\/code> configuration file, located at \/etc\/vsftpd\/vsftpd.conf<\/code>:<\/p>\n
xferlog_enable=YES\r\nxferlog_std_format=NO\r\nlog_ftp_protocol=YES<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000340<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe snmpd service must use only SNMP protocol version 3 or newer.<\/td>\nEarlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.<\/td>\nTo ensure only SNMPv3 or newer is used, run the following command:<\/p>\n
$ sudo grep 'rocommunity\\|rwcommunity\\|com2sec' \/etc\/snmp\/snmpd.conf | grep -v \"^#\"<\/pre>\n
There should be no output. If there is output, this is a finding.<\/td>\n
Edit \/etc\/snmp\/snmpd.conf<\/code>, removing any references to rocommunity<\/code>, rwcommunity<\/code>, or com2sec<\/code>. Upon doing that, restart the SNMP service:<\/p>\n
$ sudo service snmpd restart<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000341<\/td>\nCCI-000366<\/td>\nhigh<\/td>\nThe snmpd service must not use a default password.<\/td>\nPresence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.<\/td>\nTo ensure the default password is not set, run the following command:<\/p>\n
$ sudo grep -v \"^#\" \/etc\/snmp\/snmpd.conf| grep public<\/pre>\n
There should be no output. If there is output, this is a finding.<\/td>\n
Edit \/etc\/snmp\/snmpd.conf<\/code>, remove default community string public<\/code>. Upon doing that, restart the SNMP service:<\/p>\n
$ sudo service snmpd restart<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000342<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system default umask for the bash shell must be 077.<\/td>\nThe umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.<\/td>\nVerify the umask<\/code> setting is configured correctly in the \/etc\/bashrc<\/code> file by running the following command:<\/p>\n
$ grep \"umask\" \/etc\/bashrc<\/pre>\n
All output must show the value of umask<\/code> set to 077, as shown below:<\/p>\n
$ grep \"umask\" \/etc\/bashrc\r\numask 077\r\numask 077<\/pre>\n
If the above command returns no output, or if the umask is configured incorrectly, this is a finding.<\/td>\n
To ensure the default umask for users of the Bash shell is set properly, add or correct the umask<\/code> setting in \/etc\/bashrc<\/code> to read as follows:<\/p>\n
umask<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000343<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system default umask for the csh shell must be 077.<\/td>\nThe umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.<\/td>\nVerify the umask<\/code> setting is configured correctly in the \/etc\/csh.cshrc<\/code> file by running the following command:<\/p>\n
$ grep \"umask\" \/etc\/csh.cshrc<\/pre>\n
All output must show the value of umask<\/code> set to 077, as shown in the below:<\/p>\n
$ grep \"umask\" \/etc\/csh.cshrc\r\numask 077<\/pre>\n
If the above command returns no output, or if the umask is configured incorrectly, this is a finding.<\/td>\n
To ensure the default umask for users of the C shell is set properly, add or correct the umask<\/code> setting in \/etc\/csh.cshrc<\/code> to read as follows:<\/p>\n
umask<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000344<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system default umask in \/etc\/profile must be 077.<\/td>\nThe umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.<\/td>\nVerify the umask<\/code> setting is configured correctly in the \/etc\/profile<\/code> file by running the following command:<\/p>\n
$ grep \"umask\" \/etc\/profile<\/pre>\n
All output must show the value of umask<\/code> set to 077, as shown in the below:<\/p>\n
$ grep \"umask\" \/etc\/profile\r\numask 077<\/pre>\n
If the above command returns no output, or if the umask is configured incorrectly, this is a finding.<\/td>\n
To ensure the default umask controlled by \/etc\/profile<\/code> is set properly, add or correct the umask<\/code> setting in \/etc\/profile<\/code> to read as follows:<\/p>\n
umask<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000345<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system default umask in \/etc\/login.defs must be 077.<\/td>\nThe umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.<\/td>\nVerify the UMASK<\/code> setting is configured correctly in the \/etc\/login.defs<\/code> file by running the following command:<\/p>\n
$ grep -i \"UMASK\" \/etc\/login.defs<\/pre>\n
All output must show the value of umask<\/code> set to 077, as shown in the below:<\/p>\n
$ grep -i \"UMASK\" \/etc\/login.defs\r\numask 077<\/pre>\n
If the above command returns no output, or if the umask is configured incorrectly, this is a finding.<\/td>\n
To ensure the default umask controlled by \/etc\/login.defs<\/code> is set properly, add or correct the UMASK<\/code> setting in \/etc\/login.defs<\/code> to read as follows:<\/p>\n
UMASK<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000346<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system default umask for daemons must be 027 or 022.<\/td>\nThe umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.<\/td>\nTo check the value of the umask<\/code>, run the following command:<\/p>\n
$ grep umask \/etc\/init.d\/functions<\/pre>\n
The output should show either 022<\/code> or 027<\/code>. If it does not, this is a finding.<\/td>\n
The file \/etc\/init.d\/functions<\/code> includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for umask<\/i> appropriately:<\/p>\n
umask <\/i><\/pre>\n
Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.<\/td>\n<\/tr>\n
RHEL-06-000347<\/td>\nCCI-000196<\/td>\nmedium<\/td>\nThere must be no .netrc files on the system.<\/td>\nUnencrypted passwords for remote FTP servers may be stored in .netrc<\/code> files. DoD policy requires passwords be encrypted in storage and not used in access scripts.<\/td>\nTo check the system for the existence of any .netrc<\/code> files, run the following command:<\/p>\n
$ sudo find \/home -xdev -name .netrc<\/pre>\n
 If any .netrc files exist, this is a finding.<\/td>\n
The .netrc<\/code> files contain login information used to auto-login into FTP servers and reside in the user’s home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc<\/code> files should be removed.<\/td>\n<\/tr>\n
RHEL-06-000348<\/td>\nCCI-000048<\/td>\nmedium<\/td>\nThe FTPS\/FTP service on the system must be configured with the Department of Defense (DoD) login banner.<\/td>\nThis setting will cause the system greeting banner to be used for FTP connections as well.<\/td>\nIf FTP services are not installed, this is not applicable.<\/p>\n

