RedHat 6 STIG PDF - NoPasara

UNCLASSIFIED 

Red Hat Enterprise Linux 6 Security Technical Implementation Guide 

1 

Release: 2 Benchmark Date: 03 Jun 2013 

The Red Hat Enterprise Linux 6 Security Technical Implementation 

Guide (STIG) is published as a tool to improve the security of 

Department of Defense (DoD) information systems. Comments or 

proposed revisions to this document should be sent via e-mail to the 

following address: 

disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil. 

Rule Title: The system must use a separate file system 

for /tmp. 

STIG ID: RHEL-06-000001 Rule ID: SV-50255r1_rule Vuln 

ID: V-38455 

Severity: CAT III Class: Unclass 

Discussion: 

The "/tmp" partition is used as temporary storage by many 

programs. Placing "/tmp" in its own partition enables the 

setting of more restrictive mount options, which can help 

protect programs which use it. 

Documentable: No 

Check Content: 

Run the following command to determine if "/tmp" is on 

its own partition or logical volume: 

$ mount | grep "on /tmp " 

If "/tmp" has its own partition or volume group, a line 

will be returned. 

If no line is returned, this is a finding.

UNCLASSIFIED 

Fix Text: 

The "/tmp" directory is a world-writable directory used 

for temporary file storage. Ensure it has its own 

partition or logical volume at installation time, or 

migrate it using LVM. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


for /var. 


ID: V-38456 


Discussion: 

Ensuring that "/var" is mounted on its own partition 

enables the setting of more restrictive mount options. 

This helps protect system services such as daemons or 

other programs which use it. It is not uncommon for the 

"/var" directory to contain world-writable directories, 

installed by other software packages. 



Run the following command to determine if "/var" is on 


$ mount | grep "on /var " 

If "/var" has its own partition or volume group, a line 


If no line is returned, this is a finding. 

Fix Text: 

The "/var" directory is used by daemons and other system 

UNCLASSIFIED

UNCLASSIFIED 

services to store frequently-changing data. Ensure that 

"/var" has its own partition or logical volume at 

installation time, or migrate it using LVM. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


for /var/log. 


ID: V-38463 


Discussion: 

Placing "/var/log" in its own partition enables better 

separation between log files and other files in "/var/". 



Run the following command to determine if "/var/log" is 

on its own partition or logical volume: 

$ mount | grep "on /var/log " 

If "/var/log" has its own partition or volume group, a 

line will be returned. 


Fix Text: 

System logs are stored in the "/var/log" directory. 

Ensure that it has its own partition or logical volume 

at installation time, or migrate it using LVM. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

UNCLASSIFIED

UNCLASSIFIED 


for the system audit data path. 


ID: V-38467 


Discussion: 

Placing "/var/log/audit" in its own partition enables 

better separation between audit files and other files, 

and helps ensure that auditing cannot be halted due to 

the partition running out of space. 



Run the following command to determine if 

"/var/log/audit" is on its own partition or logical 

volume: 

$ mount | grep "on /var/log/audit " 

If "/var/log/audit" has its own partition or volume 

group, a line will be returned. 


Fix Text: 

Audit logs are stored in the "/var/log/audit" directory. 

Ensure that it has its own partition or logical volume 

at installation time, or migrate it later using LVM. Make 

absolutely certain that it is large enough to store all 

audit logs that will be created by the auditing daemon. 

CCI: CCI-000137 

NIST SP 800-53A :: AU-4.1 (i) 

NIST SP 800-53 :: AU-4 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The audit system must alert designated staff 

members when the audit storage volume approaches 

capacity. 


ID: V-38470 

Severity: CAT II Class: Unclass 

Discussion: 

Notifying administrators of an impending disk space 

problem may allow them to take corrective action prior 

to any disruption. 



Inspect "/etc/audit/auditd.conf" and locate the 

following line to determine if the system is configured 

to email the administrator when disk space is starting 

to run low: 

# grep space_left_action /etc/audit/auditd.conf 

space_left_action = email 

If the system is not configured to send an email to the 

system administrator when disk space is starting to run 

low, this is a finding. 

Fix Text: 

The "auditd" service can be configured to take an action 

when disk space starts to run low. Edit the file 

"/etc/audit/auditd.conf". Modify the following line, 

substituting [ACTION] appropriately: 

space_left_action = [ACTION] 

Possible values for [ACTION] are described in the 

"auditd.conf" man page. These include: 

UNCLASSIFIED

UNCLASSIFIED 

"ignore" 

"syslog" 

"email" 

"exec" 

"suspend" 

"single" 

"halt" 

Set this to "email" (instead of the default, which is 

"suspend") as it is more likely to get prompt attention. 

RHEL-06-000521 ensures that the email generated through 

the operation "space_left_action" will be sent to an 

administrator. 

CCI: CCI-000138 

NIST SP 800-53A :: AU-4.1 (ii) 

NIST SP 800-53 :: AU-4 


for user home directories. 


ID: V-38473 


Discussion: 

Ensuring that "/home" is mounted on its own partition 

enables the setting of more restrictive mount options, 

and also helps ensure that users cannot trivially fill 

partitions used for log or audit data storage. 



Run the following command to determine if "/home" is on 


UNCLASSIFIED

UNCLASSIFIED 

$ mount | grep "on /home " 

If "/home" has its own partition or volume group, a line 



Fix Text: 

If user home directories will be stored locally, create 

a separate partition for "/home" at installation time (or 

migrate it later using LVM). If "/home" will be mounted 

from another system such as an NFS server, then creating 

a separate partition is not necessary at installation 

time, and the mountpoint can instead be configured later. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: Vendor-provided cryptographic certificates 

must be installed to verify the integrity of system 

software. 


ID: V-38476 

Severity: CAT I Class: Unclass 

Discussion: 

This key is necessary to cryptographically verify 

packages are from Red Hat. 



To ensure that the GPG key is installed, run: 

$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey 

The command should return the string below: 

UNCLASSIFIED

UNCLASSIFIED 

gpg(Red Hat, Inc. (release key ) 

If the Red Hat GPG Key is not installed, this is a finding. 

Fix Text: 

To ensure the system can cryptographically verify base 

software packages come from Red Hat (and to connect to 

the Red Hat Network to receive them if desired), the Red 

Hat GPG key must properly be installed. To ensure the GPG 

key is installed, run: 

# rhn_register 

CCI: CCI-000352 

NIST SP 800-53A :: CM-5 (3).1 (ii) 

NIST SP 800-53 :: CM-5 (3) 

Rule Title: The Red Hat Network Service (rhnsd) service 

must not be running, unless using RHN or an RHN Satellite. 


ID: V-38478 


Discussion: 

Although systems management and patching is extremely 

important to system security, management by a system 

outside the enterprise enclave is not desirable for some 

environments. However, if the system is being managed by 

RHN or RHN Satellite Server the "rhnsd" daemon can remain 

on. 



If the system uses RHN or is an RHN Satellite, this is 

not applicable. 

UNCLASSIFIED

UNCLASSIFIED 

To check that the "rhnsd" service is disabled in system 

boot configuration, run the following command: 

# chkconfig "rhnsd" --list 

Output should indicate the "rhnsd" service has either not 

been installed, or has been disabled at all runlevels, 

as shown in the example below: 

# chkconfig "rhnsd" --list 

"rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "rhnsd" is disabled 

through current runtime configuration: 

# service rhnsd status 

If the service is disabled the command will return the 

following output: 

rhnsd is stopped 

If the service is running, this is a finding. 

Fix Text: 

The Red Hat Network service automatically queries Red Hat 

Network servers to determine whether there are any 

actions that should be executed, such as package updates. 

This only occurs if the system was registered to an RHN 

server or satellite and managed as such. The "rhnsd" 

service can be disabled with the following command: 

# chkconfig rhnsd off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: System security patches and updates must be 

installed and up-to-date. 


ID: V-38481 


Discussion: 

Installing software updates is a fundamental mitigation 

against the exploitation of publicly-known 

vulnerabilities. 



If the system is joined to the Red Hat Network, a Red Hat 

Satellite Server, or a yum server which provides updates, 

invoking the following command will indicate if updates 

are available: 

# yum check-update 

If the system is not configured to update from one of these 

sources, run the following command to list when each 

package was last updated: 

$ rpm -qa -last 

Compare this to Red Hat Security Advisories (RHSA) listed 

at https://access.redhat.com/security/updates/active/ 

to determine whether the system is missing applicable 

security and bugfix updates. 

If updates are not installed, this is a finding. 

Fix Text: 

If the system is joined to the Red Hat Network, a Red Hat 

Satellite Server, or a yum server, run the following 

command to install updates: 

# yum update 

UNCLASSIFIED

UNCLASSIFIED 

If the system is not configured to use one of these 

sources, updates (in the form of RPM packages) can be 

manually downloaded from the Red Hat Network and 

installed using "rpm". 

CCI: CCI-001233 

NIST SP 800-53 :: SI-2 (2) 

NIST SP 800-53A :: SI-2 (2).1 (ii) 

Rule Title: The system package management tool must 

cryptographically verify the authenticity of system 

software packages during installation. 


ID: V-38483 


Discussion: 

Ensuring the validity of packages' cryptographic 

signatures prior to installation ensures the provenance 

of the software and protects against malicious tampering. 



To determine whether "yum" is configured to use 

"gpgcheck", inspect "/etc/yum.conf" and ensure the 

following appears in the "[main]" section: 

gpgcheck=1 

A value of "1" indicates that "gpgcheck" is enabled. 

Absence of a "gpgcheck" line or a setting of "0" indicates 

that it is disabled. 

If GPG checking is not enabled, this is a finding. 

If the "yum" system package management tool is not used 

to update the system, verify with the SA that installed 

packages are cryptographically signed. 

UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

The "gpgcheck" option should be used to ensure checking 

of an RPM package's signature always occurs prior to its 

installation. To configure yum to check package 

signatures before installing them, ensure the following 

line appears in "/etc/yum.conf" in the "[main]" section: 

gpgcheck=1 

CCI: CCI-000663 

NIST SP 800-53 :: SA-7 

NIST SP 800-53A :: SA-7.1 (ii) 


cryptographically verify the authenticity of all 



ID: V-38487 


Discussion: 

Ensuring all packages' cryptographic signatures are 

valid prior to installation ensures the provenance of the 

software and protects against malicious tampering. 



To determine whether "yum" has been configured to disable 

"gpgcheck" for any repos, inspect all files in 

"/etc/yum.repos.d" and ensure the following does not 

appear in any sections: 

gpgcheck=0 

A value of "0" indicates that "gpgcheck" has been disabled 

for that repo. 

UNCLASSIFIED

UNCLASSIFIED 

If GPG checking is disabled, this is a finding. 

If the "yum" system package management tool is not used 

to update the system, verify with the SA that installed 

packages are cryptographically signed. 

Fix Text: 

To ensure signature checking is not disabled for any 

repos, remove any lines from files in "/etc/yum.repos.d" 

of the form: 

gpgcheck=0 

CCI: CCI-000663 

NIST SP 800-53 :: SA-7 

NIST SP 800-53A :: SA-7.1 (ii) 

Rule Title: A file integrity tool must be installed. 


ID: V-38489 


Discussion: 

The AIDE package must be installed if it is to be available 

for integrity checking. 



If another file integrity tool is installed, this is not 

a finding. 

Run the following command to determine if the "aide" 

package is installed: 

# rpm -q aide 

UNCLASSIFIED

UNCLASSIFIED 

If the package is not installed, this is a finding. 

Fix Text: 

Install the AIDE package with the command: 

# yum install aide 

CCI: CCI-001069 

NIST SP 800-53A :: RA-5 (7).1 (ii) 

NIST SP 800-53 :: RA-5 (7) 

Rule Title: There must be no .rhosts or hosts.equiv 

files on the system. 


ID: V-38491 


Discussion: 

Trust files are convenient, but when used in conjunction 

with the R-services, they can allow unauthenticated 

access to a system. 



The existence of the file "/etc/hosts.equiv" or a file 

named ".rhosts" inside a user home directory indicates 

the presence of an Rsh trust relationship. 

If these files exist, this is a finding. 

Fix Text: 

The files "/etc/hosts.equiv" and "~/.rhosts" (in each 

user's home directory) list remote hosts and users that 

are trusted by the local system when using the rshd 

daemon. To remove these files, run the following command 

to delete them from any location. 

# rm /etc/hosts.equiv 

UNCLASSIFIED

UNCLASSIFIED 

$ rm ~/.rhosts 

CCI: CCI-001436 

NIST SP 800-53A :: AC-17 (8).1 (ii) 

NIST SP 800-53 :: AC-17 (8) 

Rule Title: The system must prevent the root account 

from logging in from virtual consoles. 


ID: V-38492 


Discussion: 

Preventing direct root login to virtual console devices 

helps ensure accountability for actions taken on the 

system using the root account. 



To check for virtual console entries which permit root 

login, run the following command: 

# grep '^vc/[0-9]' /etc/securetty 

If any output is returned, then root logins over virtual 

console devices is permitted. 

If root login over virtual console devices is permitted, 

this is a finding. 

Fix Text: 

To restrict root logins through the (deprecated) virtual 

console devices, ensure lines of this form do not appear 

in "/etc/securetty": 

UNCLASSIFIED

UNCLASSIFIED 

vc/1 

vc/2 

vc/3 

vc/4 

Note: Virtual console entries are not limited to those 

listed above. Any lines starting with "vc/" followed by 

numerals should be removed. 

CCI: CCI-000770 

NIST SP 800-53A :: IA-2 (5).2 (ii) 

NIST SP 800-53 :: IA-2 (5) (b) 

Rule Title: The system must prevent the root account 

from logging in from serial consoles. 


ID: V-38494 


Discussion: 

Preventing direct root login to serial port interfaces 

helps ensure accountability for actions taken on the 

systems using the root account. 



To check for serial port entries which permit root login, 

run the following command: 

# grep '^ttyS[0-9]' /etc/securetty 

If any output is returned, then root login over serial 

ports is permitted. 

If root login over serial ports is permitted, this is a 

finding. 

Fix Text: 

UNCLASSIFIED

UNCLASSIFIED 

To restrict root logins on serial ports, ensure lines of 

this form do not appear in "/etc/securetty": 

ttyS0 

ttyS1 

Note: Serial port entries are not limited to those 

listed above. Any lines starting with "ttyS" followed 

by numerals should be removed 

CCI: CCI-000770 

NIST SP 800-53A :: IA-2 (5).2 (ii) 

NIST SP 800-53 :: IA-2 (5) (b) 

Rule Title: Default system accounts, other than root, 

must be locked. 


ID: V-38496 


Discussion: 

Disabling authentication for default system accounts 

makes it more difficult for attackers to make use of them 

to compromise a system. 



To obtain a listing of all users and the contents of their 

shadow password field, run the command: 

$ awk -F: '{print $1 ":" $2}' /etc/shadow 

Identify the system accounts from this listing. These 

will primarily be the accounts with UID numbers less than 

500, other than root. 

If any system account (other than root) has a valid 

password hash, this is a finding. 

UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

Some accounts are not associated with a human user of the 

system, and exist to perform some administrative 

function. An attacker should not be able to log into these 

accounts. 

Disable login access to these accounts with the command: 

# passwd -l [SYSACCT] 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not have accounts configured 

with blank or null passwords. 


ID: V-38497 


Discussion: 

If an account has an empty password, anyone could log in 

and run commands with the privileges of that account. 

Accounts with empty passwords should never be used in 

operational environments. 



To verify that null passwords cannot be used, run the 

following command: 

# grep nullok /etc/pam.d/system-auth 

/etc/pam.d/system-auth-ac 

If this produces any output, it may be possible to log 

into accounts with empty passwords. 

UNCLASSIFIED

UNCLASSIFIED 

If NULL passwords can be used, this is a finding. 

Fix Text: 

If an account is configured for password authentication 

but does not have an assigned password, it may be possible 

to log into the account without authentication. Remove 

any instances of the "nullok" option in 

"/etc/pam.d/system-auth-ac" to prevent logins with empty 

passwords. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/passwd file must not contain 

password hashes. 


ID: V-38499 


Discussion: 

The hashes for all user account passwords should be stored 

in the file "/etc/shadow" and never in "/etc/passwd", 

which is readable by all users. 



To check that no password hashes are stored in 

"/etc/passwd", run the following command: 

# awk -F: '($2 != "x") {print}' /etc/passwd 

If it produces any output, then a password hash is stored 

in "/etc/passwd". 

If any stored hashes are found in /etc/passwd, this is 

a finding. 

UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

If any password hashes are stored in "/etc/passwd" (in 

the second field, instead of an "x"), the cause of this 

misconfiguration should be investigated. The account 

should have its password reset and the hash should be 

properly stored, or the account should be deleted 

entirely. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The root account must be the only account 

having a UID of 0. 


ID: V-38500 


Discussion: 

An account has root authority if it has a UID of 0. 

Multiple accounts with a UID of 0 afford more opportunity 

for potential intruders to guess a password for a 

privileged account. Proper configuration of sudo is 

recommended to afford multiple system administrators 

access to root privileges in an accountable manner. 



To list all password file entries for accounts with UID 

0, run the following command: 

# awk -F: '($3 == "0") {print}' /etc/passwd 

This should print only one line, for the user root. 

If any account other than root has a UID of 0, this is 

a finding. 

UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

If any account other than root has a UID of 0, this 

misconfiguration should be investigated and the accounts 

other than root should be removed or have their UID 

changed. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/shadow file must be owned by root. 


ID: V-38502 


Discussion: 

The "/etc/shadow" file contains the list of local system 

accounts and stores password hashes. Protection of this 

file is critical for system security. Failure to give 

ownership of this file to root provides the designated 

owner with access to sensitive information which could 

weaken the system security posture. 



To check the ownership of "/etc/shadow", run the command: 

$ ls -l /etc/shadow 

If properly configured, the output should indicate the 

following owner: "root" 

If it does not, this is a finding. 

Fix Text: 

To properly set the owner of "/etc/shadow", run the 

command: 

UNCLASSIFIED

UNCLASSIFIED 

# chown root /etc/shadow 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/shadow file must be group-owned by 

root. 


ID: V-38503 


Discussion: 

The "/etc/shadow" file stores password hashes. 

Protection of this file is critical for system security. 



To check the group ownership of "/etc/shadow", run the 

command: 



following group-owner. "root" 


Fix Text: 

To properly set the group owner of "/etc/shadow", run the 

command: 

# chgrp root /etc/shadow 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The /etc/shadow file must have mode 0000. 


ID: V-38504 


Discussion: 

The "/etc/shadow" file contains the list of local system 

accounts and stores password hashes. Protection of this 

file is critical for system security. Failure to give 

ownership of this file to root provides the designated 

owner with access to sensitive information which could 

weaken the system security posture. 



To check the permissions of "/etc/shadow", run the 

command: 



following permissions: "----------" 


Fix Text: 

To properly set the permissions of "/etc/shadow", run the 

command: 

# chmod 0000 /etc/shadow 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/gshadow file must be owned by root. 

UNCLASSIFIED

UNCLASSIFIED 


ID: V-38443 


Discussion: 

The "/etc/gshadow" file contains group password hashes. 




To check the ownership of "/etc/gshadow", run the 

command: 

$ ls -l /etc/gshadow 




Fix Text: 

To properly set the owner of "/etc/gshadow", run the 

command: 

# chown root /etc/gshadow 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/gshadow file must be group-owned 

by root. 


ID: V-38448 


Discussion: 

UNCLASSIFIED

UNCLASSIFIED 

The "/etc/gshadow" file contains group password hashes. 




To check the group ownership of "/etc/gshadow", run the 

command: 





Fix Text: 

To properly set the group owner of "/etc/gshadow", run 

the command: 

# chgrp root /etc/gshadow 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/gshadow file must have mode 0000. 


ID: V-38449 


Discussion: 

The /etc/gshadow file contains group password hashes. 




To check the permissions of "/etc/gshadow", run the 

UNCLASSIFIED

UNCLASSIFIED 

command: 



following permissions: "----------" 


Fix Text: 

To properly set the permissions of "/etc/gshadow", run 

the command: 

# chmod 0000 /etc/gshadow 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/passwd file must be owned by root. 


ID: V-38450 


Discussion: 

The "/etc/passwd" file contains information about the 

users that are configured on the system. Protection of 

this file is critical for system security. 



To check the ownership of "/etc/passwd", run the command: 

$ ls -l /etc/passwd 




UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

To properly set the owner of "/etc/passwd", run the 

command: 

# chown root /etc/passwd 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/passwd file must be group-owned by 

root. 


ID: V-38451 


Discussion: 

The "/etc/passwd" file contains information about the 

users that are configured on the system. Protection of 

this file is critical for system security. 



To check the group ownership of "/etc/passwd", run the 

command: 





Fix Text: 

To properly set the group owner of "/etc/passwd", run the 

command: 

UNCLASSIFIED

UNCLASSIFIED 

# chgrp root /etc/passwd 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/passwd file must have mode 0644 or 

less permissive. 


ID: V-38457 


Discussion: 

If the "/etc/passwd" file is writable by a group-owner 

or the world the risk of its compromise is increased. The 

file contains the list of accounts on the system and 

associated information, and protection of this file is 

critical for system security. 



To check the permissions of "/etc/passwd", run the 

command: 



following permissions: "-rw-r--r--" 


Fix Text: 

To properly set the permissions of "/etc/passwd", run the 

command: 

# chmod 0644 /etc/passwd 

CCI: CCI-000366 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/group file must be owned by root. 


ID: V-38458 


Discussion: 

The "/etc/group" file contains information regarding 

groups that are configured on the system. Protection of 

this file is important for system security. 



To check the ownership of "/etc/group", run the command: 

$ ls -l /etc/group 




Fix Text: 

To properly set the owner of "/etc/group", run the 

command: 

# chown root /etc/group 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/group file must be group-owned by 

root. 

UNCLASSIFIED

UNCLASSIFIED 


ID: V-38459 


Discussion: 






To check the group ownership of "/etc/group", run the 

command: 





Fix Text: 

To properly set the group owner of "/etc/group", run the 

command: 

# chgrp root /etc/group 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The /etc/group file must have mode 0644 or 

less permissive. 


ID: V-38461 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 






To check the permissions of "/etc/group", run the 

command: 



following permissions: "-rw-r--r--" 


Fix Text: 

To properly set the permissions of "/etc/group", run the 

command: 

# chmod 644 /etc/group 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: Library files must have mode 0755 or less 

permissive. 


ID: V-38465 


Discussion: 

Files from shared library directories are loaded into the 

address space of processes (including privileged ones) 

or of the kernel itself at runtime. Restrictive 

permissions are necessary to protect the integrity of the 

UNCLASSIFIED

UNCLASSIFIED 

system. 



System-wide shared library files, which are linked to 

executables during process load time or run time, are 

stored in the following directories by default: 

/lib 

/lib64 

/usr/lib 

/usr/lib64 

Kernel modules, which can be added to the kernel during 

runtime, are stored in "/lib/modules". All files in these 

directories should not be group-writable or 

world-writable. To find shared libraries that are 

group-writable or world-writable, run the following 

command for each directory [DIR] which contains shared 

libraries: 

$ find -L [DIR] -perm /022 

If any of these files are group-writable or 

world-writable, this is a finding. 

Fix Text: 




/lib 

/lib64 

/usr/lib 

/usr/lib64 

If any file in these directories is found to be 

UNCLASSIFIED

UNCLASSIFIED 

group-writable or world-writeable correct its permission 

with the following command: 

# chmod go-w [FILE] 

CCI: CCI-001499 

NIST SP 800-53 :: CM-5 (6) 

NIST SP 800-53A :: CM-5 (6).1 

Rule Title: Library files must be owned by root. 


ID: V-38466 


Discussion: 

Files from shared library directories are loaded into the 

address space of processes (including privileged ones) 

or of the kernel itself at runtime. Proper ownership is 

necessary to protect the integrity of the system. 






/lib 

/lib64 

/usr/lib 

/usr/lib64 

Kernel modules, which can be added to the kernel during 

runtime, are stored in "/lib/modules". All files in these 

directories should not be group-writable or 

world-writable. To find shared libraries that are not 

owned by "root", run the following command for each 

UNCLASSIFIED

UNCLASSIFIED 

directory [DIR] which contains shared libraries: 

$ find -L [DIR] \! -user root 

If any of these files are not owned by root, this is a 

finding. 

Fix Text: 




/lib 

/lib64 

/usr/lib 

/usr/lib64 

If any file in these directories is found to be owned by 

a user other than root, correct its ownership with the 


# chown root [FILE] 

CCI: CCI-001499 

NIST SP 800-53 :: CM-5 (6) 

NIST SP 800-53A :: CM-5 (6).1 

Rule Title: All system command files must have mode 0755 

or less permissive. 


ID: V-38469 


Discussion: 

System binaries are executed by privileged users, as well 

as system services, and restrictive permissions are 

necessary to ensure execution of these programs cannot 

UNCLASSIFIED

UNCLASSIFIED 

be co-opted. 



System executables are stored in the following 

directories by default: 

/bin 

/usr/bin 

/usr/local/bin 

/sbin 

/usr/sbin 

/usr/local/sbin 

All files in these directories should not be 

group-writable or world-writable. To find system 

executables that are group-writable or world-writable, 

run the following command for each directory [DIR] which 

contains system executables: 

$ find -L [DIR] -perm /022 

If any system executables are found to be group-writable 

or world-writable, this is a finding. 

Fix Text: 



/bin 

/usr/bin 


/sbin 

/usr/sbin 


If any file in these directories is found to be 

group-writable or world-writable, correct its permission 

UNCLASSIFIED

UNCLASSIFIED 


# chmod go-w [FILE] 

CCI: CCI-001499 

NIST SP 800-53 :: CM-5 (6) 

NIST SP 800-53A :: CM-5 (6).1 

Rule Title: All system command files must be owned by 

root. 


ID: V-38472 


Discussion: 

System binaries are executed by privileged users as well 

as system services, and restrictive permissions are 

necessary to ensure that their execution of these 

programs cannot be co-opted. 





/bin 

/usr/bin 


/sbin 

/usr/sbin 


All files in these directories should not be 

group-writable or world-writable. To find system 

executables that are not owned by "root", run the 

following command for each directory [DIR] which contains 

system executables: 

UNCLASSIFIED

UNCLASSIFIED 

$ find -L [DIR] \! -user root 

If any system executables are found to not be owned by 

root, this is a finding. 

Fix Text: 



/bin 

/usr/bin 


/sbin 

/usr/sbin 


If any file [FILE] in these directories is found to be 

owned by a user other than root, correct its ownership 


# chown root [FILE] 

CCI: CCI-001499 

NIST SP 800-53 :: CM-5 (6) 

NIST SP 800-53A :: CM-5 (6).1 

Rule Title: The system must require passwords to contain 

a minimum of 14 characters. 


ID: V-38475 


Discussion: 

Requiring a minimum password length makes password 

cracking attacks more difficult by ensuring a larger 

search space. However, any security benefit from an 

UNCLASSIFIED

UNCLASSIFIED 

onerous requirement must be carefully weighed against 

usability problems, support costs, or counterproductive 

behavior that may result. 

While it does not negate the password length requirement, 

it is preferable to migrate from a password-based 

authentication scheme to a stronger one based on PKI 

(public key infrastructure). 



To check the minimum password length, run the command: 

$ grep PASS_MIN_LEN /etc/login.defs 

The DoD requirement is "14". 

If it is not set to the required value, this is a finding. 

Fix Text: 

To specify password length requirements for new accounts, 

edit the file "/etc/login.defs" and add or correct the 

following lines: 

PASS_MIN_LEN 14 

The DoD requirement is "14". If a program consults 

"/etc/login.defs" and also another PAM module (such as 

"pam_cracklib") during a password change operation, then 

the most restrictive must be satisfied. 

CCI: CCI-000205 

NIST SP 800-53A :: IA-5 (1).1 (i) 

NIST SP 800-53 :: IA-5 (1) (a) 

Rule Title: Users must not be able to change passwords 

more than once every 24 hours. 

UNCLASSIFIED

UNCLASSIFIED 


ID: V-38477 


Discussion: 

Setting the minimum password age protects against users 

cycling back to a favorite password after satisfying the 

password reuse requirement. 



To check the minimum password age, run the command: 

$ grep PASS_MIN_DAYS /etc/login.defs 

The DoD requirement is 1. 


Fix Text: 

To specify password minimum age for new accounts, edit 

the file "/etc/login.defs" and add or correct the 

following line, replacing [DAYS] appropriately: 

PASS_MIN_DAYS [DAYS] 

A value of 1 day is considered sufficient for many 

environments. The DoD requirement is 1. 

CCI: CCI-000198 

NIST SP 800-53A :: IA-5 (1).1 (v) 

NIST SP 800-53 :: IA-5 (1) (d) 

Rule Title: User passwords must be changed at least 

every 60 days. 


ID: V-38479 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Setting the password maximum age ensures users are 

required to periodically change their passwords. This 

could possibly decrease the utility of a stolen password. 

Requiring shorter password lifetimes increases the risk 

of users writing down the password in a convenient 

location subject to physical compromise. 



To check the maximum password age, run the command: 

$ grep PASS_MAX_DAYS /etc/login.defs 



Fix Text: 

To specify password maximum age for new accounts, edit 

the file "/etc/login.defs" and add or correct the 

following line, replacing [DAYS] appropriately: 

PASS_MAX_DAYS [DAYS] 


CCI: CCI-000199 

NIST SP 800-53A :: IA-5 (1).1 (v) 

NIST SP 800-53 :: IA-5 (1) (d) 

Rule Title: Users must be warned 7 days in advance of 

password expiration. 


ID: V-38480 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Setting the password warning age enables users to make 

the change at a practical time. 



To check the password warning age, run the command: 

$ grep PASS_WARN_AGE /etc/login.defs 



Fix Text: 

To specify how many days prior to password expiration that 

a warning will be issued to users, edit the file 

"/etc/login.defs" and add or correct the following line, 

replacing [DAYS] appropriately: 

PASS_WARN_AGE [DAYS] 


CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


at least one numeric character. 


ID: V-38482 


Discussion: 

Requiring digits makes password guessing attacks more 

difficult by ensuring a larger search space. 

UNCLASSIFIED

UNCLASSIFIED 



To check how many digits are required in a password, run 

the following command: 

$ grep pam_cracklib /etc/pam.d/system-auth 

The "dcredit" parameter (as a negative number) will 

indicate how many digits are required. The DoD requires 

at least one digit in a password. This would appear as 

"dcredit=-1". 

If dcredit is not found or not set to the required value, 


Fix Text: 

The pam_cracklib module's "dcredit" parameter controls 

requirements for usage of digits in a password. When set 

to a negative number, any password will be required to 

contain that many digits. When set to a positive number, 

pam_cracklib will grant +1 additional length credit for 

each digit. Add "dcredit=-1" after pam_cracklib.so to 

require use of a digit in passwords. 

CCI: CCI-000194 

NIST SP 800-53A :: IA-5 (1).1 (v) 

NIST SP 800-53 :: IA-5 (1) (a) 


at least one uppercase alphabetic character. 


ID: V-38569 


Discussion: 

Requiring a minimum number of uppercase characters makes 

password guessing attacks more difficult by ensuring a 

UNCLASSIFIED

UNCLASSIFIED 

larger search space. 



To check how many uppercase characters are required in 

a password, run the following command: 


The "ucredit" parameter (as a negative number) will 

indicate how many uppercase characters are required. The 

DoD requires at least one uppercase character in a 

password. This would appear as "ucredit=-1". 

If ucredit is not found or not set to the required value, 


Fix Text: 

The pam_cracklib module's "ucredit=" parameter controls 

requirements for usage of uppercase letters in a 

password. When set to a negative number, any password will 

be required to contain that many uppercase characters. 

When set to a positive number, pam_cracklib will grant 

+1 additional length credit for each uppercase character. 

Add "ucredit=-1" after pam_cracklib.so to require use of 

an uppercase character in passwords. 

CCI: CCI-000192 

NIST SP 800-53A :: IA-5 (1).1 (v) 

NIST SP 800-53 :: IA-5 (1) (a) 


at least one special character. 


ID: V-38570 


Discussion: 

UNCLASSIFIED

UNCLASSIFIED 

Requiring a minimum number of special characters makes 





To check how many special characters are required in a 

password, run the following command: 


The "ocredit" parameter (as a negative number) will 

indicate how many special characters are required. The 

DoD requires at least one special character in a password. 

This would appear as "ocredit=-1". 

If ocredit is not found or not set to the required value, 


Fix Text: 

The pam_cracklib module's "ocredit=" parameter controls 

requirements for usage of special (or ``other'') 

characters in a password. When set to a negative number, 

any password will be required to contain that many special 

characters. When set to a positive number, pam_cracklib 

will grant +1 additional length credit for each special 

character. Add "ocredit=-1" after pam_cracklib.so to 

require use of a special character in passwords. 

CCI: CCI-001619 

NIST SP 800-53 :: IA-5 (1) (a) 

NIST SP 800-53A :: IA-5 (1).1 (v) 


at least one lowercase alphabetic character. 


ID: V-38571 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Requiring a minimum number of lowercase characters makes 





To check how many lowercase characters are required in 

a password, run the following command: 


The "lcredit" parameter (as a negative number) will 

indicate how many special characters are required. The 

DoD requires at least one lowercase character in a 

password. This would appear as "lcredit=-1". 

If lcredit is not found or not set to the required value, 


Fix Text: 

The pam_cracklib module's "lcredit=" parameter controls 

requirements for usage of lowercase letters in a 

password. When set to a negative number, any password will 

be required to contain that many lowercase characters. 

When set to a positive number, pam_cracklib will grant 

+1 additional length credit for each lowercase character. 

Add "lcredit=-1" after pam_cracklib.so to require use of 

a lowercase character in passwords. 

CCI: CCI-000193 

NIST SP 800-53A :: IA-5 (1).1 (v) 

NIST SP 800-53 :: IA-5 (1) (a) 

Rule Title: The system must require at least four 

characters be changed between the old and new passwords 

during a password change. 


UNCLASSIFIED

UNCLASSIFIED 

ID: V-38572 


Discussion: 

Requiring a minimum number of different characters during 

password changes ensures that newly changed passwords 

should not resemble previously compromised ones. Note 

that passwords which are changed on compromised systems 

will still be compromised, however. 



To check how many characters must differ during a password 

change, run the following command: 


The "difok" parameter will indicate how many characters 

must differ. The DoD requires four characters differ 

during a password change. This would appear as "difok=4". 

If difok is not found or not set to the required value, 


Fix Text: 

The pam_cracklib module's "difok" parameter controls 

requirements for usage of different characters during a 

password change. Add "difok=[NUM]" after pam_cracklib.so 

to require differing characters when changing passwords, 

substituting [NUM] appropriately. The DoD requirement is 

4. 

CCI: CCI-000195 

NIST SP 800-53A :: IA-5 (1).1 (v) 

NIST SP 800-53 :: IA-5 (1) (b) 

Rule Title: The system must disable accounts after three 

consecutive unsuccessful login attempts. 

UNCLASSIFIED

UNCLASSIFIED 


ID: V-38573 


Discussion: 

Locking out user accounts after a number of incorrect 

attempts prevents direct password guessing attacks. 



To ensure the failed password attempt policy is 

configured correctly, run the following command: 

# grep pam_faillock /etc/pam.d/system-auth-ac 

The output should show "deny=3". 

If that is not the case, this is a finding. 

Fix Text: 

To configure the system to lock out accounts after a 

number of incorrect login attempts using 

"pam_faillock.so": 

Add the following lines immediately below the 

"pam_unix.so" statement in the AUTH section of 

"/etc/pam.d/system-auth-ac": 

auth [default=die] pam_faillock.so authfail deny=3 

unlock_time=604800 fail_interval=900 

auth required pam_faillock.so authsucc deny=3 


Note that any updates made to 

"/etc/pam.d/system-auth-ac" will be overwritten by the 

"authconfig" program. The "authconfig" program should 

not be used. 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000044 

NIST SP 800-53 :: AC-7 a 

NIST SP 800-53A :: AC-7.1 (ii) 

Rule Title: The system must use a FIPS 140-2 approved 

cryptographic hashing algorithm for generating account 

password hashes (system-auth). 


ID: V-38574 


Discussion: 

Using a stronger hashing algorithm makes password 

cracking attacks more difficult. 



Inspect the "password" section of 

"/etc/pam.d/system-auth" and ensure that the 

"pam_unix.so" module includes the argument "sha512". 

$ grep sha512 /etc/pam.d/system-auth" 


Fix Text: 

In "/etc/pam.d/system-auth", the "password" section of 

the file controls which PAM modules execute during a 

password change. Set the "pam_unix.so" module in the 

"password" section to include the argument "sha512", as 

shown below: 

password sufficient pam_unix.so sha512 [other 

arguments...] 

This will help ensure when local users change their 

UNCLASSIFIED

UNCLASSIFIED 

passwords, hashes for the new passwords will be generated 

using the SHA-512 algorithm. This is the default. 

Note that any updates made to "/etc/pam.d/system-auth" 

will be overwritten by the "authconfig" program. The 

"authconfig" program should not be used. 

CCI: CCI-000803 

NIST SP 800-53A :: IA-7.1 

NIST SP 800-53 :: IA-7 



password hashes (login.defs). 


ID: V-38576 


Discussion: 





Inspect "/etc/login.defs" and ensure the following line 

appears: 

ENCRYPT_METHOD SHA512 


Fix Text: 

In "/etc/login.defs", add or correct the following line 

to ensure the system will use SHA-512 as the hashing 

algorithm: 

UNCLASSIFIED

UNCLASSIFIED 

ENCRYPT_METHOD SHA512 

CCI: CCI-000803 

NIST SP 800-53A :: IA-7.1 

NIST SP 800-53 :: IA-7 



password hashes (libuser.conf). 


ID: V-38577 


Discussion: 





Inspect "/etc/libuser.conf" and ensure the following 

line appears in the "[default]" section: 

crypt_style = sha512 


Fix Text: 

In "/etc/libuser.conf", add or correct the following line 

in its "[defaults]" section to ensure the system will use 

the SHA-512 algorithm for password hashing: 

crypt_style = sha512 

CCI: CCI-000803 

NIST SP 800-53A :: IA-7.1 

NIST SP 800-53 :: IA-7 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The system boot loader configuration 

file(s) must be owned by root. 


ID: V-38579 


Discussion: 

Only root should be able to modify important boot 

parameters. 



To check the ownership of "/etc/grub.conf", run the 

command: 

$ ls -lL /etc/grub.conf 




Fix Text: 

The file "/etc/grub.conf" should be owned by the "root" 

user to prevent destruction or modification of the file. 

To properly set the owner of "/etc/grub.conf", run the 

command: 

# chown root /etc/grub.conf 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


UNCLASSIFIED

UNCLASSIFIED 

file(s) must be group-owned by root. 


ID: V-38581 


Discussion: 

The "root" group is a highly-privileged group. 

Furthermore, the group-owner of this file should not have 

any access privileges anyway. 



To check the group ownership of "/etc/grub.conf", run the 

command: 





Fix Text: 

The file "/etc/grub.conf" should be group-owned by the 

"root" group to prevent destruction or modification of 

the file. To properly set the group owner of 

"/etc/grub.conf", run the command: 

# chgrp root /etc/grub.conf 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


file(s) must have mode 0600 or less permissive. 


ID: V-38583 

UNCLASSIFIED

UNCLASSIFIED 


Discussion: 

Proper permissions ensure that only the root user can 

modify important boot parameters. 



To check the permissions of "/etc/grub.conf", run the 

command: 



following permissions: "-rw-------" 


Fix Text: 

File permissions for "/etc/grub.conf" should be set to 

600, which is the default. To properly set the permissions 

of "/etc/grub.conf", run the command: 

# chmod 600 /etc/grub.conf 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system boot loader must require 

authentication. 