To verify this configuration, run the following command:<\/p>\n

grep \"banner_file\" \/etc\/vsftpd\/vsftpd.conf<\/pre>\n
The output should show the value of banner_file<\/code> is set to \/etc\/issue<\/code>, an example of which is shown below:<\/p>\n
$ sudo grep \"banner_file\" \/etc\/vsftpd\/vsftpd.conf\r\nbanner_file=\/etc\/issue<\/pre>\n
If it does not, this is a finding.<\/td>\n
Edit the vsftpd configuration file, which resides at \/etc\/vsftpd\/vsftpd.conf<\/code> by default. Add or correct the following configuration options:<\/p>\n
banner_file=\/etc\/issue<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000349<\/td>\nCCI-000765<\/td>\nmedium<\/td>\nThe system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.<\/td>\nSmart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.<\/td>\nInterview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication:<\/p>\n
    \n
  • SIPRNET systems<\/li>\n

    <\/p>\n

  • Standalone systems<\/li>\n
  • Application accounts<\/li>\n
  • Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV<\/li>\n
  • Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT<\/li>\n
  • Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.<\/li>\n<\/ul>\n

    If non-exempt accounts are not using CAC authentication, this is a finding.<\/td>\n

To enable smart card authentication, consult the documentation at:<\/p>\n
    \n
  • https:\/\/docs.redhat.com\/docs\/en-US\/Red_Hat_Enterprise_Linux\/6\/html\/Managing_Smart_Cards\/enabling-smart-card-login.html<\/b><\/li>\n<\/ul>\n

    For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:<\/p>\n

      \n
    • https:\/\/access.redhat.com\/solutions\/82273<\/b><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
RHEL-06-000356<\/td>\nCCI-000047<\/td>\nmedium<\/td>\nThe system must require administrator action to unlock an account locked by excessive failed login attempts.<\/td>\nLocking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.<\/td>\nTo ensure the failed password attempt policy is configured correctly, run the following command:<\/p>\n
$ grep pam_faillock \/etc\/pam.d\/system-auth<\/pre>\n
The output should show unlock_time=<some-large-number><\/code>. If that is not the case, this is a finding.<\/td>\n
To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so<\/code>:<\/p>\n

Add the following lines immediately below the pam_env.so<\/code> statement in \/etc\/pam.d\/system-auth<\/code>:<\/p>\n

auth [default=die] pam_faillock.so authfail deny=3 unlock_time= fail_interval=900<\/pre>\n
auth required pam_faillock.so authsucc deny=3 unlock_time= fail_interval=900<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000357<\/td>\nCCI-001452<\/td>\nmedium<\/td>\nThe system must disable accounts after excessive login failures within a 15-minute interval.<\/td>\nLocking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.<\/td>\nTo ensure the failed password attempt policy is configured correctly, run the following command:<\/p>\n
$ grep pam_faillock \/etc\/pam.d\/system-auth \/etc\/pam.d\/password-auth<\/pre>\n
For each file, the output should show fail_interval=<interval-in-seconds><\/code> where interval-in-seconds<\/code> is 900 (15 minutes) or greater. If the fail_interval<\/code> parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding.<\/td>\n
Utilizing pam_faillock.so<\/code>, the fail_interval<\/code> directive configures the system to lock out accounts after a number of incorrect login attempts.<\/p>\n

Add the following fail_interval<\/code> directives to pam_faillock.so<\/code> immediately below the pam_env.so<\/code> statement in \/etc\/pam.d\/system-auth<\/code> and \/etc\/pam.d\/password-auth<\/code>:<\/p>\n

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=<\/pre>\n
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000372<\/td>\nCCI-000366<\/td>\nmedium<\/td>\nThe operating system, upon successful logon\/access, must display to the user the number of unsuccessful logon\/access attempts since the last successful logon\/access.<\/td>\nUsers need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.<\/td>\nTo ensure that last logon\/access notification is configured correctly, run the following command:<\/p>\n
$ grep pam_lastlog.so \/etc\/pam.d\/system-auth<\/pre>\n
The output should show output showfailed<\/code>. If that is not the case, this is a finding.<\/td>\n
To configure the system to notify users of last logon\/access using pam_lastlog<\/code>, add the following line immediately after session required pam_limits.so<\/code>:<\/p>\n
session       required     pam_lastlog.so showfailed<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000373<\/td>\nCCI-000056<\/td>\nmedium<\/td>\nThe operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000374<\/td>\nCCI-000099<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000375<\/td>\nCCI-000131<\/td>\nmedium<\/td>\nThe operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000376<\/td>\nCCI-000132<\/td>\nmedium<\/td>\nThe operating system must produce audit records containing sufficient information to establish where the events occurred.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000377<\/td>\nCCI-000133<\/td>\nmedium<\/td>\nThe operating system must produce audit records containing sufficient information to establish the sources of the events.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000378<\/td>\nCCI-000134<\/td>\nmedium<\/td>\nThe operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000379<\/td>\nCCI-000135<\/td>\nmedium<\/td>\nThe operating system must include organization defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000380<\/td>\nCCI-000154<\/td>\nmedium<\/td>\nOperating system must support the capability to centralize the review and analysis of audit records from multiple components within the system.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000382<\/td>\nCCI-000159<\/td>\nmedium<\/td>\nThe operating system must use internal system clocks to generate time stamps for audit records.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000383<\/td>\nCCI-000163<\/td>\nmedium<\/td>\nAudit log files must have mode 0640 or less permissive.<\/td>\nIf users can write to audit logs, audit trails can be modified or destroyed.<\/td>\nRun the following command to check the mode of the system audit logs:<\/p>\n
$ sudo ls -l \/var\/log\/audit<\/pre>\n
Audit logs must be mode 0640 or less permissive. If any are more permissive, this is a finding.<\/td>\n
Change the mode of the audit log files with the following command:<\/p>\n
$ sudo chmod 0640 audit_file<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000384<\/td>\nCCI-000162<\/td>\nmedium<\/td>\nAudit log files must be owned by root.<\/td>\nFailure to give ownership of the audit log files to root allows the designated owner, and unauthorized users, potential access to sensitive information.<\/td>\nTo check the ownership of \/var\/log<\/code>, run the command:<\/p>\n
$ ls -lL \/var\/log<\/pre>\n
If properly configured, the output should indicate the following owner: root<\/code> If it does not, this is a finding.<\/td>\n
To properly set the owner of \/var\/log<\/code>, run the command:<\/p>\n
# chown root\/var\/log<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000387<\/td>\nCCI-000171<\/td>\nmedium<\/td>\nThe operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000388<\/td>\nCCI-000174<\/td>\nmedium<\/td>\nThe operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization defined level of tolerance.<\/td>\nThe Red Hat Enterprise Linux audit system meets this requirement through design and implementation.<\/td>\nThe RHEL6 auditing system supports this requirement and cannot be configured to be out of compliance. Every audit record in RHEL includes a timestamp, the operation attempted, success or failure of the operation, the subject involved (executable\/process), the object involved (file\/path), and security labels for the subject and object. It also includes the ability to label events with custom key labels. The auditing system centralizes the recording of audit events for the entire system and includes reduction (ausearch<\/code>), reporting (aureport<\/code>), and real-time response (audispd<\/code>) facilities. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000389<\/td>\nCCI-000185<\/td>\nmedium<\/td>\nThe operating system, for PKI-based authentication must validate certificates by constructing a certification path with status information to an accepted trust anchor.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000390<\/td>\nCCI-000186<\/td>\nmedium<\/td>\nThe operating system, for PKI-based authentication must enforce authorized access to the corresponding private key.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000392<\/td>\nCCI-000206<\/td>\nmedium<\/td>\nThe operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000396<\/td>\nCCI-000223<\/td>\nmedium<\/td>\nThe operating system must bind security attributes to information to facilitate information flow policy enforcement.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000397<\/td>\nCCI-000226<\/td>\nmedium<\/td>\nThe operating system must provide the capability for a privileged administrator to configure organization defined security policy filters to support different security policies.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000398<\/td>\nCCI-000345<\/td>\nmedium<\/td>\nThe operating system must enforce logical access restrictions associated with changes to the information system.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000399<\/td>\nCCI-000346<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to enforce access restrictions.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000403<\/td>\nCCI-000386<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000411<\/td>\nCCI-000802<\/td>\nmedium<\/td>\nThe operating system must dynamically manage identifiers, attributes, and associated access authorizations.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000412<\/td>\nCCI-000872<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000414<\/td>\nCCI-001082<\/td>\nmedium<\/td>\nThe operating system must separate user functionality (including user interface services) from operating system management functionality.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000415<\/td>\nCCI-001083<\/td>\nmedium<\/td>\nThe operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000416<\/td>\nCCI-001084<\/td>\nmedium<\/td>\nThe operating system must isolate security functions from nonsecurity functions.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000417<\/td>\nCCI-001086<\/td>\nmedium<\/td>\nThe operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000418<\/td>\nCCI-001087<\/td>\nmedium<\/td>\nThe operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000419<\/td>\nCCI-001089<\/td>\nmedium<\/td>\nThe operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000420<\/td>\nCCI-001090<\/td>\nmedium<\/td>\nThe operating system must prevent unauthorized and unintended information transfer via shared system resources.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000421<\/td>\nCCI-001091<\/td>\nmedium<\/td>\nThe operating system must not share resources used to interface with systems operating at different security levels.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000423<\/td>\nCCI-001096<\/td>\nmedium<\/td>\nThe operating system must limit the use of resources by priority.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000424<\/td>\nCCI-001111<\/td>\nmedium<\/td>\nThe operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000430<\/td>\nCCI-001127<\/td>\nmedium<\/td>\nThe operating system must protect the integrity of transmitted information.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000431<\/td>\nCCI-001128<\/td>\nmedium<\/td>\nThe operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000432<\/td>\nCCI-001129<\/td>\nmedium<\/td>\nThe operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000445<\/td>\nCCI-001158<\/td>\nmedium<\/td>\nThe operating system must validate the integrity of security attributes exchanged between systems.<\/td>\nRHEL6 does not support this requirement.<\/td>\nThis is a permanent finding. If , this is a finding.<\/td>\nThis requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.<\/td>\n<\/tr>\n
RHEL-06-000451<\/td>\nCCI-001209<\/td>\nmedium<\/td>\nThe operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000454<\/td>\nCCI-001214<\/td>\nmedium<\/td>\nThe operating system must employ organization defined information system components with no writeable storage that are persistent across component restart or power on\/off.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000455<\/td>\nCCI-001232<\/td>\nmedium<\/td>\nThe operating system must install software updates automatically.<\/td>\nThis is a manual inquiry about update procedure.<\/td>\nAsk an administrator if a process exists to promptly and automatically apply OS software updates. If such a process does not exist, this is a finding.<\/p>\n