ID: V-38585 


Discussion: 

Password protection on the boot loader configuration 

UNCLASSIFIED

UNCLASSIFIED 

ensures users with physical access cannot trivially alter 

important bootloader settings. These include which 

kernel to use, and whether to enter single-user mode. 



To verify the boot loader password has been set and 

encrypted, run the following command: 

# grep password /etc/grub.conf 

The output should show the following: 

password --encrypted "$6$[rest-of-the-password-hash]" 


Fix Text: 

The grub boot loader should have password protection 

enabled to protect boot-time settings. To do so, select 

a password and then generate a hash from it by running 


# grub-crypt --sha-512 

When prompted to enter a password, insert the following 

line into "/etc/grub.conf" immediately after the header 

comments. (Use the output from "grub-crypt" as the value 

of [password-hash]): 

password --encrypted [password-hash] 

CCI: CCI-000213 

NIST SP 800-53A :: AC-3.1 

NIST SP 800-53 :: AC-3 

Rule Title: The system must require authentication upon 

UNCLASSIFIED

UNCLASSIFIED 

booting into single-user and maintenance modes. 


ID: V-38586 


Discussion: 

This prevents attackers with physical access from 

trivially bypassing security on the machine and gaining 

root access. Such accesses are further prevented by 

configuring the bootloader password. 



To check if authentication is required for single-user 

mode, run the following command: 

$ grep SINGLE /etc/sysconfig/init 

The output should be the following: 

SINGLE=/sbin/sulogin 

If the output is different, this is a finding. 

Fix Text: 

Single-user mode is intended as a system recovery method, 

providing a single user root access to the system by 

providing a boot option at startup. By default, no 

authentication is performed if single-user mode is 

selected. 

To require entry of the root password even if the system 

is started in single-user mode, add or correct the 

following line in the file "/etc/sysconfig/init": 

SINGLE=/sbin/sulogin 

CCI: CCI-000213 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: AC-3.1 

NIST SP 800-53 :: AC-3 

Rule Title: The system must not permit interactive boot. 


ID: V-38588 


Discussion: 

Using interactive boot, the console user could disable 

auditing, firewalls, or other services, weakening system 

security. 



To check whether interactive boot is disabled, run the 


$ grep PROMPT /etc/sysconfig/init 

If interactive boot is disabled, the output will show: 

PROMPT=no 


Fix Text: 

To disable the ability for users to perform interactive 

startups, edit the file "/etc/sysconfig/init". Add or 

correct the line: 

PROMPT=no 

The "PROMPT" option allows the console user to perform 

an interactive system startup, in which it is possible 

to select the set of services which are started on boot. 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000213 

NIST SP 800-53A :: AC-3.1 

NIST SP 800-53 :: AC-3 

Rule Title: The system must allow locking of the console 

screen in text mode. 


ID: V-38590 


Discussion: 

Installing "screen" ensures a console locking capability 

is available for users who may need to suspend console 

logins. 



Run the following command to determine if the "screen" 


# rpm -q screen 


Fix Text: 

To enable console screen locking when in text mode, 

install the "screen" package: 

# yum install screen 

Instruct users to begin new terminal sessions with the 


$ screen 

UNCLASSIFIED

UNCLASSIFIED 

The console can now be locked with the following key 

combination: 

ctrl+a x 

CCI: CCI-000058 

NIST SP 800-53 :: AC-11 a 

NIST SP 800-53A :: AC-11 

Rule Title: The Department of Defense (DoD) login banner 

must be displayed immediately prior to, or as part of, 

console login prompts. 


ID: V-38593 


Discussion: 

An appropriate warning message reinforces policy 

awareness during the logon process and facilitates 

possible legal action against attackers. 



To check if the system login banner is compliant, run the 


$ cat /etc/issue 

If it does not display the required banner, this is a 

finding. 

Fix Text: 

To configure the system login banner: 

Edit "/etc/issue". Replace the default text with a 

message compliant with the local site policy or a legal 

UNCLASSIFIED

UNCLASSIFIED 

disclaimer. The DoD required text is either: 

"You are accessing a U.S. Government (USG) Information 

System (IS) that is provided for USG-authorized use only. 

By using this IS (which includes any device attached to 

this IS), you consent to the following conditions: 

-The USG routinely intercepts and monitors 

communications on this IS for purposes including, but not 

limited to, penetration testing, COMSEC monitoring, 

network operations and defense, personnel misconduct 

(PM), law enforcement (LE), and counterintelligence (CI) 

investigations. 

-At any time, the USG may inspect and seize data stored 

on this IS. 

-Communications using, or data stored on, this IS are not 

private, are subject to routine monitoring, 

interception, and search, and may be disclosed or used 

for any USG-authorized purpose. 

-This IS includes security measures (e.g., 

authentication and access controls) to protect USG 

interests -- not for your personal benefit or privacy. 

-Notwithstanding the above, using this IS does not 

constitute consent to PM, LE or CI investigative 

searching or monitoring of the content of privileged 

communications, or work product, related to personal 

representation or services by attorneys, 

psychotherapists, or clergy, and their assistants. Such 

communications and work product are private and 

confidential. See User Agreement for details." 

OR: 

"I've read & consent to terms in IS user agreem't." 

CCI: CCI-001384 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (i) 

CCI: CCI-001385 

NIST SP 800-53 :: AC-8 c 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: AC-8.2 (ii) 

CCI: CCI-001386 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (ii) 

CCI: CCI-001387 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (ii) 

CCI: CCI-001388 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (iii) 

Rule Title: The system must implement virtual address 

space randomization. 


ID: V-38596 


Discussion: 

Address space layout randomization (ASLR) makes it more 

difficult for an attacker to predict the location of 

attack code he or she has introduced into a process's 

address space during an attempt at exploitation. 

Additionally, ASLR also makes it more difficult for an 

attacker to know the location of existing code in order 

to repurpose it using return oriented programming (ROP) 

techniques. 



The status of the "kernel.randomize_va_space" kernel 

parameter can be queried by running the following 

command: 

$ sysctl kernel.randomize_va_space 

UNCLASSIFIED

UNCLASSIFIED 

The output of the command should indicate a value of at 

least "1" (preferably "2"). If this value is not the 

default value, investigate how it could have been 

adjusted at runtime, and verify it is not set improperly 

in "/etc/sysctl.conf". 

If the correct value is not returned, this is a finding. 

Fix Text: 

To set the runtime status of the 

"kernel.randomize_va_space" kernel parameter, run the 


# sysctl -w kernel.randomize_va_space=2 

If this is not the system's default value, add the 

following line to "/etc/sysctl.conf": 

kernel.randomize_va_space = 2 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must limit the ability of 

processes to have simultaneous write and execute access 

to memory. 


ID: V-38597 


Discussion: 

ExecShield uses the segmentation feature on all x86 

systems to prevent execution in memory higher than a 

certain address. It writes an address as a limit in the 

code segment descriptor, to control where code can be 

executed, on a per-process basis. When the kernel places 

a process's memory regions such as the stack and heap 

UNCLASSIFIED

UNCLASSIFIED 

higher than this address, the hardware prevents execution 

in that address range. 



The status of the "kernel.exec-shield" kernel parameter 

can be queried by running the following command: 

$ sysctl kernel.exec-shield 

The output of the command should indicate a value of "1". 

If this value is not the default value, investigate how 

it could have been adjusted at runtime, and verify it is 

not set improperly in "/etc/sysctl.conf". 


Fix Text: 

To set the runtime status of the "kernel.exec-shield" 

kernel parameter, run the following command: 

# sysctl -w kernel.exec-shield=1 



kernel.exec-shield = 1 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not send ICMPv4 redirects 

by default. 


ID: V-38600 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Sending ICMP redirects permits the system to instruct 

other systems to update their routing information. The 

ability to send ICMP redirects is only appropriate for 

routers. 



The status of the 

"net.ipv4.conf.default.send_redirects" kernel 


command: 

$ sysctl net.ipv4.conf.default.send_redirects 






Fix Text: 


"net.ipv4.conf.default.send_redirects" kernel 

parameter, run the following command: 

# sysctl -w net.ipv4.conf.default.send_redirects=0 



net.ipv4.conf.default.send_redirects = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not send ICMPv4 redirects 

UNCLASSIFIED

UNCLASSIFIED 

from any interface. 


ID: V-38601 


Discussion: 

Sending ICMP redirects permits the system to instruct 

other systems to update their routing information. The 

ability to send ICMP redirects is only appropriate for 

routers. 



The status of the "net.ipv4.conf.all.send_redirects" 

kernel parameter can be queried by running the following 

command: 

$ sysctl net.ipv4.conf.all.send_redirects 






Fix Text: 


"net.ipv4.conf.all.send_redirects" kernel parameter, 


# sysctl -w net.ipv4.conf.all.send_redirects=0 



net.ipv4.conf.all.send_redirects = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53 :: CM-6 b 

Rule Title: IP forwarding for IPv4 must not be enabled, 

unless the system is a router. 


ID: V-38511 


Discussion: 

IP forwarding permits the kernel to forward packets from 

one network interface to another. The ability to forward 

packets between two networks is only appropriate for 

routers. 



If the system serves as a router, this is not applicable. 

The status of the "net.ipv4.ip_forward" kernel parameter 

can be queried by running the following command: 

$ sysctl net.ipv4.ip_forward 






Fix Text: 

To set the runtime status of the "net.ipv4.ip_forward" 

kernel parameter, run the following command: 

# sysctl -w net.ipv4.ip_forward=0 



UNCLASSIFIED

UNCLASSIFIED 

net.ipv4.ip_forward = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not accept IPv4 

source-routed packets on any interface. 


ID: V-38523 


Discussion: 

Accepting source-routed packets in the IPv4 protocol has 

few legitimate uses. It should be disabled unless it is 

absolutely required. 




"net.ipv4.conf.all.accept_source_route" kernel 


command: 

$ sysctl net.ipv4.conf.all.accept_source_route 






Fix Text: 


"net.ipv4.conf.all.accept_source_route" kernel 


UNCLASSIFIED

UNCLASSIFIED 

# sysctl -w net.ipv4.conf.all.accept_source_route=0 



net.ipv4.conf.all.accept_source_route = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not accept ICMPv4 redirect 

packets on any interface. 


ID: V-38524 


Discussion: 

Accepting ICMP redirects has few legitimate uses. It 

should be disabled unless it is absolutely required. 



The status of the "net.ipv4.conf.all.accept_redirects" 


command: 

$ sysctl net.ipv4.conf.all.accept_redirects 






Fix Text: 

UNCLASSIFIED

UNCLASSIFIED 


"net.ipv4.conf.all.accept_redirects" kernel parameter, 


# sysctl -w net.ipv4.conf.all.accept_redirects=0 



net.ipv4.conf.all.accept_redirects = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not accept ICMPv4 secure 

redirect packets on any interface. 


ID: V-38526 


Discussion: 

Accepting "secure" ICMP redirects (from those gateways 

listed as default gateways) has few legitimate uses. It 




The status of the "net.ipv4.conf.all.secure_redirects" 


command: 

$ sysctl net.ipv4.conf.all.secure_redirects 




UNCLASSIFIED

UNCLASSIFIED 



Fix Text: 


"net.ipv4.conf.all.secure_redirects" kernel parameter, 


# sysctl -w net.ipv4.conf.all.secure_redirects=0 



net.ipv4.conf.all.secure_redirects = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must log Martian packets. 


ID: V-38528 


Discussion: 

The presence of "martian" packets (which have impossible 

addresses) as well as spoofed packets, source-routed 

packets, and redirects could be a sign of nefarious 

network activity. Logging these packets enables this 

activity to be detected. 



The status of the "net.ipv4.conf.all.log_martians" 


command: 

UNCLASSIFIED

UNCLASSIFIED 

$ sysctl net.ipv4.conf.all.log_martians 






Fix Text: 


"net.ipv4.conf.all.log_martians" kernel parameter, run 


# sysctl -w net.ipv4.conf.all.log_martians=1 



net.ipv4.conf.all.log_martians = 1 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not accept IPv4 

source-routed packets by default. 


ID: V-38529 


Discussion: 

Accepting source-routed packets in the IPv4 protocol has 

few legitimate uses. It should be disabled unless it is 

absolutely required. 



UNCLASSIFIED

UNCLASSIFIED 


"net.ipv4.conf.default.accept_source_route" kernel 


command: 

$ sysctl net.ipv4.conf.default.accept_source_route 






Fix Text: 


"net.ipv4.conf.default.accept_source_route" kernel 


# sysctl -w net.ipv4.conf.default.accept_source_route=0 



net.ipv4.conf.default.accept_source_route = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not accept ICMPv4 secure 

redirect packets by default. 


ID: V-38532 


Discussion: 

Accepting "secure" ICMP redirects (from those gateways 

listed as default gateways) has few legitimate uses. It 

UNCLASSIFIED

UNCLASSIFIED 





"net.ipv4.conf.default.secure_redirects" kernel 


command: 

$ sysctl net.ipv4.conf.default.secure_redirects 






Fix Text: 


"net.ipv4.conf.default.secure_redirects" kernel 


# sysctl -w net.ipv4.conf.default.secure_redirects=0 



net.ipv4.conf.default.secure_redirects = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must ignore IPv4 ICMP redirect 

messages. 


ID: V-38533 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

This feature of the IPv4 protocol has few legitimate uses. 

It should be disabled unless it is absolutely required. 




"net.ipv4.conf.default.accept_redirects" kernel 


command: 

$ sysctl net.ipv4.conf.default.accept_redirects 






Fix Text: 




# sysctl -w net.ipv4.conf.default.accept_redirects=0 



net.ipv4.conf.default.accept_redirects = 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must not respond to ICMPv4 sent 

UNCLASSIFIED

UNCLASSIFIED 

to a broadcast address. 


ID: V-38535 


Discussion: 

Ignoring ICMP echo requests (pings) sent to broadcast or 

multicast addresses makes the system slightly more 

difficult to enumerate on the network. 




"net.ipv4.icmp_echo_ignore_broadcasts" kernel 


command: 

$ sysctl net.ipv4.icmp_echo_ignore_broadcasts 






Fix Text: 


"net.ipv4.icmp_echo_ignore_broadcasts" kernel 


# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 



net.ipv4.icmp_echo_ignore_broadcasts = 1 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must ignore ICMPv4 bogus error 

responses. 


ID: V-38537 


Discussion: 

Ignoring bogus ICMP error responses reduces log size, 

although some activity would not be logged. 




"net.ipv4.icmp_ignore_bogus_error_responses" kernel 


command: 

$ sysctl net.ipv4.icmp_ignore_bogus_error_responses 






Fix Text: 


"net.ipv4.icmp_ignore_bogus_error_responses" kernel 


# sysctl -w 

net.ipv4.icmp_ignore_bogus_error_responses=1 



UNCLASSIFIED

UNCLASSIFIED 

net.ipv4.icmp_ignore_bogus_error_responses = 1 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must be configured to use TCP 

syncookies. 


ID: V-38539 


Discussion: 

A TCP SYN flood attack can cause a denial of service by 

filling a system's TCP connection table with connections 

in the SYN_RCVD state. Syncookies can be used to track 

a connection when a subsequent ACK is received, verifying 

the initiator is attempting a valid connection and is not 

a flood source. This feature is activated when a flood 

condition is detected, and enables the system to continue 

servicing valid connection requests. 



The status of the "net.ipv4.tcp_syncookies" kernel 


command: 

$ sysctl net.ipv4.tcp_syncookies 






UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 


"net.ipv4.tcp_syncookies" kernel parameter, run the 


# sysctl -w net.ipv4.tcp_syncookies=1 



net.ipv4.tcp_syncookies = 1 

CCI: CCI-001095 

NIST SP 800-53A :: SC-5 (2).1 

NIST SP 800-53 :: SC-5 (2) 

Rule Title: The system must use a reverse-path filter 

for IPv4 network traffic when possible on all interfaces. 


ID: V-38542 


Discussion: 

Enabling reverse path filtering drops packets with source 

addresses that should not have been able to be received 

on the interface they were received on. It should not be 

used on systems which are routers for complicated 

networks, but is helpful for end hosts and routers serving 

small networks. 



The status of the "net.ipv4.conf.all.rp_filter" kernel 


command: 

$ sysctl net.ipv4.conf.all.rp_filter 

UNCLASSIFIED

UNCLASSIFIED 






Fix Text: 


"net.ipv4.conf.all.rp_filter" kernel parameter, run the 


# sysctl -w net.ipv4.conf.all.rp_filter=1 



net.ipv4.conf.all.rp_filter = 1 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must use a reverse-path filter 

for IPv4 network traffic when possible by default. 


ID: V-38544 


Discussion: 

Enabling reverse path filtering drops packets with source 

addresses that should not have been able to be received 

on the interface they were received on. It should not be 

used on systems which are routers for complicated 

networks, but is helpful for end hosts and routers serving 

small networks. 


UNCLASSIFIED

UNCLASSIFIED 


The status of the "net.ipv4.conf.default.rp_filter" 


command: 

$ sysctl net.ipv4.conf.default.rp_filter 






Fix Text: 


"net.ipv4.conf.default.rp_filter" kernel parameter, run 


# sysctl -w net.ipv4.conf.default.rp_filter=1 



net.ipv4.conf.default.rp_filter = 1 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The IPv6 protocol handler must not be bound 

to the network stack unless needed. 


ID: V-38546 


Discussion: 

Any unnecessary network stacks - including IPv6 - should 

UNCLASSIFIED

UNCLASSIFIED 

be disabled, to reduce the vulnerability to exploitation. 



If the system uses IPv6, this is not applicable. 

If the system is configured to prevent the loading of the 

"ipv6" kernel module, it will contain a line of the form: 

options ipv6 disable=1 

Such lines may be inside any file in "/etc/modprobe.d" 

or the deprecated "/etc/modprobe.conf". This permits 

insertion of the IPv6 kernel module (which other parts 

of the system expect to be present), but otherwise keeps 

it inactive. Run the following command to search for such 

lines in all files in "/etc/modprobe.d" and the 

deprecated "/etc/modprobe.conf": 

$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d 

If the IPv6 kernel module is loaded, this is a finding. 

Fix Text: 

To prevent the IPv6 kernel module ("ipv6") from loading 

the IPv6 networking stack, add the following line to 

"/etc/modprobe.d/disabled.conf" (or another file in 

"/etc/modprobe.d"): 

options ipv6 disable=1 

This permits the IPv6 module to be loaded (and thus 

satisfy other modules that depend on it), while disabling 

support for the IPv6 protocol. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The system must ignore ICMPv6 redirects by 

default. 


ID: V-38548 


Discussion: 

An illicit ICMP redirect message could result in a 

man-in-the-middle attack. 






command: 

$ sysctl net.ipv6.conf.default.accept_redirects 






Fix Text: 




# sysctl -w net.ipv6.conf.default.accept_redirects=0 



net.ipv6.conf.default.accept_redirects = 0 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must employ a local IPv6 

firewall. 


ID: V-38549 


Discussion: 

The "ip6tables" service provides the system's host-based 

firewalling capability for IPv6 and ICMPv6. 



If IPv6 is disabled, this is not applicable. 

Run the following command to determine the current status 

of the "ip6tables" service: 

# service ip6tables status 

If the service is enabled, it should return the following: 

ip6tables is running... 

If the service is not running, this is a finding. 

Fix Text: 

The "ip6tables" service can be enabled with the following 

command: 

# chkconfig ip6tables on 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-001118 

NIST SP 800-53A :: SC-7 (12).1 

NIST SP 800-53 :: SC-7 (12) 

Rule Title: The operating system must connect to 

external networks or information systems only through 

managed IPv6 interfaces consisting of boundary 

protection devices arranged in accordance with an 

organizational security architecture. 


ID: V-38551 


Discussion: 












Fix Text: 


command: 

UNCLASSIFIED

UNCLASSIFIED 


CCI: CCI-001098 

NIST SP 800-53A :: SC-7.1 (iv) 

NIST SP 800-53 :: SC-7 b 

Rule Title: The operating system must prevent public 

IPv6 access into an organizations internal networks, 

except as appropriately mediated by managed interfaces 

employing boundary protection devices. 