If the OS update process limits automatic updates of software packages, where such updates would impede normal system operation, to scheduled maintenance windows, but still within IAVM-dictated timeframes, this is not a finding. If , this is a finding.<\/td>\n

Procedures to promptly apply software updates must be established and executed. The Red Hat operating system provides support for automating such a process, by running the yum program through a cron job or by managing the system and its packages through the Red Hat Network or a Satellite Server.<\/td>\n<\/tr>\n
RHEL-06-000456<\/td>\nCCI-001237<\/td>\nmedium<\/td>\nThe operating system must support automated patch management tools to facilitate flaw remediation to organization defined information system components.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000457<\/td>\nCCI-001248<\/td>\nmedium<\/td>\nThe operating system must prevent non-privileged users from circumventing malicious code protection capabilities.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000458<\/td>\nCCI-001265<\/td>\nmedium<\/td>\nThe operating system must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000459<\/td>\nCCI-001269<\/td>\nmedium<\/td>\nThe operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000460<\/td>\nCCI-001291<\/td>\nmedium<\/td>\nThe operating system must verify the correct operation of security functions in accordance with organization defined conditions and in accordance with organization defined frequency (if periodic verification).<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000461<\/td>\nCCI-001294<\/td>\nmedium<\/td>\nThe operating system must provide notification of failed automated security tests.<\/td>\nRHEL6 does not support this requirement.<\/td>\nThis is a permanent finding. If , this is a finding.<\/td>\nThis requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.<\/td>\n<\/tr>\n
RHEL-06-000463<\/td>\nCCI-001295<\/td>\nmedium<\/td>\nThe operating system must provide automated support for the management of distributed security testing.<\/td>\nRHEL6 does not support this requirement.<\/td>\nThis is a permanent finding. If , this is a finding.<\/td>\nThis requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.<\/td>\n<\/tr>\n
RHEL-06-000464<\/td>\nCCI-001310<\/td>\nmedium<\/td>\nThe operating system must check the validity of information inputs.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000465<\/td>\nCCI-001328<\/td>\nmedium<\/td>\nThe operating system must support the requirement that organizations, if an information system component failure is detected must activate an organization defined alarm and\/or automatically shuts down the operating system.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000466<\/td>\nCCI-001338<\/td>\nmedium<\/td>\nThe operating system must associate the identity of the information producer with the information.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000473<\/td>\nCCI-001362<\/td>\nmedium<\/td>\nThe operating system must enforce an organization defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000474<\/td>\nCCI-001368<\/td>\nmedium<\/td>\nThe operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000485<\/td>\nCCI-001399<\/td>\nmedium<\/td>\nThe operating system must support and maintain the binding of organization defined security attributes to information in storage.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000486<\/td>\nCCI-001400<\/td>\nmedium<\/td>\nThe operating system must support and maintain the binding of organization defined security attributes to information in process.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000488<\/td>\nCCI-001424<\/td>\nmedium<\/td>\nThe operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000489<\/td>\nCCI-001425<\/td>\nmedium<\/td>\nThe operating system must only allow authorized entities to change security attributes.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000490<\/td>\nCCI-001426<\/td>\nmedium<\/td>\nThe operating system must maintain the binding of security attributes to information with sufficient assurance that the information–attribute association can be used as the basis for automated policy actions.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000491<\/td>\nCCI-001427<\/td>\nmedium<\/td>\nThe operating system must only allow authorized users to associate security attributes with information.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000492<\/td>\nCCI-001428<\/td>\nmedium<\/td>\nThe operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000493<\/td>\nCCI-001694<\/td>\nmedium<\/td>\nThe operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000494<\/td>\nCCI-001500<\/td>\nmedium<\/td>\nThe operating system must automatically implement organization defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.<\/td>\nRHEL6 does not support this requirement.<\/td>\nThis is a permanent finding. If , this is a finding.<\/td>\nThis requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.<\/td>\n<\/tr>\n