ID: V-38553 


Discussion: 












Fix Text: 


command: 

UNCLASSIFIED

UNCLASSIFIED 


CCI: CCI-001100 

NIST SP 800-53A :: SC-7 (2).1 (ii) 

NIST SP 800-53 :: SC-7 (2) 

Rule Title: The system must employ a local IPv4 

firewall. 


ID: V-38555 


Discussion: 

The "iptables" service provides the system's host-based 

firewalling capability for IPv4 and ICMP. 



If the system is a cross-domain system, this is not 

applicable. 


of the "iptables" service: 

# service iptables status 


iptables is running... 


Fix Text: 

The "iptables" service can be enabled with the following 

command: 

UNCLASSIFIED

UNCLASSIFIED 

# chkconfig iptables on 

CCI: CCI-001118 

NIST SP 800-53A :: SC-7 (12).1 

NIST SP 800-53 :: SC-7 (12) 

Rule Title: The operating system must connect to 

external networks or information systems only through 

managed IPv4 interfaces consisting of boundary 

protection devices arranged in accordance with an 

organizational security architecture. 


ID: V-38560 


Discussion: 






applicable. 







UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 


command: 


CCI: CCI-001098 

NIST SP 800-53A :: SC-7.1 (iv) 

NIST SP 800-53 :: SC-7 b 

Rule Title: The operating system must prevent public 

IPv4 access into an organizations internal networks, 

except as appropriately mediated by managed interfaces 

employing boundary protection devices. 


ID: V-38512 


Discussion: 






applicable. 






UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 


command: 


CCI: CCI-001100 

NIST SP 800-53A :: SC-7 (2).1 (ii) 

NIST SP 800-53 :: SC-7 (2) 

Rule Title: The systems local IPv4 firewall must 

implement a deny-all, allow-by-exception policy for 

inbound packets. 


ID: V-38513 


Discussion: 

In "iptables" the default policy is applied only after 

all the applicable rules in the table are examined for 

a match. Setting the default policy to "DROP" implements 

proper design for a firewall, i.e., any packets which are 

not explicitly permitted should not be accepted. 



Inspect the file "/etc/sysconfig/iptables" to determine 

the default policy for the INPUT chain. It should be set 

to DROP. 

# grep ":INPUT" /etc/sysconfig/iptables 

If the default policy for the INPUT chain is not set to 

DROP, this is a finding. 

UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

To set the default policy to DROP (instead of ACCEPT) for 

the built-in INPUT chain which processes incoming 

packets, add or correct the following line in 

"/etc/sysconfig/iptables": 

:INPUT DROP [0:0] 

CCI: CCI-000066 

NIST SP 800-53A :: AC-17.1 (v) 

NIST SP 800-53 :: AC-17 e 

Rule Title: The Datagram Congestion Control Protocol 

(DCCP) must be disabled unless required. 


ID: V-38514 


Discussion: 

Disabling DCCP protects the system against exploitation 

of any flaws in its implementation. 




"dccp" kernel module, it will contain lines inside any 

file in "/etc/modprobe.d" or the 

deprecated"/etc/modprobe.conf". These lines instruct 

the module loading system to run another program (such 

as "/bin/true") upon a module "install" event. Run the 

following command to search for such lines in all files 

in "/etc/modprobe.d" and the deprecated 

"/etc/modprobe.conf": 

$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d 

UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 

The Datagram Congestion Control Protocol (DCCP) is a 

relatively new transport layer protocol, designed to 

support streaming media and telephony. To configure the 

system to prevent the "dccp" kernel module from being 

loaded, add the following line to a file in the directory 

"/etc/modprobe.d": 

install dccp /bin/true 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The Stream Control Transmission Protocol 

(SCTP) must be disabled unless required. 


ID: V-38515 


Discussion: 

Disabling SCTP protects the system against exploitation 





"sctp" kernel module, it will contain lines inside any 








UNCLASSIFIED

UNCLASSIFIED 

$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d 


Fix Text: 

The Stream Control Transmission Protocol (SCTP) is a 

transport layer protocol, designed to support the idea 

of message-oriented communication, with several streams 

of messages within one connection. To configure the 

system to prevent the "sctp" kernel module from being 



install sctp /bin/true 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The Reliable Datagram Sockets (RDS) 

protocol must be disabled unless required. 


ID: V-38516 


Discussion: 

Disabling RDS protects the system against exploitation 





"rds" kernel module, it will contain lines inside any file 

in "/etc/modprobe.d" or the 


UNCLASSIFIED

UNCLASSIFIED 






$ grep -r rds /etc/modprobe.conf /etc/modprobe.d 


Fix Text: 

The Reliable Datagram Sockets (RDS) protocol is a 

transport layer protocol designed to provide reliable 

high- bandwidth, low-latency communications between 

nodes in a cluster. To configure the system to prevent 

the "rds" kernel module from being loaded, add the 

following line to a file in the directory 


install rds /bin/true 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The Transparent Inter-Process 

Communication (TIPC) protocol must be disabled unless 

required. 


ID: V-38517 


Discussion: 

Disabling TIPC protects the system against exploitation 



UNCLASSIFIED

UNCLASSIFIED 



"tipc" kernel module, it will contain lines inside any 








$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d 


Fix Text: 

The Transparent Inter-Process Communication (TIPC) 

protocol is designed to provide communications between 

nodes in a cluster. To configure the system to prevent 

the "tipc" kernel module from being loaded, add the 

following line to a file in the directory 


install tipc /bin/true 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: All rsyslog-generated log files must be 

owned by root. 


ID: V-38518 


Discussion: 

UNCLASSIFIED

UNCLASSIFIED 

The log files generated by rsyslog contain valuable 

information regarding system configuration, user 

authentication, and other such information. Log files 

should be protected from unauthorized access. 



The owner of all log files written by "rsyslog" should 

be root. These log files are determined by the second part 

of each Rule line in "/etc/rsyslog.conf" and typically 

all appear in "/var/log". For each log file [LOGFILE] 

referenced in "/etc/rsyslog.conf", run the following 

command to inspect the file's owner: 

$ ls -l [LOGFILE] 

If the owner is not root, this is a finding. 

Fix Text: 

The owner of all log files written by "rsyslog" should 

be root. These log files are determined by the second part 

of each Rule line in "/etc/rsyslog.conf" typically all 

appear in "/var/log". For each log file [LOGFILE] 

referenced in "/etc/rsyslog.conf", run the following 

command to inspect the file's owner: 


If the owner is not "root", run the following command to 

correct this: 

# chown root [LOGFILE] 

CCI: CCI-001314 

NIST SP 800-53 :: SI-11 c 

NIST SP 800-53A :: SI-11.1 (iv) 

Rule Title: All rsyslog-generated log files must be 

UNCLASSIFIED

UNCLASSIFIED 

group-owned by root. 


ID: V-38519 


Discussion: 

The log files generated by rsyslog contain valuable 

information regarding system configuration, user 

authentication, and other such information. Log files 

should be protected from unauthorized access. 



The group-owner of all log files written by "rsyslog" 

should be root. These log files are determined by the 

second part of each Rule line in "/etc/rsyslog.conf" and 

typically all appear in "/var/log". For each log file 

[LOGFILE] referenced in "/etc/rsyslog.conf", run the 

following command to inspect the file's group owner: 


If the group-owner is not root, this is a finding. 

Fix Text: 

The group-owner of all log files written by "rsyslog" 

should be root. These log files are determined by the 

second part of each Rule line in "/etc/rsyslog.conf" and 

typically all appear in "/var/log". For each log file 

[LOGFILE] referenced in "/etc/rsyslog.conf", run the 

following command to inspect the file's group owner: 


If the owner is not "root", run the following command to 

correct this: 

# chgrp root [LOGFILE] 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-001314 

NIST SP 800-53 :: SI-11 c 

NIST SP 800-53A :: SI-11.1 (iv) 

Rule Title: All rsyslog-generated log files must have 

mode 0600 or less permissive. 


ID: V-38623 


Discussion: 

Log files can contain valuable information regarding 

system configuration. If the system log files are not 

protected, unauthorized users could change the logged 

data, eliminating their forensic value. 



The file permissions for all log files written by rsyslog 

should be set to 600, or more restrictive. These log files 

are determined by the second part of each Rule line in 

"/etc/rsyslog.conf" and typically all appear in 

"/var/log". For each log file [LOGFILE] referenced in 

"/etc/rsyslog.conf", run the following command to 

inspect the file's permissions: 


The permissions should be 600, or more restrictive. 

If the permissions are not correct, this is a finding. 

Fix Text: 

The file permissions for all log files written by rsyslog 

should be set to 600, or more restrictive. These log files 

are determined by the second part of each Rule line in 

"/etc/rsyslog.conf" and typically all appear in 

"/var/log". For each log file [LOGFILE] referenced in 

UNCLASSIFIED

UNCLASSIFIED 

"/etc/rsyslog.conf", run the following command to 

inspect the file's permissions: 


If the permissions are not 600 or more restrictive, run 

the following command to correct this: 

# chmod 0600 [LOGFILE] 

CCI: CCI-001314 

NIST SP 800-53 :: SI-11 c 

NIST SP 800-53A :: SI-11.1 (iv) 

Rule Title: The operating system must back up audit 

records on an organization defined frequency onto a 

different system or media than the system being audited. 


ID: V-38520 


Discussion: 

A log server (loghost) receives syslog messages from one 

or more systems. This data can be used as an additional 

log source in the event a system is compromised and its 

local logs are suspect. Forwarding log messages to a 

remote loghost also provides system administrators with 

a centralized place to view the status of multiple hosts 

within the enterprise. 



To ensure logs are sent to a remote host, examine the file 

"/etc/rsyslog.conf". If using UDP, a line similar to the 

following should be present: 

*.* @[loghost.example.com] 

UNCLASSIFIED

UNCLASSIFIED 

If using TCP, a line similar to the following should be 

present: 

*.* @@[loghost.example.com] 

If using RELP, a line similar to the following should be 

present: 

*.* :omrelp:[loghost.example.com] 

If none of these are present, this is a finding. 

Fix Text: 

To configure rsyslog to send logs to a remote log server, 

open "/etc/rsyslog.conf" and read and understand the last 

section of the file, which describes the multiple 

directives necessary to activate remote logging. Along 

with these other directives, the system can be configured 

to forward its logs to a particular log server by adding 

or correcting one of the following lines, substituting 

"[loghost.example.com]" appropriately. The choice of 

protocol depends on the environment of the system; 

although TCP and RELP provide more reliable message 

delivery, they may not be supported in all environments. 

To use UDP for log message delivery: 


To use TCP for log message delivery: 


To use RELP for log message delivery: 


UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-001348 

NIST SP 800-53 :: AU-9 (2) 

NIST SP 800-53A :: AU-9 (2).1 (iii) 

Rule Title: The operating system must support the 

requirement to centrally manage the content of audit 

records generated by organization defined information 

system components. 


ID: V-38521 


Discussion: 

A log server (loghost) receives syslog messages from one 

or more systems. This data can be used as an additional 

log source in the event a system is compromised and its 

local logs are suspect. Forwarding log messages to a 

remote loghost also provides system administrators with 

a centralized place to view the status of multiple hosts 

within the enterprise. 



To ensure logs are sent to a remote host, examine the file 

"/etc/rsyslog.conf". If using UDP, a line similar to the 

following should be present: 


If using TCP, a line similar to the following should be 

present: 


If using RELP, a line similar to the following should be 

present: 

UNCLASSIFIED

UNCLASSIFIED 


If none of these are present, this is a finding. 

Fix Text: 

To configure rsyslog to send logs to a remote log server, 

open "/etc/rsyslog.conf" and read and understand the last 

section of the file, which describes the multiple 

directives necessary to activate remote logging. Along 

with these other directives, the system can be configured 

to forward its logs to a particular log server by adding 

or correcting one of the following lines, substituting 

"[loghost.example.com]" appropriately. The choice of 

protocol depends on the environment of the system; 

although TCP and RELP provide more reliable message 

delivery, they may not be supported in all environments. 

To use UDP for log message delivery: 


To use TCP for log message delivery: 


To use RELP for log message delivery: 


CCI: CCI-000169 

NIST SP 800-53A :: AU-12.1 (ii) 

NIST SP 800-53 :: AU-12 a 

Rule Title: System logs must be rotated daily. 


ID: V-38624 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Log files that are not properly rotated run the risk of 

growing so large that they fill up the /var/log partition. 

Valuable logging information could be lost if the 

/var/log partition becomes full. 



Run the following commands to determine the current 

status of the "logrotate" service: 

# grep logrotate /var/log/cron* 

If the logrotate service is not run on a daily basis by 

cron, this is a finding. 

Fix Text: 

The "logrotate" service should be installed or 

reinstalled if it is not installed and operating 

properly, by running the following command: 

# yum reinstall logrotate 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The operating system must produce audit 

records containing sufficient information to establish 

the identity of any user/subject associated with the 

event. 


ID: V-38628 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Ensuring the "auditd" service is active ensures audit 

records generated by the kernel can be written to disk, 

or that appropriate actions will be taken if other 

obstacles exist. 




of the "auditd" service: 

# service auditd status 


auditd is running... 


Fix Text: 

The "auditd" service is an essential userspace component 

of the Linux Auditing System, as it is responsible for 

writing audit records to disk. The "auditd" service can 

be enabled with the following command: 

# chkconfig auditd on 

CCI: CCI-001487 

NIST SP 800-53 :: AU-3 

NIST SP 800-53A :: AU-3.1 

Rule Title: The operating system must employ automated 

mechanisms to facilitate the monitoring and control of 

remote access methods. 


ID: V-38631 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 













Fix Text: 






CCI: CCI-000067 

NIST SP 800-53A :: AC-17 (1).1 

NIST SP 800-53 :: AC-17 (1) 

Rule Title: The operating system must produce audit 

records containing sufficient information to establish 

what type of events occurred. 


UNCLASSIFIED

UNCLASSIFIED 

ID: V-38632 


Discussion: 













Fix Text: 






CCI: CCI-000130 

NIST SP 800-53A :: AU-3.1 

NIST SP 800-53 :: AU-3 

Rule Title: The system must retain enough rotated audit 

logs to cover the required log retention period. 

UNCLASSIFIED

UNCLASSIFIED 


ID: V-38636 


Discussion: 

The total storage for audit log files must be large enough 

to retain log information over the period required. This 

is a function of the maximum log file size and the number 

of logs retained. 




following line to determine how many logs the system is 

configured to retain after rotation: "# grep num_logs 

/etc/audit/auditd.conf" 

num_logs = 5 

If the overall system log file(s) retention hasn't been 

properly set up, this is a finding. 

Fix Text: 

Determine how many log files "auditd" should retain when 

it rotates logs. Edit the file "/etc/audit/auditd.conf". 

Add or modify the following line, substituting [NUMLOGS] 

with the correct value: 

num_logs = [NUMLOGS] 

Set the value to 5 for general-purpose systems. Note that 

values less than 2 result in no log rotation. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The system must set a maximum audit log file 

size. 


ID: V-38633 


Discussion: 

The total storage for audit log files must be large enough 

to retain log information over the period required. This 

is a function of the maximum log file size and the number 

of logs retained. 




following line to determine how much data the system will 

retain in each audit log file: "# grep max_log_file 

/etc/audit/auditd.conf" 

max_log_file = 6 

If the system audit data threshold hasn't been properly 

set up, this is a finding. 

Fix Text: 

Determine the amount of audit data (in megabytes) which 

should be retained in each log file. Edit the file 

"/etc/audit/auditd.conf". Add or modify the following 

line, substituting the correct value for [STOREMB]: 

max_log_file = [STOREMB] 

Set the value to "6" (MB) or higher for general-purpose 

systems. Larger values, of course, support retention of 

even more audit data. 

CCI: CCI-000366 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must rotate audit log files that 

reach the maximum file size. 


ID: V-38634 


Discussion: 

Automatically rotating logs (by setting this to "rotate") 

minimizes the chances of the system unexpectedly running 

out of disk space by being overwhelmed with log data. 

However, for systems that must never discard log data, 

or which use external processes to transfer it and reclaim 

space, "keep_logs" can be employed. 





to rotate logs when they reach their maximum size: "# grep 

max_log_file_action /etc/audit/auditd.conf" 

max_log_file_action "rotate" 

If the system has not been properly set up to rotate audit 

logs, this is a finding. 

Fix Text: 

The default action to take when the logs reach their 

maximum size is to rotate the log files, discarding the 

oldest one. To configure the action taken by "auditd", 

add or correct the line in "/etc/audit/auditd.conf": 

max_log_file_action = [ACTION] 

UNCLASSIFIED

UNCLASSIFIED 



"ignore" 

"syslog" 

"suspend" 

"rotate" 

"keep_logs" 

Set the "[ACTION]" to "rotate" to ensure log rotation 

occurs. This is the default. The setting is 

case-insensitive. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The audit system must be configured to audit 

all attempts to alter system time through adjtimex. 


ID: V-38635 


Discussion: 

Arbitrary changes to the system time can be used to 

obfuscate nefarious activities in log files, as well as 

to confuse network services that are highly dependent 

upon an accurate system time (such as sshd). All changes 

to the system time should be audited. 



To determine if the system is configured to audit calls 

to the "adjtimex" system call, run the following command: 

UNCLASSIFIED

UNCLASSIFIED 

# auditctl -l | grep syscall | grep adjtimex 

If the system is configured to audit this activity, it 

will return a line. 

If the system is not configured to audit time changes, 


Fix Text: 

On a 32-bit system, add the following to 

"/etc/audit/audit.rules": 

# audit_time_rules 

-a always,exit -F arch=b32 -S adjtimex -k 

audit_time_rules 




-a always,exit -F arch=b64 -S adjtimex -k 


The -k option allows for the specification of a key in 

string form that can be used for better reporting 

capability through ausearch and aureport. Multiple 

system calls can be defined on the same line to save space 

if desired, but is not required. See an example of 

multiple combined syscalls: 

-a always,exit -F arch=b64 -S adjtimex -S settimeofday 

-S clock_settime 

-k audit_time_rules 

CCI: CCI-000169 

NIST SP 800-53A :: AU-12.1 (ii) 

NIST SP 800-53 :: AU-12 a 


all attempts to alter system time through settimeofday. 

UNCLASSIFIED

UNCLASSIFIED 


ID: V-38522 


Discussion: 









to the "settimeofday" system call, run the following 

command: 

# auditctl -l | grep syscall | grep settimeofday 





Fix Text: 




-a always,exit -F arch=b32 -S settimeofday -k 





-a always,exit -F arch=b64 -S settimeofday -k 


UNCLASSIFIED

UNCLASSIFIED 










CCI: CCI-000169 

NIST SP 800-53A :: AU-12.1 (ii) 

NIST SP 800-53 :: AU-12 a 


all attempts to alter system time through stime. 


ID: V-38525 


Discussion: 









to the "stime" system call, run the following command: 

# auditctl -l | grep syscall | grep stime 



UNCLASSIFIED

UNCLASSIFIED 



Fix Text: 




-a always,exit -F arch=b32 -S stime -k audit_time_rules 

On a 64-bit system, the "-S time" is not necessary. The 

-k option allows for the specification of a key in string 

form that can be used for better reporting capability 

through ausearch and aureport. Multiple system calls can 

be defined on the same line to save space if desired, but 

is not required. See an example of multiple combined 

syscalls: 




CCI: CCI-000169 

NIST SP 800-53A :: AU-12.1 (ii) 

NIST SP 800-53 :: AU-12 a 


all attempts to alter system time through clock_settime. 


ID: V-38527 


Discussion: 






UNCLASSIFIED

UNCLASSIFIED 




to the "clock_settime" system call, run the following 

command: 

# auditctl -l | grep syscall | grep clock_settime 





Fix Text: 




-a always,exit -F arch=b32 -S clock_settime -k 





-a always,exit -F arch=b64 -S clock_settime -k 











UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000169 

NIST SP 800-53A :: AU-12.1 (ii) 

NIST SP 800-53 :: AU-12 a 


all attempts to alter system time through /etc/localtime. 


ID: V-38530 


Discussion: 








To determine if the system is configured to audit attempts 

to alter time via the /etc/localtime file, run the 


# auditctl -l | grep "watch=/etc/localtime" 





Fix Text: 

Add the following to "/etc/audit/audit.rules": 

-w /etc/localtime -p wa -k audit_time_rules 


UNCLASSIFIED

UNCLASSIFIED 


capability through ausearch and aureport and should 

always be used. 

CCI: CCI-000169 

NIST SP 800-53A :: AU-12.1 (ii) 

NIST SP 800-53 :: AU-12 a 

Rule Title: The operating system must automatically 

audit account creation. 


ID: V-38531 


Discussion: 

In addition to auditing new user and group accounts, these 

watches will alert the system administrator(s) to any 

modifications. Any unexpected users, groups, or 

modifications should be investigated for legitimacy. 



To determine if the system is configured to audit account 

changes, run the following command: 

auditctl -l | egrep 

'(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/et 

c/security/opasswd)' 

If the system is configured to watch for account changes, 

lines should be returned for each file specified (and with 

"perm=wa" for each). 

If the system is not configured to audit account changes, 


Fix Text: 

Add the following to "/etc/audit/audit.rules", in order 

UNCLASSIFIED

UNCLASSIFIED 

to capture events that modify account changes: 

# audit_account_changes 

-w /etc/group -p wa -k audit_account_changes 

-w /etc/passwd -p wa -k audit_account_changes 

-w /etc/gshadow -p wa -k audit_account_changes 

-w /etc/shadow -p wa -k audit_account_changes 

-w /etc/security/opasswd -p wa -k audit_account_changes 

CCI: CCI-000018 

NIST SP 800-53 :: AC-2 (4) 

NIST SP 800-53A :: AC-2 (4).1 (i&ii) 


audit account modification. 


ID: V-38534 


Discussion: 















UNCLASSIFIED

UNCLASSIFIED 



Fix Text: 









CCI: CCI-001403 

NIST SP 800-53A :: AC-2 (4).1 (i&ii) 

NIST SP 800-53 :: AC-2 (4) 


audit account disabling actions. 


ID: V-38536 


Discussion: 











UNCLASSIFIED

UNCLASSIFIED 







Fix Text: 









CCI: CCI-001404 

NIST SP 800-53A :: AC-2 (4).1 (i&ii) 

NIST SP 800-53 :: AC-2 (4) 


audit account termination. 


ID: V-38538 


Discussion: 







UNCLASSIFIED

UNCLASSIFIED 











Fix Text: 









CCI: CCI-001405 

NIST SP 800-53A :: AC-2 (4).1 (i&ii) 

NIST SP 800-53 :: AC-2 (4) 


modifications to the systems network configuration. 


ID: V-38540 


Discussion: 

The network environment should not be modified by 

anything other than administrator action. Any change to 

network parameters should be audited. 

UNCLASSIFIED

UNCLASSIFIED 



To determine if the system is configured to audit changes 

to its network configuration, run the following command: 


'(sethostname|setdomainname|/etc/issue|/etc/issue.net 

|/etc/hosts|/etc/sysconfig/network)' 

If the system is configured to watch for network 

configuration changes, a line should be returned for each 

file specified (and "perm=wa" should be indicated for 

each). 

If the system is not configured to audit changes of the 

network configuration, this is a finding. 

Fix Text: 

Add the following to "/etc/audit/audit.rules", setting 

ARCH to either b32 or b64 as appropriate for your system: 

# audit_network_modifications 

-a exit,always -F arch=ARCH -S sethostname -S 

setdomainname -k audit_network_modifications 

-w /etc/issue -p wa -k audit_network_modifications 

-w /etc/issue.net -p wa -k audit_network_modifications 

-w /etc/hosts -p wa -k audit_network_modifications 

-w /etc/sysconfig/network -p wa -k 

audit_network_modifications 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


modifications to the systems Mandatory Access Control 

(MAC) configuration (SELinux). 


UNCLASSIFIED

UNCLASSIFIED 

ID: V-38541 


Discussion: 

The system's mandatory access policy (SELinux) should not 

be arbitrarily changed by anything other than 

administrator action. All changes to MAC policy should 

be audited. 



To determine if the system is configured to audit changes 

to its SELinux configuration files, run the following 

command: 

# auditctl -l | grep "dir=/etc/selinux" 

If the system is configured to watch for changes to its 

SELinux configuration, a line should be returned 

(including "perm=wa" indicating permissions that are 

watched). 

If the system is not configured to audit attempts to 

change the MAC policy, this is a finding. 

Fix Text: 

Add the following to "/etc/audit/audit.rules": 

-w /etc/selinux/ -p wa -k MAC-policy 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


all discretionary access control permission 

modifications using chmod. 


UNCLASSIFIED

UNCLASSIFIED 

ID: V-38543 


Discussion: 

The changing of file permissions could indicate that a 

user is attempting to gain access to information that 

would otherwise be disallowed. Auditing DAC 

modifications can facilitate the identification of 

patterns of abuse among both authorized and unauthorized 

users. 




to the "chmod" system call, run the following command: 

# auditctl -l | grep syscall | grep chmod 


will return several lines. 

If no lines are returned, this is a finding. 

Fix Text: 

At a minimum, the audit system should collect file 

permission changes for all users and root. Add the 

following to "/etc/audit/audit.rules": 

-a always,exit -F arch=b32 -S chmod -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S chmod -F auid==0 -k perm_mod 

If the system is 64-bit, then also add the following: 

-a always,exit -F arch=b64 -S chmod -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S chmod -F auid==0 -k perm_mod 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using chown. 


ID: V-38545 


Discussion: 






users. 




to the "chown" system call, run the following command: 

# auditctl -l | grep syscall | grep chown 




Fix Text: 




-a always,exit -F arch=b32 -S chown -F auid>=500 -F 

auid!=4294967295 \ 

UNCLASSIFIED

UNCLASSIFIED 

-k perm_mod 

-a always,exit -F arch=b32 -S chown -F auid==0 -k perm_mod 


-a always,exit -F arch=b64 -S chown -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S chown -F auid==0 -k perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using fchmod. 


ID: V-38547 


Discussion: 






users. 




to the "fchmod" system call, run the following command: 

# auditctl -l | grep syscall | grep fchmod 


UNCLASSIFIED

UNCLASSIFIED 



Fix Text: 




-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S fchmod -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S fchmod -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using fchmodat. 


ID: V-38550 


Discussion: 





UNCLASSIFIED

UNCLASSIFIED 


users. 




to the "fchmodat" system call, run the following command: 

# auditctl -l | grep syscall | grep fchmodat 




Fix Text: 




-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S fchmodat -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S fchmodat -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 


UNCLASSIFIED

UNCLASSIFIED 


modifications using fchown. 


ID: V-38552 


Discussion: 






users. 




to the "fchown" system call, run the following command: 

# auditctl -l | grep syscall | grep fchown 




Fix Text: 




-a always,exit -F arch=b32 -S fchown -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S fchown -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S fchown -F auid>=500 -F 

UNCLASSIFIED

UNCLASSIFIED 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S fchown -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using fchownat. 


ID: V-38554 


Discussion: 






users. 




to the "fchownat" system call, run the following command: 

# auditctl -l | grep syscall | grep fchownat 




Fix Text: 


UNCLASSIFIED

UNCLASSIFIED 



-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S fchownat -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S fchownat -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using fremovexattr. 


ID: V-38556 


Discussion: 






users. 


UNCLASSIFIED

UNCLASSIFIED 



to the "fremovexattr" system call, run the following 

command: 

# auditctl -l | grep syscall | grep fremovexattr 




Fix Text: 




-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 

-F auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S fremovexattr -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 

-F auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S fremovexattr -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using fsetxattr. 


ID: V-38557 

UNCLASSIFIED

UNCLASSIFIED 


Discussion: 






users. 




to the "fsetxattr" system call, run the following 

command: 

# auditctl -l | grep syscall | grep fsetxattr 




Fix Text: 




-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S fsetxattr -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S fsetxattr -F auid==0 -k 

UNCLASSIFIED

UNCLASSIFIED 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using lchown. 


ID: V-38558 


Discussion: 






users. 




to the "lchown" system call, run the following command: 

# auditctl -l | grep syscall | grep lchown 




Fix Text: 




UNCLASSIFIED

UNCLASSIFIED 

-a always,exit -F arch=b32 -S lchown -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S lchown -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S lchown -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S lchown -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using lremovexattr. 


ID: V-38559 


Discussion: 






users. 




to the "lremovexattr" system call, run the following 

UNCLASSIFIED

UNCLASSIFIED 

command: 

# auditctl -l | grep syscall | grep lremovexattr 




Fix Text: 




-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 

-F auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S lremovexattr -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 

-F auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S lremovexattr -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using lsetxattr. 


ID: V-38561 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 






users. 




to the "lsetxattr" system call, run the following 

command: 

# auditctl -l | grep syscall | grep lsetxattr 




Fix Text: 




-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S lsetxattr -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S lsetxattr -F auid==0 -k 

perm_mod 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using removexattr. 


ID: V-38563 


Discussion: 






users. 




to the "removexattr" system call, run the following 

command: 

# auditctl -l | grep syscall | grep removexattr 




Fix Text: 




-a always,exit -F arch=b32 -S removexattr -F auid>=500 

UNCLASSIFIED

UNCLASSIFIED 

-F auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S removexattr -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S removexattr -F auid>=500 

-F auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S removexattr -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 



modifications using setxattr. 


ID: V-38565 


Discussion: 






users. 




to the "setxattr" system call, run the following command: 

UNCLASSIFIED

UNCLASSIFIED 

# auditctl -l | grep syscall | grep setxattr 




Fix Text: 




-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b32 -S setxattr -F auid==0 -k 

perm_mod 


-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F 

auid!=4294967295 \ 

-k perm_mod 

-a always,exit -F arch=b64 -S setxattr -F auid==0 -k 

perm_mod 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 


failed attempts to access files and programs. 


ID: V-38566 


Discussion: 

Unsuccessful attempts to access files could be an 

indicator of malicious activity on a system. Auditing 

UNCLASSIFIED

UNCLASSIFIED 

these events could serve as evidence of potential system 

compromise. 



To verify that the audit system collects unauthorized 

file accesses, run the following commands: 

# grep EACCES /etc/audit/audit.rules 

# grep EPERM /etc/audit/audit.rules 

If either command lacks output, this is a finding. 

Fix Text: 

At a minimum, the audit system should collect 

unauthorized file accesses for all users and root. Add 

the following to "/etc/audit/audit.rules", setting ARCH 

to either b32 or b64 as appropriate for your system: 

-a always,exit -F arch=ARCH -S creat -S open -S openat 

-S truncate \ 

-S ftruncate -F exit=-EACCES -F auid>=500 -F 

auid!=4294967295 -k access 


-S truncate \ 

-S ftruncate -F exit=-EPERM -F auid>=500 -F 

auid!=4294967295 -k access 


-S truncate \ 

-S ftruncate -F exit=-EACCES -F auid==0 -k access 


-S truncate \ 

-S ftruncate -F exit=-EPERM -F auid==0 -k access 

CCI: CCI-000172 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 


all use of setuid programs. 


ID: V-38567 


Discussion: 

Privileged programs are subject to 

escalation-of-privilege attacks, which attempt to 

subvert their normal role of providing some necessary but 

limited capability. As such, motivation exists to monitor 

these programs for unusual activity. 



To verify that auditing of privileged command use is 

configured, run the following command to find relevant 

setuid programs: 

# find / -xdev -type f -perm -4000 -o -perm -2000 

2>/dev/null 

Run the following command to verify entries in the audit 

rules for all programs found with the previous command: 

# grep path /etc/audit/audit.rules 

It should be the case that all relevant setuid programs 

have a line in the audit rules. 

If it is not the case, this is a finding. 

Fix Text: 

At a minimum, the audit system should collect the 

execution of privileged commands for all users and root. 

UNCLASSIFIED

UNCLASSIFIED 

To find the relevant setuid programs: 

# find / -xdev -type f -perm -4000 -o -perm -2000 

2>/dev/null 

Then, for each setuid program on the system, add a line 

of the following form to "/etc/audit/audit.rules", where 

[SETUID_PROG_PATH] is the full path to each setuid 

program in the list: 

-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F 

auid>=500 -F auid!=4294967295 -k privileged 

CCI: CCI-000040 

NIST SP 800-53 :: AC-6 (2) 

NIST SP 800-53A :: AC-6 (2).1 (iii) 


successful file system mounts. 


ID: V-38568 


Discussion: 

The unauthorized exportation of data to external media 

could result in an information leak where classified 

information, Privacy Act information, and intellectual 

property could be lost. An audit trail should be created 

each time a filesystem is mounted to help identify and 

guard against information loss. 



To verify that auditing is configured for all media 

exportation events, run the following command: 

# auditctl -l | grep syscall | grep mount 

UNCLASSIFIED

UNCLASSIFIED 

If there is no output, this is a finding. 

Fix Text: 

At a minimum, the audit system should collect media 

exportation events for all users and root. Add the 

following to "/etc/audit/audit.rules", setting ARCH to 

either b32 or b64 as appropriate for your system: 

-a always,exit -F arch=ARCH -S mount -F auid>=500 -F 

auid!=4294967295 -k export 

-a always,exit -F arch=ARCH -S mount -F auid==0 -k export 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 


user deletions of files and programs. 


ID: V-38575 


Discussion: 

Auditing file deletions will create an audit trail for 

files that are removed from the system. The audit trail 

could aid in system troubleshooting, as well as detecting 

malicious processes that attempt to delete log files to 

conceal their presence. 




to the "unlink" system call, run the following command: 

# auditctl -l | grep syscall | grep unlink | grep -v 

UNCLASSIFIED

UNCLASSIFIED 

unlinkat 




to the "unlinkat" system call, run the following command: 

# auditctl -l | grep syscall | grep unlinkat 


will return several lines. To determine if the system is 

configured to audit calls to the "rename" system call, 


# auditctl -l | grep syscall | grep rename | grep -v 

renameat 


will return several lines. To determine if the system is 

configured to audit calls to the "renameat" system call, 


# auditctl -l | grep syscall | grep renameat 




Fix Text: 


deletion events for all users and root. Add the following 

to "/etc/audit/audit.rules", setting ARCH to either b32 

or b64 as appropriate for your system: 

-a always,exit -F arch=ARCH -S unlink -S unlinkat -S 

rename -S renameat \ 

-F auid>=500 -F auid!=4294967295 -k delete 

-a always,exit -F arch=ARCH -S unlink -S unlinkat -S 

rename -S renameat \ 

-F auid==0 -k delete 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 


changes to the /etc/sudoers file. 


ID: V-38578 


Discussion: 

The actions taken by system administrators should be 

audited to keep a record of what was executed on the 

system, as well as, for accountability purposes. 



To verify that auditing is configured for system 

administrator actions, run the following command: 

# auditctl -l | grep "watch=/etc/sudoers" 


Fix Text: 

At a minimum, the audit system should collect 

administrator actions for all users and root. Add the 


-w /etc/sudoers -p wa -k actions 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 

UNCLASSIFIED

UNCLASSIFIED 


the loading and unloading of dynamic kernel modules. 


ID: V-38580 


Discussion: 

The addition/removal of kernel modules can be used to 

alter the behavior of the kernel and potentially 

introduce malicious code into kernel space. It is 

important to have an audit trail of modules that have been 

introduced into the kernel. 




to the "init_module" system call, run the following 

command: 

# auditctl -l | grep syscall | grep init_module 


will return a line. To determine if the system is 

configured to audit calls to the "delete_module" system 

call, run the following command: 

# auditctl -l | grep syscall | grep delete_module 




Fix Text: 

Add the following to "/etc/audit/audit.rules" in order 

to capture kernel module loading and unloading events, 

setting ARCH to either b32 or b64 as appropriate for your 

system: 

UNCLASSIFIED

UNCLASSIFIED 

-w /sbin/insmod -p x -k modules 

-w /sbin/rmmod -p x -k modules 

-w /sbin/modprobe -p x -k modules 

-a always,exit -F arch=[ARCH] -S init_module -S 

delete_module -k modules 

CCI: CCI-000172 

NIST SP 800-53A :: AU-12.1 (iv) 

NIST SP 800-53 :: AU-12 c 

Rule Title: The xinetd service must be disabled if no 

network services utilizing it are enabled. 


ID: V-38582 


Discussion: 

The xinetd service provides a dedicated listener service 

for some programs, which is no longer necessary for 

commonly-used network services. Disabling it ensures 

that these uncommon services are not running, and also 

prevents attacks against xinetd itself. 



If network services are using the xinetd service, this 

is not applicable. 

To check that the "xinetd" service is disabled in system 


# chkconfig "xinetd" --list 

Output should indicate the "xinetd" service has either 

not been installed, or has been disabled at all runlevels, 


UNCLASSIFIED

UNCLASSIFIED 

# chkconfig "xinetd" --list 

"xinetd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "xinetd" is disabled 


# service xinetd status 



xinetd is stopped 


Fix Text: 

The "xinetd" service can be disabled with the following 

command: 

# chkconfig xinetd off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The xinetd service must be uninstalled if 

no network services utilizing it are enabled. 


ID: V-38584 


Discussion: 

Removing the "xinetd" package decreases the risk of the 

xinetd service's accidental (or intentional) activation. 


UNCLASSIFIED

UNCLASSIFIED 


If network services are using the xinetd service, this 

is not applicable. 

Run the following command to determine if the "xinetd" 


# rpm -q xinetd 

If the package is installed, this is a finding. 

Fix Text: 

The "xinetd" package can be uninstalled with the 


# yum erase xinetd 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The telnet-server package must not be 

installed. 


ID: V-38587 


Discussion: 

Removing the "telnet-server" package decreases the risk 

of the unencrypted telnet service's accidental (or 

intentional) activation. 

Mitigation: If the telnet-server package is configured 

to only allow encrypted sessions, such as with Kerberos 

or the use of encrypted network tunnels, the risk of 

exposing sensitive information is mitigated. 

UNCLASSIFIED

UNCLASSIFIED 



Run the following command to determine if the 

"telnet-server" package is installed: 

# rpm -q telnet-server 


Fix Text: 

The "telnet-server" package can be uninstalled with the 


# yum erase telnet-server 

CCI: CCI-000381 

NIST SP 800-53A :: CM-7.1 (ii) 

NIST SP 800-53 :: CM-7 

Rule Title: The telnet daemon must not be running. 


ID: V-38589 


Discussion: 

The telnet protocol uses unencrypted network 

communication, which means that data from the login 

session, including passwords and all other information 

transmitted during the session, can be stolen by 

eavesdroppers on the network. The telnet protocol is also 

subject to man-in-the-middle attacks. 

Mitigation: If an enabled telnet daemon is configured 

to only allow encrypted sessions, such as with Kerberos 

or the use of encrypted network tunnels, the risk of 

UNCLASSIFIED

UNCLASSIFIED 

exposing sensitive information is mitigated. 



To check that the "telnet" service is disabled in system 


# chkconfig "telnet" --list 

Output should indicate the "telnet" service has either 



# chkconfig "telnet" --list 

"telnet" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "telnet" is disabled 


# service telnet status 



telnet is stopped 


Fix Text: 

The "telnet" service can be disabled with the following 

command: 

# chkconfig telnet off 

CCI: CCI-000888 

NIST SP 800-53A :: MA-4 (6).1 

NIST SP 800-53 :: MA-4 (6) 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The rsh-server package must not be 

installed. 


ID: V-38591 


Discussion: 

The "rsh-server" package provides several obsolete and 

insecure network services. Removing it decreases the risk 

of those services' accidental (or intentional) 

activation. 




"rsh-server" package is installed: 

# rpm -q rsh-server 


Fix Text: 

The "rsh-server" package can be uninstalled with the 


# yum erase rsh-server 

CCI: CCI-000381 

NIST SP 800-53A :: CM-7.1 (ii) 

NIST SP 800-53 :: CM-7 

Rule Title: The rshd service must not be running. 