RHEL-06-000497<\/td>\nCCI-001693<\/td>\nmedium<\/td>\nThe operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000500<\/td>\nCCI-001665<\/td>\nmedium<\/td>\nThe operating system must preserve organization defined system state information in the event of a system failure.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000501<\/td>\nCCI-001670<\/td>\nmedium<\/td>\nThe operating system must take organization defined list of least disruptive actions to terminate suspicious events.<\/td>\nRed Hat Enterprise Linux meets this requirement through design and implementation.<\/td>\nRHEL6 supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding. If , this is a finding.<\/td>\nThis requirement is a permanent not a finding. No fix is required.<\/td>\n<\/tr>\n
RHEL-06-000503<\/td>\nCCI-000086<\/td>\nmedium<\/td>\nThe system must have USB Mass Storage disabled unless needed.<\/td>\nUSB storage devices such as thumb drives can be used to introduce malicious software.<\/td>\nIf the system is configured to prevent the loading of the usb-storage<\/code> kernel module, it will contain lines inside any file in \/etc\/modprobe.d<\/code> or the deprecated\/etc\/modprobe.conf<\/code>. These lines instruct the module loading system to run another program (such as \/bin\/false<\/code>) upon a module install<\/code> event. Run the following command to search for such lines in all files in \/etc\/modprobe.d<\/code> and the deprecated \/etc\/modprobe.conf<\/code>:<\/p>\n
$ grep -r usb-storage \/etc\/modprobe.conf \/etc\/modprobe.d<\/pre>\n
If no line is returned, this is a finding.<\/td>\n
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage<\/code> kernel module from being loaded, add the following line to a file in the directory \/etc\/modprobe.d<\/code>:<\/p>\n
install usb-storage \/bin\/false<\/pre>\n
This will prevent the modprobe<\/code> program from loading the usb-storage<\/code> module, but will not prevent an administrator (or another program) from using the insmod<\/code> program to load the module manually.<\/td>\n<\/tr>\n
RHEL-06-000509<\/td>\nCCI-000136<\/td>\nlow<\/td>\nThe system must forward audit records to the syslog service.<\/td>\nThe auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server<\/td>\nTo verify the audispd plugin is active, run the following command:<\/p>\n
$ sudo grep active \/etc\/audisp\/plugins.d\/syslog.conf<\/pre>\n
If the plugin is active, the output will show yes<\/code>. If it is not, this is a finding.<\/td>\n
To configure the auditd<\/code> service to use the audispd<\/code> plugin, set the active<\/code> line in \/etc\/audisp\/plugins.d\/syslog.conf<\/code> to yes<\/code>. Restart the auditd<\/code>service:<\/p>\n
$ sudo service auditd restart<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000512<\/td>\nCCI-000144<\/td>\nmedium<\/td>\nThe audit system must alert designated staff members when audit storage volume is full.<\/td>\nRHEL6 does not support this requirement.<\/td>\nThis is a permanent finding. If , this is a finding.<\/td>\nThis requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.<\/td>\n<\/tr>\n
RHEL-06-000513<\/td>\nCCI-000144<\/td>\nmedium<\/td>\nThe audit system must alert designated staff members when audit storage volume is generating disk errors.<\/td>\nRHEL6 does not support this requirement.<\/td>\nThis is a permanent finding. If , this is a finding.<\/td>\nThis requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.<\/td>\n<\/tr>\n
RHEL-06-000518<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system package management tool must verify permissions on all files and directories associated with packages.<\/td>\nPermissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.<\/td>\nThe following command will list which files on the system have permissions different from what is expected by the RPM database:<\/p>\n
$ rpm -Va | grep '^.M'<\/pre>\n
If there is output, this is a finding.<\/td>\n
The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, run the following command to determine which package owns it:<\/p>\n
$ rpm -qf FILENAME<\/i><\/pre>\n
Next, run the following command to reset its permissions to the correct values:<\/p>\n
$ sudo rpm --setperms PACKAGENAME<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000519<\/td>\nCCI-000366<\/td>\nlow<\/td>\nThe system package management tool must verify contents of all files associated with packages.<\/td>\nThe hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.<\/td>\nThe following command will list which files on the system have file hashes different from what is expected by the RPM database.<\/p>\n
$ rpm -Va | awk '$1 ~ \/..5\/ && $2 != \"c\"'<\/pre>\n
If there is output, this is a finding.<\/td>\n
The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:<\/p>\n
$ rpm -Va | grep '^..5'<\/pre>\n
A “c” in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:<\/p>\n
$ rpm -qf FILENAME<\/i><\/pre>\n
The package can be reinstalled from a yum repository using the command:<\/p>\n
$ sudo yum reinstall PACKAGENAME<\/i><\/pre>\n
Alternatively, the package can be reinstalled from trusted media using the command:<\/p>\n
$ sudo rpm -Uvh PACKAGENAME<\/i><\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000523<\/td>\nCCI-000066<\/td>\nmedium<\/td>\nThe system’s local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.<\/td>\nIn ip6tables<\/code>, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP<\/code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.<\/td>\nIf IPv6 is disabled, this is not applicable.<\/p>\n

Inspect the file \/etc\/sysconfig\/ip6tables<\/code> to determine the default policy for the INPUT chain. It should be set to DROP:<\/p>\n