ID: V-38594 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

The rsh service uses unencrypted network communications, 

which means that data from the login session, including 

passwords and all other information transmitted during 

the session, can be stolen by eavesdroppers on the 

network. 



To check that the "rsh" service is disabled in system boot 

configuration, run the following command: 

# chkconfig "rsh" --list 

Output should indicate the "rsh" service has either not 



# chkconfig "rsh" --list 

"rsh" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "rsh" is disabled 


# service rsh status 



rsh is stopped 


Fix Text: 

The "rsh" service, which is available with the 

"rsh-server" package and runs as a service through 

xinetd, should be disabled. The "rsh" service can be 

UNCLASSIFIED

UNCLASSIFIED 

disabled with the following command: 

# chkconfig rsh off 

CCI: CCI-000068 

NIST SP 800-53A :: AC-17 (2).1 

NIST SP 800-53 :: AC-17 (2) 

Rule Title: The rexecd service must not be running. 


ID: V-38598 


Discussion: 

The rexec service uses unencrypted network 

communications, which means that data from the login 



eavesdroppers on the network. 



To check that the "rexec" service is disabled in system 


# chkconfig "rexec" --list 

Output should indicate the "rexec" service has either not 



# chkconfig "rexec" --list 

"rexec" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "rexec" is disabled 


UNCLASSIFIED

UNCLASSIFIED 

# service rexec status 



rexec is stopped 


Fix Text: 

The "rexec" service, which is available with the 


xinetd, should be disabled. The "rexec" service can be 


# chkconfig rexec off 

CCI: CCI-000068 

NIST SP 800-53A :: AC-17 (2).1 

NIST SP 800-53 :: AC-17 (2) 

Rule Title: The rlogind service must not be running. 


ID: V-38602 


Discussion: 

The rlogin service uses unencrypted network 

communications, which means that data from the login 



eavesdroppers on the network. 



To check that the "rlogin" service is disabled in system 

UNCLASSIFIED

UNCLASSIFIED 


# chkconfig "rlogin" --list 

Output should indicate the "rlogin" service has either 



# chkconfig "rlogin" --list 

"rlogin" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "rlogin" is disabled 


# service rlogin status 



rlogin is stopped 


Fix Text: 

The "rlogin" service, which is available with the 


xinetd, should be disabled. The "rlogin" service can be 


# chkconfig rlogin off 

CCI: CCI-001436 

NIST SP 800-53A :: AC-17 (8).1 (ii) 

NIST SP 800-53 :: AC-17 (8) 

Rule Title: The ypserv package must not be installed. 


ID: V-38603 

UNCLASSIFIED

UNCLASSIFIED 


Discussion: 

Removing the "ypserv" package decreases the risk of the 

accidental (or intentional) activation of NIS or NIS+ 

services. 



Run the following command to determine if the "ypserv" 


# rpm -q ypserv 


Fix Text: 

The "ypserv" package can be uninstalled with the 


# yum erase ypserv 

CCI: CCI-000381 

NIST SP 800-53A :: CM-7.1 (ii) 

NIST SP 800-53 :: CM-7 

Rule Title: The ypbind service must not be running. 


ID: V-38604 


Discussion: 

Disabling the "ypbind" service ensures the system is not 

acting as a client in a NIS or NIS+ domain. 

UNCLASSIFIED

UNCLASSIFIED 



To check that the "ypbind" service is disabled in system 


# chkconfig "ypbind" --list 

Output should indicate the "ypbind" service has either 



# chkconfig "ypbind" --list 

"ypbind" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "ypbind" is disabled 


# service ypbind status 



ypbind is stopped 


Fix Text: 

The "ypbind" service, which allows the system to act as 

a client in a NIS or NIS+ domain, should be disabled. The 

"ypbind" service can be disabled with the following 

command: 

# chkconfig ypbind off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The tftp-server package must not be 

installed. 


ID: V-38606 


Discussion: 

Removing the "tftp-server" package decreases the risk of 

the accidental (or intentional) activation of tftp 

services. 




"tftp-server" package is installed: 

# rpm -q tftp-server 


Fix Text: 

The "tftp-server" package can be removed with the 


# yum erase tftp-server 

CCI: CCI-000381 

NIST SP 800-53A :: CM-7.1 (ii) 

NIST SP 800-53 :: CM-7 

Rule Title: The TFTP service must not be running. 


ID: V-38609 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Disabling the "tftp" service ensures the system is not 

acting as a tftp server, which does not provide encryption 

or authentication. 



To check that the "tftp" service is disabled in system 


# chkconfig "tftp" --list 

Output should indicate the "tftp" service has either not 



# chkconfig "tftp" --list 

"tftp" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "tftp" is disabled 


# service tftp status 



tftp is stopped 


Fix Text: 

The "tftp" service should be disabled. The "tftp" service 

can be disabled with the following command: 

# chkconfig tftp off 

CCI: CCI-001436 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: AC-17 (8).1 (ii) 

NIST SP 800-53 :: AC-17 (8) 

Rule Title: The cron service must be running. 


ID: V-38605 


Discussion: 

Due to its usage for maintenance and security-supporting 

tasks, enabling the cron daemon is essential. 




of the "crond" service: 

# service crond status 


crond is running... 


Fix Text: 

The "crond" service is used to execute commands at 

preconfigured times. It is required by almost all systems 

to perform necessary maintenance tasks, such as notifying 

root of system activity. The "crond" service can be 

enabled with the following command: 

# chkconfig crond on 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53 :: CM-6 b 

Rule Title: The SSH daemon must be configured to use only 

the SSHv2 protocol. 


ID: V-38607 


Discussion: 

SSH protocol version 1 suffers from design flaws that 

result in security vulnerabilities and should not be 

used. 



To check which SSH protocol version is allowed, run the 


# grep Protocol /etc/ssh/sshd_config 

If configured properly, output should be 

Protocol 2 

If it is not, this is a finding. 

Fix Text: 

Only SSH protocol version 2 connections should be 

permitted. The default setting in "/etc/ssh/sshd_config" 

is correct, and can be verified by ensuring that the 

following line appears: 

Protocol 2 

CCI: CCI-000774 

NIST SP 800-53A :: IA-2 (8).1 (ii) 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53 :: IA-2 (8) 

Rule Title: The SSH daemon must set a timeout interval 

on idle sessions. 


ID: V-38608 


Discussion: 

Causing idle users to be automatically logged out guards 

against compromises one system leading trivially to 

compromises on another. 



Run the following command to see what the timeout interval 

is: 

# grep ClientAliveInterval /etc/ssh/sshd_config 

If properly configured, the output should be: 

ClientAliveInterval 900 


Fix Text: 

SSH allows administrators to set an idle timeout 

interval. After this interval has passed, the idle user 

will be automatically logged out. 

To set an idle timeout interval, edit the following line 

in "/etc/ssh/sshd_config" as follows: 

ClientAliveInterval [interval] 

UNCLASSIFIED

UNCLASSIFIED 

The timeout [interval] is given in seconds. To have a 

timeout of 15 minutes, set [interval] to 900. 

If a shorter timeout has already been set for the login 

shell, that value will preempt any SSH setting made here. 

Keep in mind that some processes may stop SSH from 

correctly detecting that the user is idle. 

CCI: CCI-001133 

NIST SP 800-53A :: SC-10.1 (ii) 

NIST SP 800-53 :: SC-10 

Rule Title: The SSH daemon must set a timeout count on 

idle sessions. 


ID: V-38610 


Discussion: 

This ensures a user login will be terminated as soon as 

the "ClientAliveCountMax" is reached. 



To ensure the SSH idle timeout will occur when the 

"ClientAliveCountMax" is set, run the following command: 

# grep ClientAliveCountMax /etc/ssh/sshd_config 

If properly configured, output should be: 

ClientAliveCountMax 0 


Fix Text: 

UNCLASSIFIED

UNCLASSIFIED 

To ensure the SSH idle timeout occurs precisely when the 

"ClientAliveCountMax" is set, edit 

"/etc/ssh/sshd_config" as follows: 

ClientAliveCountMax 0 

CCI: CCI-000879 

NIST SP 800-53A :: MA-4.1 (vi) 

NIST SP 800-53 :: MA-4 e 

Rule Title: The SSH daemon must ignore .rhosts files. 


ID: V-38611 


Discussion: 

SSH trust relationships mean a compromise on one host can 

allow an attacker to move trivially to other hosts. 



To determine how the SSH daemon's "IgnoreRhosts" option 

is set, run the following command: 

# grep -i IgnoreRhosts /etc/ssh/sshd_config 

If no line, a commented line, or a line indicating the 

value "yes" is returned, then the required value is set. 

If the required value is not set, this is a finding. 

Fix Text: 

SSH can emulate the behavior of the obsolete rsh command 

in allowing users to enable insecure access to their 

accounts via ".rhosts" files. 

To ensure this behavior is disabled, add or correct the 

following line in "/etc/ssh/sshd_config": 

UNCLASSIFIED

UNCLASSIFIED 

IgnoreRhosts yes 

CCI: CCI-000766 

NIST SP 800-53A :: IA-2 (2).1 

NIST SP 800-53 :: IA-2 (2) 

Rule Title: The SSH daemon must not allow host-based 

authentication. 


ID: V-38612 


Discussion: 

SSH trust relationships mean a compromise on one host can 

allow an attacker to move trivially to other hosts. 



To determine how the SSH daemon's 

"HostbasedAuthentication" option is set, run the 


# grep -i HostbasedAuthentication /etc/ssh/sshd_config 


value "no" is returned, then the required value is set. 


Fix Text: 

SSH's cryptographic host-based authentication is more 

secure than ".rhosts" authentication, since hosts are 

cryptographically authenticated. However, it is not 

recommended that hosts unilaterally trust one another, 

even within an organization. 

To disable host-based authentication, add or correct the 

UNCLASSIFIED

UNCLASSIFIED 

following line in "/etc/ssh/sshd_config": 

HostbasedAuthentication no 

CCI: CCI-000766 

NIST SP 800-53A :: IA-2 (2).1 

NIST SP 800-53 :: IA-2 (2) 

Rule Title: The system must not permit root logins using 

remote access programs such as ssh. 


ID: V-38613 


Discussion: 

Permitting direct root login reduces auditable 

information about who ran privileged commands on the 

system and also allows direct attack attempts on root's 

password. 



To determine how the SSH daemon's "PermitRootLogin" 

option is set, run the following command: 

# grep -i PermitRootLogin /etc/ssh/sshd_config 

If a line indicating "no" is returned, then the required 

value is set. 


Fix Text: 

The root user should never be allowed to log in to a system 

directly over a network. To disable root login via SSH, 

add or correct the following line in 

"/etc/ssh/sshd_config": 

UNCLASSIFIED

UNCLASSIFIED 

PermitRootLogin no 

CCI: CCI-000770 

NIST SP 800-53A :: IA-2 (5).2 (ii) 

NIST SP 800-53 :: IA-2 (5) (b) 

Rule Title: The SSH daemon must not allow authentication 

using an empty password. 


ID: V-38614 


Discussion: 

Configuring this setting for the SSH daemon provides 

additional assurance that remote login via SSH will 

require a password, even in the event of misconfiguration 

elsewhere. 



To determine how the SSH daemon's "PermitEmptyPasswords" 

option is set, run the following command: 

# grep -i PermitEmptyPasswords /etc/ssh/sshd_config 


value "no" is returned, then the required value is set. 


Fix Text: 

To explicitly disallow remote login from accounts with 

empty passwords, add or correct the following line in 


PermitEmptyPasswords no 

Any accounts with empty passwords should be disabled 

UNCLASSIFIED

UNCLASSIFIED 

immediately, and PAM configuration should prevent users 

from being able to assign themselves empty passwords. 

CCI: CCI-000766 

NIST SP 800-53A :: IA-2 (2).1 

NIST SP 800-53 :: IA-2 (2) 

Rule Title: The SSH daemon must be configured with the 

Department of Defense (DoD) login banner. 


ID: V-38615 


Discussion: 

The warning message reinforces policy awareness during 

the logon process and facilitates possible legal action 

against attackers. Alternatively, systems whose 

ownership should not be obvious should ensure usage of 

a banner that does not provide easy attribution. 



To determine how the SSH daemon's "Banner" option is set, 


# grep -i Banner /etc/ssh/sshd_config 

If a line indicating /etc/issue is returned, then the 

required value is set. 


Fix Text: 

To enable the warning banner and ensure it is consistent 

across the system, add or correct the following line in 


Banner /etc/issue 

UNCLASSIFIED

UNCLASSIFIED 

Another section contains information on how to create an 

appropriate system-wide warning banner. 

CCI: CCI-000048 

NIST SP 800-53 :: AC-8 a 

NIST SP 800-53A :: AC-8.1 (ii) 

Rule Title: The SSH daemon must not permit user 

environment settings. 


ID: V-38616 


Discussion: 

SSH environment options potentially allow users to bypass 

access restriction in some configurations. 



To ensure users are not able to present environment 

daemons, run the following command: 

# grep PermitUserEnvironment /etc/ssh/sshd_config 

If properly configured, output should be: 

PermitUserEnvironment no 


Fix Text: 

To ensure users are not able to present environment 

options to the SSH daemon, add or correct the following 

line in "/etc/ssh/sshd_config": 

UNCLASSIFIED

UNCLASSIFIED 

PermitUserEnvironment no 

CCI: CCI-001414 

NIST SP 800-53A :: AC-4.1 (iii) 

NIST SP 800-53 :: AC-4 

Rule Title: The SSH daemon must be configured to use only 

FIPS 140-2 approved ciphers. 


ID: V-38617 


Discussion: 

Approved algorithms should impart some level of 

confidence in their implementation. These are also 

required for compliance. 



Only FIPS-approved ciphers should be used. To verify that 

only FIPS-approved ciphers are in use, run the following 

command: 

# grep Ciphers /etc/ssh/sshd_config 

The output should contain only those ciphers which are 

FIPS-approved, namely, the AES and 3DES ciphers. 


Fix Text: 

Limit the ciphers to those algorithms which are 

FIPS-approved. Counter (CTR) mode is also preferred over 

cipher-block chaining (CBC) mode. The following line in 

"/etc/ssh/sshd_config" demonstrates use of 

FIPS-approved ciphers: 

Ciphers 

UNCLASSIFIED

UNCLASSIFIED 

aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc, 

aes192-cbc,aes256-cbc 

The man page "sshd_config(5)" contains a list of 

supported ciphers. 

CCI: CCI-001144 

NIST SP 800-53A :: SC-13.1 

NIST SP 800-53 :: SC-13 

Rule Title: The avahi service must be disabled. 


ID: V-38618 


Discussion: 

Because the Avahi daemon service keeps an open network 

port, it is subject to network attacks. Its functionality 

is convenient but is only appropriate if the local network 

can be trusted. 



To check that the "avahi-daemon" service is disabled in 

system boot configuration, run the following command: 

# chkconfig "avahi-daemon" --list 

Output should indicate the "avahi-daemon" service has 

either not been installed, or has been disabled at all 

runlevels, as shown in the example below: 

# chkconfig "avahi-daemon" --list 

"avahi-daemon" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "avahi-daemon" is 

disabled through current runtime configuration: 

UNCLASSIFIED

UNCLASSIFIED 

# service avahi-daemon status 



avahi-daemon is stopped 


Fix Text: 

The "avahi-daemon" service can be disabled with the 


# chkconfig avahi-daemon off 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system clock must be synchronized 

continuously, or at least daily. 


ID: V-38620 


Discussion: 

Enabling the "ntpd" service ensures that the "ntpd" 

service will be running and that the system will 

synchronize its time to any servers specified. This is 

important whether the system is configured to be a client 

(and synchronize only its own clock) or it is also acting 

as an NTP server to other systems. Synchronizing time is 

essential for authentication services such as Kerberos, 

but it is also important for maintaining accurate logs 

and auditing possible security breaches. 

UNCLASSIFIED

UNCLASSIFIED 




of the "ntpd" service: 

# service ntpd status 


ntpd is running... 


Fix Text: 

The "ntpd" service can be enabled with the following 

command: 

# chkconfig ntpd on 

# service ntpd start 

CCI: CCI-000160 

NIST SP 800-53A :: AU-8 (1).1 (iii) 

NIST SP 800-53 :: AU-8 (1) 

Rule Title: The system clock must be synchronized to an 

authoritative DoD time source. 


ID: V-38621 


Discussion: 

Synchronizing with an NTP server makes it possible to 

collate system logs from multiple sources or correlate 

computer events with real time events. Using a trusted 

NTP server provided by your organization is recommended. 

UNCLASSIFIED

UNCLASSIFIED 



A remote NTP server should be configured for time 

synchronization. To verify one is configured, open the 

following file. 

/etc/ntp.conf 

In the file, there should be a section similar to the 

following: 

# --- OUR TIMESERVERS ----- 

server [ntpserver] 

If this is not the case, this is a finding. 

Fix Text: 

To specify a remote NTP server for time synchronization, 

edit the file "/etc/ntp.conf". Add or correct the 

following lines, substituting the IP or hostname of a 

remote NTP server for ntpserver. 

server [ntpserver] 

This instructs the NTP software to contact that remote 

server to obtain time data. 

CCI: CCI-000160 

NIST SP 800-53A :: AU-8 (1).1 (iii) 

NIST SP 800-53 :: AU-8 (1) 

Rule Title: Mail relaying must be restricted. 


ID: V-38622 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

This ensures "postfix" accepts mail messages (such as 

cron job reports) from the local system only, and not from 

the network, which protects it from network attack. 



Run the following command to ensure postfix accepts mail 

messages from only the local system: 

$ grep inet_interfaces /etc/postfix/main.cf 

If properly configured, the output should show only 

"localhost". 


Fix Text: 

Edit the file "/etc/postfix/main.cf" to ensure that only 

the following "inet_interfaces" line appears: 

inet_interfaces = localhost 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: If the system is using LDAP for 

authentication or account information, the system must 

use a TLS connection using FIPS 140-2 approved 

cryptographic algorithms. 


ID: V-38625 


Discussion: 

The ssl directive specifies whether to use ssl or not. 

If not specified it will default to "no". It should be 

UNCLASSIFIED

UNCLASSIFIED 

set to "start_tls" rather than doing LDAP over SSL. 



If the system does not use LDAP for authentication or 

account information, this is not applicable. 

To ensure LDAP is configured to use TLS for all 

transactions, run the following command: 

$ grep start_tls /etc/pam_ldap.conf 


Fix Text: 

Configure LDAP to enforce TLS use. First, edit the file 

"/etc/pam_ldap.conf", and add or correct the following 

lines: 

ssl start_tls 

Then review the LDAP server and ensure TLS has been 

configured. 

CCI: CCI-001453 

NIST SP 800-53A :: AC-17 (2).1 

NIST SP 800-53 :: AC-17 (2) 

Rule Title: The LDAP client must use a TLS connection 

using trust certificates signed by the site CA. 


ID: V-38626 


Discussion: 

The tls_cacertdir or tls_cacertfile directives are 

UNCLASSIFIED

UNCLASSIFIED 

required when tls_checkpeer is configured (which is the 

default for openldap versions 2.1 and up). These 

directives define the path to the trust certificates 

signed by the site CA. 



If the system does not use LDAP for authentication or 

account information, this is not applicable. 

To ensure TLS is configured with trust certificates, run 


# grep cert /etc/pam_ldap.conf 

If there is no output, or the lines are commented out, 


Fix Text: 

Ensure a copy of the site's CA certificate has been placed 

in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP 

to enforce TLS use and to trust certificates signed by 

the site's CA. First, edit the file "/etc/pam_ldap.conf", 

and add or correct either of the following lines: 

tls_cacertdir /etc/pki/tls/CA 

or 

tls_cacertfile /etc/pki/tls/CA/cacert.pem 

Then review the LDAP server and ensure TLS has been 

configured. 