$ sudo grep \":INPUT\" \/etc\/sysconfig\/ip6tables<\/pre>\n
If the default policy for the INPUT chain is not set to DROP, this is a finding.<\/td>\n
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \/etc\/sysconfig\/ip6tables<\/code>:<\/p>\n
:INPUT DROP [0:0]<\/pre>\n
If changes were required, reload the ip6tables rules:<\/p>\n
$ sudo service ip6tables reload<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000525<\/td>\nCCI-000169<\/td>\nlow<\/td>\nAuditing must be enabled at boot by setting a kernel parameter.<\/td>\nEach process on the system carries an “auditable” flag which indicates whether its activities can be audited. Although auditd<\/code> takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.<\/td>\nInspect the kernel boot arguments (which follow the word kernel<\/code>) in \/etc\/grub.conf<\/code>. If they include audit=1<\/code>, then auditing is enabled at boot time. If auditing is not enabled at boot time, this is a finding.<\/td>\nTo ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1<\/code> to the kernel line in \/etc\/grub.conf<\/code>, in the manner below:<\/p>\n
kernel \/vmlinuz-version ro vga=ext root=\/dev\/VolGroup00\/LogVol00 rhgb quiet audit=1<\/pre>\n<\/td>\n<\/tr>\n
RHEL-06-000526<\/td>\nCCI-000366<\/td>\nlow<\/td>\nAutomated file system mounting tools must not be enabled unless needed.<\/td>\nDisabling the automounter permits the administrator to statically control filesystem mounting through \/etc\/fstab<\/code>.<\/td>\nTo check that the autofs<\/code> service is disabled in system boot configuration, run the following command:<\/p>\n
# chkconfig autofs<\/code> --list<\/pre>\n
Output should indicate the autofs<\/code> service has either not been installed, or has been disabled at all runlevels, as shown in the example below:<\/p>\n
# chkconfig autofs<\/code> --list\r\nautofs<\/code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off<\/pre>\n
Run the following command to verify autofs<\/code> is disabled through current runtime configuration:<\/p>\n
# service autofs status<\/pre>\n
If the service is disabled the command will return the following output:<\/p>\n
autofs is stopped<\/pre>\n
If the service is running, this is a finding.<\/td>\n
The autofs<\/code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as \/misc\/cd<\/code>. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing \/etc\/fstab<\/code> rather than relying on the automounter.<\/p>\n

The autofs<\/code> service can be disabled with the following command:<\/p>\n

# chkconfig autofs off<\/pre>\n<\/td>\n<\/tr>\n
SRG-OS-000006-NA<\/td>\nCCI-000021<\/td>\nmedium<\/td>\nThe operating system must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000008-NA<\/td>\nCCI-000024<\/td>\nmedium<\/td>\nThe operating system must prevent access to organization defined security-relevant information except during secure, non-operable system states.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000009-NA<\/td>\nCCI-000025<\/td>\nmedium<\/td>\nThe operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000010-NA<\/td>\nCCI-000026<\/td>\nmedium<\/td>\nThe operating system must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000011-NA<\/td>\nCCI-000027<\/td>\nmedium<\/td>\nThe operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000012-NA<\/td>\nCCI-000028<\/td>\nmedium<\/td>\nThe operating system must prevent encrypted data from bypassing content checking mechanisms.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000013-NA<\/td>\nCCI-000029<\/td>\nmedium<\/td>\nThe operating system must enforce organization defined limitations on the embedding of data types within other data types.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000014-NA<\/td>\nCCI-000030<\/td>\nmedium<\/td>\nThe operating system must enforce information flow control on metadata.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000016-NA<\/td>\nCCI-000032<\/td>\nmedium<\/td>\nThe operating system must enforce information flow control using organization defined security policy filters as a basis for flow control decisions.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000018-NA<\/td>\nCCI-000035<\/td>\nmedium<\/td>\nThe operating system must provide the capability for a privileged administrator to configure the organization defined security policy filters to support different security policies.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000019-NA<\/td>\nCCI-000037<\/td>\nmedium<\/td>\nThe operating system must implement separation of duties through assigned information system access authorizations.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000060-NA<\/td>\nCCI-000165<\/td>\nmedium<\/td>\nThe operating system must produce audit records on hardware-enforced, write-once media.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000061-NA<\/td>\nCCI-000166<\/td>\nmedium<\/td>\nThe operating system must protect against an individual falsely denying having performed a particular action.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000068-NA<\/td>\nCCI-000187<\/td>\nmedium<\/td>\nThe operating system, for PKI-based authentication must map the authenticated identity to the user account.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000074-NA<\/td>\nCCI-000197<\/td>\nmedium<\/td>\nThe operating system must enforce password encryption for transmission.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000081-NA<\/td>\nCCI-000218<\/td>\nmedium<\/td>\nThe operating system, when transferring information between different security domains, must identify information flows by data type specification and usage.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000082-NA<\/td>\nCCI-000219<\/td>\nmedium<\/td>\nThe operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000083-NA<\/td>\nCCI-000221<\/td>\nmedium<\/td>\nThe operating system must enforce security policies regarding information on interconnected systems.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000091-NA<\/td>\nCCI-000354<\/td>\nmedium<\/td>\nThe operating system must enforce a two-person rule for changes to organization defined information system components and system-level information.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000092-NA<\/td>\nCCI-000371<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to centrally apply configuration settings.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000093-NA<\/td>\nCCI-000372<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to centrally verify configuration settings.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000101-NA<\/td>\nCCI-000539<\/td>\nmedium<\/td>\nThe operating system must conduct backups of operating system documentation including security-related documentation per organization defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000102-NA<\/td>\nCCI-000553<\/td>\nmedium<\/td>\nThe operating system must implement transaction recovery for transaction-based systems.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000107-NA<\/td>\nCCI-000767<\/td>\nmedium<\/td>\nThe operating system must use multifactor authentication for local access to privileged accounts.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000108-NA<\/td>\nCCI-000768<\/td>\nmedium<\/td>\nThe operating system must use multifactor authentication for local access to non-privileged accounts.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000110-NA<\/td>\nCCI-000771<\/td>\nmedium<\/td>\nThe operating system must use multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000111-NA<\/td>\nCCI-000772<\/td>\nmedium<\/td>\nThe operating system must use multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the operating system being accessed.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000115-NA<\/td>\nCCI-000779<\/td>\nmedium<\/td>\nThe operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000116-NA<\/td>\nCCI-000780<\/td>\nmedium<\/td>\nThe operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000117-NA<\/td>\nCCI-000781<\/td>\nmedium<\/td>\nThe operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000122-NA<\/td>\nCCI-000831<\/td>\nmedium<\/td>\nThe operating system must implement a configurable capability to automatically disable the operating system if any of the organization defined lists of security violations are detected.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000125-NA<\/td>\nCCI-000877<\/td>\nmedium<\/td>\nThe operating system must employ strong identification and authentication techniques in the establishment of nonlocal maintenance and diagnostic sessions.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000128-NA<\/td>\nCCI-000884<\/td>\nmedium<\/td>\nThe operating system must protect nonlocal maintenance sessions through the use of a strong authenticator tightly bound to the user.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000130-NA<\/td>\nCCI-001009<\/td>\nmedium<\/td>\nThe operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000140-NA<\/td>\nCCI-001092<\/td>\nmedium<\/td>\nThe operating system must protect against or must limit the effects of the organization defined or referenced types of Denial of Service attacks.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000141-NA<\/td>\nCCI-001094<\/td>\nmedium<\/td>\nThe operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000149-NA<\/td>\nCCI-001112<\/td>\nmedium<\/td>\nThe operating system must route organization defined internal communications traffic to organization defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000150<\/td>\nCCI-001115<\/td>\nmedium<\/td>\nThe operating system, at managed interfaces, must deny network traffic and must audit internal users (or malicious code) posing a threat to external information systems.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000153-NA<\/td>\nCCI-001123<\/td>\nmedium<\/td>\nThe operating system must route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000154-NA<\/td>\nCCI-001124<\/td>\nmedium<\/td>\nThe operating system must prevent discovery of specific system components (or devices) composing a managed interface.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000155-NA<\/td>\nCCI-001125<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to enforce strict adherence to protocol format.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000156-NA<\/td>\nCCI-001126<\/td>\nmedium<\/td>\nThe operating system must fail securely in the event of an operational failure of a boundary protection device.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000161-NA<\/td>\nCCI-001131<\/td>\nmedium<\/td>\nThe operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000162-NA<\/td>\nCCI-001132<\/td>\nmedium<\/td>\nThe operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000164-NA<\/td>\nCCI-001135<\/td>\nmedium<\/td>\nThe operating system must establish a trusted communications path between the user and organization defined security functions within the operating system.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000165-NA<\/td>\nCCI-001140<\/td>\nmedium<\/td>\nThe operating system must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000166-NA<\/td>\nCCI-001141<\/td>\nmedium<\/td>\nThe operating system must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000167-NA<\/td>\nCCI-001142<\/td>\nmedium<\/td>\nThe operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000168-NA<\/td>\nCCI-001143<\/td>\nmedium<\/td>\nThe operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000172-NA<\/td>\nCCI-001147<\/td>\nmedium<\/td>\nThe operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000173-NA<\/td>\nCCI-001148<\/td>\nmedium<\/td>\nThe operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000174-NA<\/td>\nCCI-001149<\/td>\nmedium<\/td>\nThe operating system must protect the integrity and availability of publicly available information and applications.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000175-NA<\/td>\nCCI-001150<\/td>\nmedium<\/td>\nThe operating system must prohibit remote activation of collaborative computing devices, excluding the organization defined exceptions where remote activation is to be allowed.