CCI: CCI-000776 

NIST SP 800-53A :: IA-2 (9).1 (ii) 

NIST SP 800-53 :: IA-2 (9) 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The openldap-servers package must not be 

installed unless required. 


ID: V-38627 


Discussion: 

Unnecessary packages should not be installed to decrease 

the attack surface of the system. 



To verify the "openldap-servers" package is not 

installed, run the following command: 

$ rpm -q openldap-servers 

The output should show the following. 

package openldap-servers is not installed 


Fix Text: 

The "openldap-servers" package should be removed if not 

in use. Is this machine the OpenLDAP server? If not, 

remove the package. 

# yum erase openldap-servers 

The openldap-servers RPM is not installed by default on 

RHEL6 machines. It is needed only by the OpenLDAP server, 

not by the clients which use LDAP for authentication. If 

the system is not intended for use as an LDAP Server it 

should be removed. 

CCI: CCI-000366 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The graphical desktop environment must set 

the idle timeout to no more than 15 minutes. 


ID: V-38629 


Discussion: 

Setting the idle delay controls when the screensaver will 

start, and can be combined with screen locking to prevent 

access from passersby. 



To check the current idle time-out value, run the 


$ gconftool-2 -g /apps/gnome-screensaver/idle_delay 

If properly configured, the output should be "15". 


Fix Text: 

Run the following command to set the idle time-out value 

for inactivity in the GNOME desktop to 15 minutes: 

# gconftool-2 \ 

--direct \ 

--config-source 

xml:readwrite:/etc/gconf/gconf.xml.mandatory \ 

--type int \ 

--set /apps/gnome-screensaver/idle_delay 15 

CCI: CCI-000057 

NIST SP 800-53 :: AC-11 a 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: AC-11.1 (ii) 

Rule Title: The graphical desktop environment must 

automatically lock after 15 minutes of inactivity and the 

system must require user to re-authenticate to unlock the 

environment. 


ID: V-38630 


Discussion: 

Enabling idle activation of the screen saver ensures the 

screensaver will be activated after the idle delay. 

Applications requiring continuous, real-time screen 

display (such as network management products) require the 

login session does not have administrator rights and the 

display station is located in a controlled-access area. 



To check the screensaver mandatory use status, run the 


$ gconftool-2 -g 

/apps/gnome-screensaver/idle_activation_enabled 

If properly configured, the output should be "true". 


Fix Text: 

Run the following command to activate the screensaver in 

the GNOME desktop after a period of inactivity: 

# gconftool-2 --direct \ 



--type bool \ 

UNCLASSIFIED

UNCLASSIFIED 

--set /apps/gnome-screensaver/idle_activation_enabled 

true 

CCI: CCI-000057 

NIST SP 800-53 :: AC-11 a 

NIST SP 800-53A :: AC-11.1 (ii) 

Rule Title: The graphical desktop environment must have 

automatic lock enabled. 


ID: V-38638 


Discussion: 

Enabling the activation of the screen lock after an idle 

period ensures password entry will be required in order 

to access the system, preventing access by passersby. 



To check the status of the idle screen lock activation, 


$ gconftool-2 -g /apps/gnome-screensaver/lock_enabled 

If properly configured, the output should be "true". 


Fix Text: 

Run the following command to activate locking of the 

screensaver in the GNOME desktop when it is activated: 

# gconftool-2 --direct \ 



--type bool \ 

--set /apps/gnome-screensaver/lock_enabled true 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000057 

NIST SP 800-53 :: AC-11 a 

NIST SP 800-53A :: AC-11.1 (ii) 

Rule Title: The system must display a publicly-viewable 

pattern during a graphical desktop environment session 

lock. 


ID: V-38639 


Discussion: 

Setting the screensaver mode to blank-only conceals the 

contents of the display from passersby. 



To ensure the screensaver is configured to be blank, run 


$ gconftool-2 -g /apps/gnome-screensaver/mode 

If properly configured, the output should be "blank-only" 


Fix Text: 

Run the following command to set the screensaver mode in 

the GNOME desktop to a blank screen: 

# gconftool-2 

--direct \ 



--type string \ 

--set /apps/gnome-screensaver/mode blank-only 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000060 

NIST SP 800-53 :: AC-11 (1) 

NIST SP 800-53A :: AC-11 (1).1 

Rule Title: The Automatic Bug Reporting Tool (abrtd) 

service must not be running. 


ID: V-38640 


Discussion: 

Mishandling crash data could expose sensitive 

information about vulnerabilities in software executing 

on the local machine, as well as sensitive information 

from within a process's address space or registers. 



To check that the "abrtd" service is disabled in system 


# chkconfig "abrtd" --list 

Output should indicate the "abrtd" service has either not 



# chkconfig "abrtd" --list 

"abrtd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "abrtd" is disabled 


# service abrtd status 



UNCLASSIFIED

UNCLASSIFIED 

abrtd is stopped 


Fix Text: 

The Automatic Bug Reporting Tool ("abrtd") daemon 

collects and reports crash data when an application crash 

is detected. Using a variety of plugins, abrtd can email 

crash reports to system administrators, log crash reports 

to files, or forward crash reports to a centralized issue 

tracking system such as RHTSupport. The "abrtd" service 

can be disabled with the following command: 

# chkconfig abrtd off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The atd service must be disabled. 


ID: V-38641 


Discussion: 

The "atd" service could be used by an unsophisticated 

insider to carry out activities outside of a normal login 

session, which could complicate accountability. 

Furthermore, the need to schedule tasks with "at" or 

"batch" is not common. 



If the system uses the "atd" service, this is not 

applicable. 

UNCLASSIFIED

UNCLASSIFIED 

To check that the "atd" service is disabled in system boot 

configuration, run the following command: 

# chkconfig "atd" --list 

Output should indicate the "atd" service has either not 



# chkconfig "atd" --list 

"atd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "atd" is disabled 


# service atd status 



atd is stopped 


Fix Text: 

The "at" and "batch" commands can be used to schedule 

tasks that are meant to be executed only once. This allows 

delayed execution in a manner similar to cron, except that 

it is not recurring. The daemon "atd" keeps track of tasks 

scheduled via "at" and "batch", and executes them at the 

specified time. The "atd" service can be disabled with 


# chkconfig atd off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The ntpdate service must not be running. 


ID: V-38644 


Discussion: 

The "ntpdate" service may only be suitable for systems 

which are rebooted frequently enough that clock drift 

does not cause problems between reboots. In any event, 

the functionality of the ntpdate service is now available 

in the ntpd program and should be considered deprecated. 



To check that the "ntpdate" service is disabled in system 


# chkconfig "ntpdate" --list 

Output should indicate the "ntpdate" service has either 



# chkconfig "ntpdate" --list 

"ntpdate" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "ntpdate" is disabled 


# service ntpdate status 



ntpdate is stopped 

UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 

The ntpdate service sets the local hardware clock by 

polling NTP servers when the system boots. It 

synchronizes to the NTP servers listed in 

"/etc/ntp/step-tickers" or "/etc/ntp.conf" and then sets 

the local hardware clock to the newly synchronized system 

time. The "ntpdate" service can be disabled with the 


# chkconfig ntpdate off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The oddjobd service must not be running. 


ID: V-38646 


Discussion: 

The "oddjobd" service may provide necessary 

functionality in some environments but it can be disabled 

if it is not needed. Execution of tasks by privileged 

programs, on behalf of unprivileged ones, has 

traditionally been a source of privilege escalation 

security issues. 



To check that the "oddjobd" service is disabled in system 


# chkconfig "oddjobd" --list 

UNCLASSIFIED

UNCLASSIFIED 

Output should indicate the "oddjobd" service has either 



# chkconfig "oddjobd" --list 

"oddjobd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "oddjobd" is disabled 


# service oddjobd status 



oddjobd is stopped 


Fix Text: 

The "oddjobd" service exists to provide an interface and 

access control mechanism through which specified 

privileged tasks can run tasks for unprivileged client 

applications. Communication with "oddjobd" is through 

the system message bus. The "oddjobd" service can be 


# chkconfig oddjobd off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The qpidd service must not be running. 


ID: V-38648 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

The qpidd service is automatically installed when the 

"base" package selection is selected during 

installation. The qpidd service listens for network 

connections which increases the attack surface of the 

system. If the system is not intended to receive AMQP 

traffic then the "qpidd" service is not needed and should 

be disabled or removed. 



To check that the "qpidd" service is disabled in system 


# chkconfig "qpidd" --list 

Output should indicate the "qpidd" service has either not 



# chkconfig "qpidd" --list 

"qpidd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "qpidd" is disabled 


# service qpidd status 



qpidd is stopped 


Fix Text: 

The "qpidd" service provides high speed, secure, 

UNCLASSIFIED

UNCLASSIFIED 

guaranteed delivery services. It is an implementation of 

the Advanced Message Queuing Protocol. By default the 

qpidd service will bind to port 5672 and listen for 

connection attempts. The "qpidd" service can be disabled 


# chkconfig qpidd off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: The rdisc service must not be running. 


ID: V-38650 


Discussion: 

General-purpose systems typically have their network and 

routing information configured statically by a system 

administrator. Workstations or some special-purpose 

systems often use DHCP (instead of IRDP) to retrieve 

dynamic network configuration information. 



To check that the "rdisc" service is disabled in system 


# chkconfig "rdisc" --list 

Output should indicate the "rdisc" service has either not 



# chkconfig "rdisc" --list 

"rdisc" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

UNCLASSIFIED

UNCLASSIFIED 

Run the following command to verify "rdisc" is disabled 


# service rdisc status 



rdisc is stopped 


Fix Text: 

The "rdisc" service implements the client side of the ICMP 

Internet Router Discovery Protocol (IRDP), which allows 

discovery of routers on the local subnet. If a router is 

discovered then the local routing table is updated with 

a corresponding default route. By default this daemon is 

disabled. The "rdisc" service can be disabled with the 


# chkconfig rdisc off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: Remote file systems must be mounted with the 

nodev option. 


ID: V-38652 


Discussion: 

Legitimate device files should only exist in the /dev 

directory. NFS mounts should not present device files to 

UNCLASSIFIED

UNCLASSIFIED 

users. 



To verify the "nodev" option is configured for all NFS 

mounts, run the following command: 

$ mount | grep nfs 

All NFS mounts should show the "nodev" setting in 

parentheses. 

If the setting does not show, this is a finding. 

Fix Text: 

Add the "nodev" option to the fourth column of 

"/etc/fstab" for the line which controls mounting of any 

NFS mounts. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: Remote file systems must be mounted with the 

nosuid option. 


ID: V-38654 


Discussion: 

NFS mounts should not present suid binaries to users. Only 

vendor-supplied suid executables should be installed to 

their default location on the local filesystem. 



To verify the "nosuid" option is configured for all NFS 

UNCLASSIFIED

UNCLASSIFIED 

mounts, run the following command: 

$ mount | grep nfs 

All NFS mounts should show the "nosuid" setting in 

parentheses. 

If the setting does not show, this is a finding. 

Fix Text: 

Add the "nosuid" option to the fourth column of 

"/etc/fstab" for the line which controls mounting of any 

NFS mounts. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The noexec option must be added to removable 

media partitions. 


ID: V-38655 


Discussion: 

Allowing users to execute binaries from removable media 

such as USB keys exposes the system to potential 

compromise. 



To verify that binaries cannot be directly executed from 

removable media, run the following command: 

# grep noexec /etc/fstab 

The output should show "noexec" in use. 


UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

The "noexec" mount option prevents the direct execution 

of binaries on the mounted filesystem. Users should not 

be allowed to execute binaries that exist on partitions 

mounted from removable media (such as a USB key). The 

"noexec" option prevents code from being executed 

directly from the media itself, and may therefore provide 

a line of defense against certain types of worms or 

malicious code. Add the "noexec" option to the fourth 

column of "/etc/fstab" for the line which controls 

mounting of any removable media partitions. 

CCI: CCI-000087 

NIST SP 800-53A :: AC-19.1 (v) 

NIST SP 800-53 :: AC-19 e 

Rule Title: The system must use SMB client signing for 

connecting to samba servers using smbclient. 


ID: V-38656 


Discussion: 

Packet signing can prevent man-in-the-middle attacks 

which modify SMB packets in transit. 



To verify that Samba clients running smbclient must use 

packet signing, run the following command: 

# grep signing /etc/samba/smb.conf 

The output should show: 

client signing = mandatory 

UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 

To require samba clients running "smbclient" to use 

packet signing, add the following to the "[global]" 

section of the Samba configuration file in 

"/etc/samba/smb.conf": 

client signing = mandatory 

Requiring samba clients such as "smbclient" to use packet 

signing ensures they can only communicate with servers 

that support packet signing. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must use SMB client signing for 

connecting to samba servers using mount.cifs. 


ID: V-38657 


Discussion: 

Packet signing can prevent man-in-the-middle attacks 

which modify SMB packets in transit. 



To verify that Samba clients using mount.cifs must use 

packet signing, run the following command: 

# grep sec /etc/fstab 

UNCLASSIFIED

UNCLASSIFIED 

The output should show either "krb5i" or "ntlmv2i" in use. 


Fix Text: 

Require packet signing of clients who mount Samba shares 

using the "mount.cifs" program (e.g., those who specify 

shares in "/etc/fstab"). To do so, ensure signing options 

(either "sec=krb5i" or "sec=ntlmv2i") are used. 

See the "mount.cifs(8)" man page for more information. 

A Samba client should only communicate with servers who 

can support SMB packet signing. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must prohibit the reuse of 

passwords within twenty-four iterations. 


ID: V-38658 


Discussion: 

Preventing reuse of previous passwords helps ensure that 

a compromised password is not reused by a user. 



To verify the password reuse setting is compliant, run 


$ grep remember /etc/pam.d/system-auth 

The output should show the following at the end of the 

line: 

UNCLASSIFIED

UNCLASSIFIED 

remember=24 


Fix Text: 

Do not allow users to reuse recent passwords. This can 

be accomplished by using the "remember" option for the 

"pam_unix" PAM module. In the file 

"/etc/pam.d/system-auth", append "remember=24" to the 

line which refers to the "pam_unix.so" module, as shown: 

password sufficient pam_unix.so [existing_options] 

remember=24 

The DoD requirement is 24 passwords. 

CCI: CCI-000200 

NIST SP 800-53A :: IA-5 (1).1 (v) 

NIST SP 800-53 :: IA-5 (1) (e) 

Rule Title: The operating system must employ 

cryptographic mechanisms to protect information in 

storage. 


ID: V-38659 


Discussion: 

The risk of a system's physical compromise, particularly 

mobile systems such as laptops, places its data at risk 

of compromise. Encrypting this data mitigates the risk 

of its loss if the system is lost. 



Determine if encryption must be used to protect data on 

UNCLASSIFIED

UNCLASSIFIED 

the system. 

If encryption must be used and is not employed, this is 

a finding. 

Fix Text: 

Red Hat Enterprise Linux 6 natively supports partition 

encryption through the Linux Unified Key 

Setup-on-disk-format (LUKS) technology. The easiest way 

to encrypt a partition is during installation time. 

For manual installations, select the "Encrypt" checkbox 

during partition creation to encrypt the partition. When 

this option is selected the system will prompt for a 

passphrase to use in decrypting the partition. The 

passphrase will subsequently need to be entered manually 

every time the system boots. 

For automated/unattended installations, it is possible 

to use Kickstart by adding the "--encrypted" and 

"--passphrase=" options to the definition of each 

partition to be encrypted. For example, the following 

line would encrypt the root partition: 

part / --fstype=ext3 --size=100 --onpart=hda1 

--encrypted --passphrase=[PASSPHRASE] 

Any [PASSPHRASE] is stored in the Kickstart in plaintext, 

and the Kickstart must then be protected accordingly. 

Omitting the "--passphrase=" option from the partition 

definition will cause the installer to pause and 

interactively ask for the passphrase during 

installation. 

Detailed information on encrypting partitions using LUKS 

can be found on the Red Had Documentation web site: 

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise 

_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS 

_Disk_Encryption.html 

CCI: CCI-001019 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: MP-4 (1).1 

NIST SP 800-53 :: MP-4 (1) 

Rule Title: The operating system must protect the 

confidentiality and integrity of data at rest. 


ID: V-38661 


Discussion: 








the system. 


a finding. 

Fix Text: 













UNCLASSIFIED

UNCLASSIFIED 











installation. 






CCI: CCI-001199 

NIST SP 800-53A :: SC-28.1 

NIST SP 800-53 :: SC-28 

Rule Title: The operating system must employ 

cryptographic mechanisms to prevent unauthorized 

disclosure of data at rest unless otherwise protected by 

alternative physical measures. 


ID: V-38662 


Discussion: 





UNCLASSIFIED

UNCLASSIFIED 




the system. 


a finding. 

Fix Text: 























installation. 




UNCLASSIFIED

UNCLASSIFIED 



CCI: CCI-001200 

NIST SP 800-53A :: SC-28 (1).1 (i) 

NIST SP 800-53 :: SC-28 (1) 


verify permissions on all files and directories 

associated with the audit package. 


ID: V-38663 


Discussion: 

Permissions on audit binaries and configuration files 

that are too generous could allow an unauthorized user 

to gain privileges that they should not have. The 

permissions set by the vendor should be maintained. Any 

deviations from this baseline should be investigated. 



The following command will list which audit files on the 

system have permissions different from what is expected 

by the RPM database: 

# rpm -V audit | grep '^.M' 

If there is any output, for each file or directory found, 

compare the RPM-expected permissions with the 

permissions on the file or directory: 

# rpm -q --queryformat "[%{FILENAMES} 

%{FILEMODES:perms}\n]" audit | grep [filename] 

# ls -lL [filename] 

UNCLASSIFIED

UNCLASSIFIED 

If the existing permissions are more permissive than 

those expected by RPM, this is a finding. 

Fix Text: 

The RPM package management system can restore file access 

permissions of the audit package files and directories. 

The following command will update audit files with 

permissions different from what is expected by the RPM 

database: 

# rpm --setperms audit 

CCI: CCI-001493 

NIST SP 800-53 :: AU-9 

NIST SP 800-53A :: AU-9.1 


verify ownership on all files and directories associated 

with the audit package. 


ID: V-38664 


Discussion: 

Ownership of audit binaries and configuration files that 

is incorrect could allow an unauthorized user to gain 

privileges that they should not have. The ownership set 

by the vendor should be maintained. Any deviations from 

this baseline should be investigated. 




system have ownership different from what is expected by 

the RPM database: 

# rpm -V audit | grep '^.....U' 

UNCLASSIFIED

UNCLASSIFIED 

If there is output, this is a finding. 

Fix Text: 

The RPM package management system can restore file 

ownership of the audit package files and directories. The 

following command will update audit files with ownership 

different from what is expected by the RPM database: 

# rpm --setugids audit 

CCI: CCI-001494 

NIST SP 800-53 :: AU-9 

NIST SP 800-53A :: AU-9.1 


verify group-ownership on all files and directories 

associated with the audit package. 


ID: V-38665 


Discussion: 

Group-ownership of audit binaries and configuration 

files that is incorrect could allow an unauthorized user 


group-ownership set by the vendor should be maintained. 

Any deviations from this baseline should be investigated. 




system have group-ownership different from what is 

expected by the RPM database: 

# rpm -V audit | grep '^......G' 

UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 

The RPM package management system can restore file 

group-ownership of the audit package files and 

directories. The following command will update audit 

files with group-ownership different from what is 


# rpm --setugids audit 

CCI: CCI-001495 

NIST SP 800-53 :: AU-9 

NIST SP 800-53A :: AU-9.1 


verify contents of all files associated with the audit 

package. 


ID: V-38637 


Discussion: 

The hash on important files like audit system executables 

should match the information given by the RPM database. 

Audit executables with erroneous hashes could be a sign 

of nefarious activity on the system. 




system have file hashes different from what is expected 

by the RPM database. 