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000177-NA<\/td>\nCCI-001157<\/td>\nmedium<\/td>\nThe operating system must associate security attributes with information exchanged between information systems.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000179-NA<\/td>\nCCI-001159<\/td>\nmedium<\/td>\nThe operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000180-NA<\/td>\nCCI-001166<\/td>\nmedium<\/td>\nThe operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000181-NA<\/td>\nCCI-001695<\/td>\nmedium<\/td>\nThe operating system must prevent the execution of prohibited mobile code.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000182-NA<\/td>\nCCI-001169<\/td>\nmedium<\/td>\nThe operating system must prevent the download of prohibited mobile code.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000183-NA<\/td>\nCCI-001170<\/td>\nmedium<\/td>\nThe operating system must prevent the automatic execution of mobile code in organization defined software applications and must require organization defined actions prior to executing the code.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000187-NA<\/td>\nCCI-001210<\/td>\nmedium<\/td>\nThe operating system at organization defined information system components must load and execute the operating environment from hardware-enforced, read-only media.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000188-NA<\/td>\nCCI-001211<\/td>\nmedium<\/td>\nThe operating system at organization defined information system components must load and execute organization defined applications from hardware-enforced, read-only media.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000193-NA<\/td>\nCCI-001239<\/td>\nmedium<\/td>\nThe operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000204-NA<\/td>\nCCI-001311<\/td>\nmedium<\/td>\nThe operating system must identify potentially security-relevant error conditions.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000205-NA<\/td>\nCCI-001312<\/td>\nmedium<\/td>\nThe operating system must generate error messages providing information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000209-NA<\/td>\nCCI-001339<\/td>\nmedium<\/td>\nThe operating system must validate the binding of the information producer’s identity to the information.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000210-NA<\/td>\nCCI-001340<\/td>\nmedium<\/td>\nThe operating system must maintain reviewer\/releaser identity and credentials within the established chain of custody for all information reviewed or released.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000211-NA<\/td>\nCCI-001341<\/td>\nmedium<\/td>\nThe operating system must validate the binding of the reviewer’s identity to the information at the transfer\/release point prior to release\/transfer from one security domain to another security domain.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000214-NA<\/td>\nCCI-001274<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to alert security personnel of any organization defined inappropriate or unusual activities with security implications.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000216-NA<\/td>\nCCI-001350<\/td>\nmedium<\/td>\nThe operating system must use cryptographic mechanisms to protect the integrity of audit information.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000217-NA<\/td>\nCCI-001352<\/td>\nmedium<\/td>\nThe operating system must protect the audit records resulting from nonlocal accesses to privileged accounts and the execution of privileged functions.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000219-NA<\/td>\nCCI-001356<\/td>\nmedium<\/td>\nThe operating system must monitor for atypical usage of operating system accounts.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000222-NA<\/td>\nCCI-001372<\/td>\nmedium<\/td>\nThe operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization defined information security policy requirements.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000223-NA<\/td>\nCCI-001373<\/td>\nmedium<\/td>\nThe operating system, when transferring information between different security domains, must detect unsanctioned information.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000224-NA<\/td>\nCCI-001374<\/td>\nmedium<\/td>\nThe operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000225-NA<\/td>\nCCI-001376<\/td>\nmedium<\/td>\nThe operating system must uniquely identify source domains for information transfer.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000226-NA<\/td>\nCCI-001377<\/td>\nmedium<\/td>\nThe operating system must uniquely authenticate source domains for information transfer.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000227-NA<\/td>\nCCI-001383<\/td>\nmedium<\/td>\nThe operating system must provide additional protection for mobile devices accessed via login by purging information from the device after organization defined number of consecutive, unsuccessful login attempts to the mobile device.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000229-NA<\/td>\nCCI-000370<\/td>\nmedium<\/td>\nThe operating system must employ automated mechanisms to centrally manage configuration settings.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000233-NA<\/td>\nCCI-001391<\/td>\nmedium<\/td>\nThe operating system must notify the user of the number of successful logins\/accesses that occur during the organization defined time period.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000234-NA<\/td>\nCCI-001392<\/td>\nmedium<\/td>\nThe operating system must notify the user of the number of unsuccessful login\/access attempts that occur during organization defined time period.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000235-NA<\/td>\nCCI-001395<\/td>\nmedium<\/td>\nThe operating system must notify the user of organization defined security-related changes to the user’s account that occur during the organization defined time period.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000238-NA<\/td>\nCCI-001401<\/td>\nmedium<\/td>\nThe operating system must support and maintain the binding of organization defined security attributes to information in transmission.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000251-NA<\/td>\nCCI-001454<\/td>\nmedium<\/td>\nThe operating system must ensure remote sessions for accessing an organization defined list of security functions and security-relevant information are audited.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000252-NA<\/td>\nCCI-001462<\/td>\nmedium<\/td>\nThe operating system must provide the capability to capture\/record and log all content related to a user session.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000261-NA<\/td>\nCCI-001555<\/td>\nmedium<\/td>\nThe operating system uniquely must identify destination domains for information transfer.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000262-NA<\/td>\nCCI-001556<\/td>\nmedium<\/td>\nThe operating system uniquely must authenticate destination domains for information transfer.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000263-NA<\/td>\nCCI-001557<\/td>\nmedium<\/td>\nThe operating system must track problems associated with the information transfer.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000267-NA<\/td>\nCCI-001632<\/td>\nmedium<\/td>\nThe operating system must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000268-NA<\/td>\nCCI-001662<\/td>\nmedium<\/td>\nThe operating system must take corrective actions, when unauthorized mobile code is identified.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000274-NA<\/td>\nCCI-001683<\/td>\nmedium<\/td>\nThe operating system must notify, as required, appropriate individuals when accounts are created.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000275-NA<\/td>\nCCI-001684<\/td>\nmedium<\/td>\nThe operating system must notify, as required, appropriate individuals when accounts are modified.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000276-NA<\/td>\nCCI-001685<\/td>\nmedium<\/td>\nThe operating system must notify, as required, appropriate individuals when account is disabled.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n
SRG-OS-000277-NA<\/td>\nCCI-001686<\/td>\nmedium<\/td>\nThe operating system must notify, as required, appropriate individuals for account termination.<\/td>\nThe guidance does not meet this requirement. The requirement is impractical or out of scope.<\/td>\nRHEL6 cannot support this requirement without assistance from an external application, policy, or service. This requirement is NA. If , this is a finding.<\/td>\nThis requirement is NA. No fix is required.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

 <\/p>\n

Rules In Pre-release Final STIG for Red Hat Enterprise Linux 6 <\/p>\n

 <\/p>\n

V-ID CCI CAT Title Description Check Procedures Fixtext RHEL-06-000001 CCI-000366 low The system must use a separate file system for \/tmp. The \/tmp partition is used as temporary storage by many programs. Placing \/tmp in its own partition enables the setting of […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4,50],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4046"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4046"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4046\/revisions"}],"predecessor-version":[{"id":4047,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4046\/revisions\/4047"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}