# rpm -V audit | grep '$1 ~ /..5/ && $2 != "c"' 

UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 

The RPM package management system can check the hashes 

of audit system package files. Run the following command 

to list which audit files on the system have hashes that 

differ from what is expected by the RPM database: 

# rpm -V audit | grep '^..5' 

A "c" in the second column indicates that a file is a 

configuration file, which may appropriately be expected 

to change. If the file that has changed was not expected 

to then refresh from distribution media or online 

repositories. 

rpm -Uvh [affected_package] 

OR 

yum reinstall [affected_package] 

CCI: CCI-001496 

NIST SP 800-53 :: AU-9 (3) 

NIST SP 800-53A :: AU-9 (3).1 

Rule Title: There must be no world-writable files on the 

system. 


ID: V-38643 


Discussion: 

Data in world-writable files can be modified by any user 

on the system. In almost all circumstances, files can be 

configured using a combination of user and group 

UNCLASSIFIED

UNCLASSIFIED 

permissions to support whatever legitimate access is 

needed without the risk caused by world-writable files. 



To find world-writable files, run the following command: 

# find / -xdev -type f -perm -002 


Fix Text: 

It is generally a good idea to remove global (other) write 

access to a file when it is discovered. However, check 

with documentation for specific applications before 

making changes. Also, monitor for recurring 

world-writable files, as these may be symptoms of a 

misconfigured application or user account. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system must use and update a 

DoD-approved virus scan program. 


ID: V-38666 


Discussion: 

Virus scanning software can be used to detect if a system 

has been compromised by computer viruses, as well as to 

limit their spread to other systems. 


UNCLASSIFIED

UNCLASSIFIED 


Inspect the system for a cron job or system service which 

executes a virus scanning tool regularly. 

To verify the McAfee command line scan tool (uvscan) is 

scheduled for regular execution, run the following 

command to check for a cron job: 

# grep uvscan /etc/cron* /var/spool/cron/* 

This will reveal if and when the uvscan program will be 

run. 

To check on the age of uvscan virus definition files, run 


# cd /usr/local/uvscan 

# ls -la avvscan.dat avvnames.dat avvclean.dat 

The uvscan virus definitions should not be older than 

seven days. 

If virus scanning software does not run daily, or has 

signatures that are out of date, this is a finding. 

Fix Text: 

Install virus scanning software, which uses signatures 

to search for the presence of viruses on the filesystem. 

The McAfee uvscan virus scanning tool is provided for DoD 

systems. Ensure virus definition files are no older than 

7 days, or their last release. Configure the virus 

scanning software to perform scans dynamically on all 

accessed files. If this is not possible, configure the 

system to scan all altered files on the system on a daily 

basis. If the system processes inbound SMTP mail, 

configure the virus scanner to scan all received mail. 

CCI: CCI-001668 

NIST SP 800-53 :: SI-3 a 

NIST SP 800-53A :: SI-3.1 (ii) 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The system must have a host-based intrusion 

detection tool installed. 


ID: V-38667 


Discussion: 

Adding host-based intrusion detection tools can provide 

the capability to automatically take actions in response 

to malicious behavior, which can provide additional 

agility in reacting to network threats. These tools also 

often include a reporting capability to provide network 

awareness of system, which may not otherwise exist in an 

organization's systems management regime. 



Inspect the system to determine if intrusion detection 

software has been installed. Verify the intrusion 

detection software is active. 

If no host-based intrusion detection tools are installed, 


Fix Text: 

The base Red Hat platform already includes a 

sophisticated auditing system that can detect intruder 

activity, as well as SELinux, which provides host-based 

intrusion prevention capabilities by confining 

privileged programs and user sessions which may become 

compromised. 

Install an additional intrusion detection tool to provide 

complementary or duplicative monitoring, reporting, and 

reaction capabilities to those of the base platform. For 

DoD systems, the McAfee Host-based Security System is 

provided to fulfill this role. 

CCI: CCI-001263 

NIST SP 800-53 :: SI-4 (5) 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: SI-4 (5).1 (ii) 

Rule Title: The x86 Ctrl-Alt-Delete key sequence must 

be disabled. 


ID: V-38668 


Discussion: 

A locally logged-in user who presses Ctrl-Alt-Delete, 

when at the console, can reboot the system. If 

accidentally pressed, as could happen in the case of mixed 

OS environment, this can create the risk of short-term 

loss of availability of systems due to unintentional 

reboot. In the GNOME graphical environment, risk of 

unintentional reboot from the Ctrl-Alt-Delete sequence 

is reduced because the user will be prompted before any 

action is taken. 



Determine what actions the system takes when the 

Ctrl-Alt-Delete key sequence is pressed, run the 


# cat `grep -l control-alt-delete /etc/init/*` 

Examine all lines following the "start on 

control-alt-delete" line in any files found. By 

default, the system uses 

"/etc/init/control-alt-delete.conf" to reboot the 

system with the following command when the 

Ctrl-Alt-Delete key sequence is pressed: 

exec /sbin/shutdown -r now "Control-Alt-Delete pressed" 

If the system is configured to run any shutdown command, 

UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 

Configure the system to log a message instead of rebooting 

the system by altering the "shutdown" line in 

"/etc/init/control-alt-delete.conf" to read as follows: 

exec /usr/bin/logger -p security.info "Ctrl-Alt-Delete 

pressed" 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The postfix service must be enabled for mail 

delivery. 


ID: V-38669 


Discussion: 

Local mail delivery is essential to some system 

maintenance and notification tasks. 




of the "postfix" service: 

# service postfix status 


postfix is running... 

If the service is not enabled, this is a finding. 

UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

The Postfix mail transfer agent is used for local mail 

delivery within the system. The default configuration 

only listens for connections to the default SMTP port 

(port 25) on the loopback interface (127.0.0.1). It is 

recommended to leave this service enabled for local mail 

delivery. The "postfix" service can be enabled with the 


# chkconfig postfix on 

# service postfix start 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The sendmail package must be removed. 


ID: V-38671 


Discussion: 

The sendmail software was not developed with security in 

mind and its design prevents it from being effectively 

contained by SELinux. Postfix should be used instead. 



Run the following command to determine if the "sendmail" 


# rpm -q sendmail 


Fix Text: 

UNCLASSIFIED

UNCLASSIFIED 

Sendmail is not the default mail transfer agent and is 

not installed by default. The "sendmail" package can be 

removed with the following command: 

# yum erase sendmail 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The netconsole service must be disabled 

unless required. 


ID: V-38672 


Discussion: 

The "netconsole" service is not necessary unless there 

is a need to debug kernel panics, which is not common. 



To check that the "netconsole" service is disabled in 


# chkconfig "netconsole" --list 

Output should indicate the "netconsole" service has 

either not been installed, or has been disabled at all 

runlevels, as shown in the example below: 

# chkconfig "netconsole" --list 

"netconsole" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "netconsole" is 


UNCLASSIFIED

UNCLASSIFIED 

# service netconsole status 



netconsole is stopped 


Fix Text: 

The "netconsole" service is responsible for loading the 

netconsole kernel module, which logs kernel printk 

messages over UDP to a syslog server. This allows 

debugging of problems where disk logging fails and serial 

consoles are impractical. The "netconsole" service can 

be disabled with the following command: 

# chkconfig netconsole off 

CCI: CCI-000382 

NIST SP 800-53A :: CM-7.1 (iii) 

NIST SP 800-53 :: CM-7 

Rule Title: X Windows must not be enabled unless 

required. 


ID: V-38674 


Discussion: 

Unnecessary services should be disabled to decrease the 

attack surface of the system. 



To verify the default runlevel is 3, run the following 

UNCLASSIFIED

UNCLASSIFIED 

command: 

# grep initdefault /etc/inittab 

The output should show the following: 

id:3:initdefault: 


Fix Text: 

Setting the system's runlevel to 3 will prevent automatic 

startup of the X server. To do so, ensure the following 

line in "/etc/inittab" features a "3" as shown: 

id:3:initdefault: 

CCI: CCI-001436 

NIST SP 800-53A :: AC-17 (8).1 (ii) 

NIST SP 800-53 :: AC-17 (8) 

Rule Title: The xorg-x11-server-common (X Windows) 

package must not be installed, unless required. 


ID: V-38676 


Discussion: 

Unnecessary packages should not be installed to decrease 

the attack surface of the system. 



To ensure the X Windows package group is removed, run the 


UNCLASSIFIED

UNCLASSIFIED 

$ rpm -qi xorg-x11-server-common 

The output should be: 

package xorg-x11-server-common is not installed 


Fix Text: 

Removing all packages which constitute the X Window 

System ensures users or malicious software cannot start 

X. To do so, run the following command: 

# yum groupremove "X Window System" 

Rule Title: The DHCP client must be disabled if not 

needed. 


ID: V-38679 


Discussion: 

DHCP relies on trusting the local network. If the local 

network is not trusted, then it should not be used. 

However, the automatic configuration provided by DHCP is 

commonly used and the alternative, manual configuration, 

presents an unacceptable burden in many circumstances. 



To verify that DHCP is not being used, examine the 

following file for each interface. 

# /etc/sysconfig/network-scripts/ifcfg-[IFACE] 

If there is any network interface without a associated 

UNCLASSIFIED

UNCLASSIFIED 

"ifcfg" file, this is a finding. 

Look for the following: 

BOOTPROTO=static 

Also verify the following, substituting the appropriate 

values based on your site's addressing scheme: 

NETMASK=[local LAN netmask] 

IPADDR=[assigned IP address] 

GATEWAY=[local LAN default gateway] 


Fix Text: 

For each interface [IFACE] on the system (e.g. eth0), edit 

"/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and 

make the following changes. 

Correct the BOOTPROTO line to read: 

BOOTPROTO=static 

Add or correct the following lines, substituting the 

appropriate values based on your site's addressing 

scheme: 

NETMASK=[local LAN netmask] 

IPADDR=[assigned IP address] 

GATEWAY=[local LAN default gateway] 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: All GIDs referenced in /etc/passwd must be 

UNCLASSIFIED

UNCLASSIFIED 

defined in /etc/group 


ID: V-38681 


Discussion: 

Inconsistency in GIDs between /etc/passwd and /etc/group 

could lead to a user having unintended rights. 



To ensure all GIDs referenced in /etc/passwd are defined 

in /etc/group, run the following command: 

# pwck -rq 

There should be no output. 


Fix Text: 

Add a group to the system for each GID referenced without 

a corresponding group. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: All accounts on the system must have unique 

user or account names 


ID: V-38683 


Discussion: 

Unique usernames allow for accountability on the system. 

UNCLASSIFIED

UNCLASSIFIED 



Run the following command to check for duplicate account 

names: 

# pwck -rq 

If there are no duplicate names, no line will be returned. 

If a line is returned, this is a finding. 

Fix Text: 

Change usernames, or delete accounts, so each has a unique 

name. 

CCI: CCI-000804 

NIST SP 800-53A :: IA-8.1 

NIST SP 800-53 :: IA-8 

Rule Title: Temporary accounts must be provisioned with 

an expiration date. 


ID: V-38685 


Discussion: 

When temporary accounts are created, there is a risk they 

may remain in place and active after the need for them 

no longer exists. Account expiration greatly reduces the 

risk of accounts being misused or hijacked. 



For every temporary account, run the following command 

to obtain its account aging and expiration information: 

# chage -l [USER] 

UNCLASSIFIED

UNCLASSIFIED 

Verify each of these accounts has an expiration date set 

as documented. 

If any temporary accounts have no expiration date set or 

do not expire within a documented time frame, this is a 

finding. 

Fix Text: 

In the event temporary accounts are required, configure 

the system to terminate them after a documented time 

period. For every temporary account, run the following 

command to set an expiration date on it, substituting 

"[USER]" and "[YYYY-MM-DD]" appropriately: 

# chage -E [YYYY-MM-DD] [USER] 

"[YYYY-MM-DD]" indicates the documented expiration date 

for the account. 

CCI: CCI-000016 

NIST SP 800-53 :: AC-2 (2) 

NIST SP 800-53A :: AC-2 (2).1 (ii) 

Rule Title: Emergency accounts must be provisioned with 

an expiration date. 


ID: V-38690 


Discussion: 

When emergency accounts are created, there is a risk they 

may remain in place and active after the need for them 

no longer exists. Account expiration greatly reduces the 

risk of accounts being misused or hijacked. 



UNCLASSIFIED

UNCLASSIFIED 

For every emergency account, run the following command 

to obtain its account aging and expiration information: 

# chage -l [USER] 

Verify each of these accounts has an expiration date set 

as documented. 

If any emergency accounts have no expiration date set or 

do not expire within a documented time frame, this is a 

finding. 

Fix Text: 

In the event emergency accounts are required, configure 

the system to terminate them after a documented time 

period. For every emergency account, run the following 

command to set an expiration date on it, substituting 

"[USER]" and "[YYYY-MM-DD]" appropriately: 

# chage -E [YYYY-MM-DD] [USER] 

"[YYYY-MM-DD]" indicates the documented expiration date 

for the account. 

CCI: CCI-001682 


no more than three consecutive repeating characters. 


ID: V-38693 


Discussion: 

Passwords with excessive repeating characters may be more 

vulnerable to password-guessing attacks. 



UNCLASSIFIED

UNCLASSIFIED 

To check the maximum value for consecutive repeating 

characters, run the following command: 


Look for the value of the "maxrepeat" parameter. The DoD 

requirement is 3. 

If maxrepeat is not found or not set to the required value, 


Fix Text: 

The pam_cracklib module's "maxrepeat" parameter controls 

requirements for consecutive repeating characters. Edit 

the "/etc/pam.d/system-auth" file to include the 

following line prior to the "password include 

system-auth-ac" line: 

password required pam_cracklib.so maxrepeat=3 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: A file integrity tool must be used at least 

weekly to check for unauthorized file changes, 

particularly the addition of unauthorized system 

libraries or binaries, or for unauthorized modification 

to authorized system libraries or binaries. 


ID: V-38695 


Discussion: 

By default, AIDE does not install itself for periodic 

execution. Periodically running AIDE may reveal 

unexpected changes in installed files. 


UNCLASSIFIED

UNCLASSIFIED 


To determine that periodic AIDE execution has been 

scheduled, run the following command: 

# grep aide /etc/crontab 

If there is no output or if aide is not run at least weekly, 


Fix Text: 

AIDE should be executed on a periodic basis to check for 

changes. To implement a daily execution of AIDE at 4:05am 

using cron, add the following line to /etc/crontab: 

05 4 * * * root /usr/sbin/aide --check 

AIDE can be executed periodically through other means; 

this is merely one example. 

CCI: CCI-000374 

NIST SP 800-53A :: CM-6 (2).1 (ii) 

NIST SP 800-53 :: CM-6 (2) 


mechanisms, per organization defined frequency, to 

detect the addition of unauthorized components/devices 

into the operating system. 


ID: V-38696 


Discussion: 




UNCLASSIFIED

UNCLASSIFIED 







Fix Text: 







CCI: CCI-000416 

NIST SP 800-53A :: CM-8 (3).1 (ii) 

NIST SP 800-53 :: CM-8 (3) (a) 


mechanisms to detect the presence of unauthorized 

software on organizational information systems and 

notify designated organizational officials in accordance 

with the organization defined frequency. 


ID: V-38698 


Discussion: 




UNCLASSIFIED

UNCLASSIFIED 







Fix Text: 







CCI: CCI-001069 

NIST SP 800-53A :: RA-5 (7).1 (ii) 

NIST SP 800-53 :: RA-5 (7) 

Rule Title: The operating system must provide a near 

real-time alert when any of the organization defined list 

of compromise or potential compromise indicators occurs. 


ID: V-38700 


Discussion: 




UNCLASSIFIED

UNCLASSIFIED 







Fix Text: 







CCI: CCI-001263 

NIST SP 800-53 :: SI-4 (5) 

NIST SP 800-53A :: SI-4 (5).1 (ii) 

Rule Title: The operating system must detect 

unauthorized changes to software and information. 


ID: V-38670 


Discussion: 





UNCLASSIFIED

UNCLASSIFIED 






Fix Text: 







CCI: CCI-001297 

NIST SP 800-53 :: SI-7 

NIST SP 800-53A :: SI-7.1 

Rule Title: The operating system must ensure 

unauthorized, security-relevant configuration changes 

detected are tracked. 


ID: V-38673 


Discussion: 






UNCLASSIFIED

UNCLASSIFIED 





Fix Text: 







CCI: CCI-001589 

NIST SP 800-53 :: CM-6 (3) 

NIST SP 800-53A :: CM-6 (3).1 (ii) 

Rule Title: Process core dumps must be disabled unless 

needed. 


ID: V-38675 


Discussion: 

A core dump includes a memory image taken at the time the 

operating system terminates an application. The memory 

image could contain sensitive data and is generally 

useful only for developers trying to debug problems. 



To verify that core dumps are disabled for all users, run 

UNCLASSIFIED

UNCLASSIFIED 


$ grep core /etc/security/limits.conf 

The output should be: 

* hard core 0 


Fix Text: 

To disable core dumps for all users, add the following 

line to "/etc/security/limits.conf": 

* hard core 0 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The NFS server must not have the insecure 

file locking option enabled. 


ID: V-38677 


Discussion: 

Allowing insecure file locking could allow for sensitive 

data to be viewed or edited by an unauthorized user. 



To verify insecure file locking has been disabled, run 


# grep insecure_locks /etc/exports 

UNCLASSIFIED

UNCLASSIFIED 


Fix Text: 

By default the NFS server requires secure file-lock 

requests, which require credentials from the client in 

order to lock a file. Most NFS clients send credentials 

with file lock requests, however, there are a few clients 

that do not send credentials when requesting a file-lock, 

allowing the client to only be able to lock world-readable 

files. To get around this, the "insecure_locks" option 

can be used so these clients can access the desired 

export. This poses a security risk by potentially 

allowing the client access to data for which it does not 

have authorization. Remove any instances of the 

"insecure_locks" option from the file "/etc/exports". 

CCI: CCI-000764 

NIST SP 800-53A :: IA-2.1 

NIST SP 800-53 :: IA-2 

Rule Title: The audit system must provide a warning when 

allocated audit record storage volume reaches a 

documented percentage of maximum audit record storage 

capacity. 


ID: V-38678 


Discussion: 

Notifying administrators of an impending disk space 

problem may allow them to take corrective action prior 

to any disruption. 



UNCLASSIFIED

UNCLASSIFIED 


following line to determine whether the system is 

configured to email the administrator when disk space is 

starting to run low: 

# grep space_left /etc/audit/auditd.conf 

space_left = [num_megabytes] 

If the "num_megabytes" value does not correspond to a 

documented value for remaining audit partition capacity 

or if there is no locally documented value for remaining 

audit partition capacity, this is a finding. 

Fix Text: 





space_left = [num_megabytes] 

The "num_megabytes" value should be set to a fraction of 

the total audit storage capacity available that will 

allow a system administrator to be notified with enough 

time to respond to the situation causing the capacity 

issues. This value must also be documented locally. 

CCI: CCI-000143 

NIST SP 800-53A :: AU-5 (1).1 (ii) 

NIST SP 800-53 :: AU-5 (1) 

Rule Title: The audit system must identify staff members 

to receive notifications of audit log storage volume 

capacity issues. 


ID: V-38680 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Email sent to the root account is typically aliased to 

the administrators of the system, who can take 

appropriate action. 





to send email to an account when it needs to notify an 

administrator: 

action_mail_acct = root 

If auditd is not configured to send emails per identified 

actions, this is a finding. 

Fix Text: 

The "auditd" service can be configured to send email to 

a designated account in certain situations. Add or 

correct the following line in "/etc/audit/auditd.conf" 

to ensure that administrators are notified via email for 

those situations: 

action_mail_acct = root 

CCI: CCI-000139 

NIST SP 800-53A :: AU-5.1 (ii) 

NIST SP 800-53 :: AU-5 a 

Rule Title: The Bluetooth kernel module must be 

disabled. 


ID: V-38682 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

If Bluetooth functionality must be disabled, preventing 

the kernel from loading the kernel module provides an 

additional safeguard against its activation. 




"bluetooth" kernel module, it will contain lines inside 

any file in "/etc/modprobe.d" or the 







$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d 


"net-pf-31" kernel module, it will contain lines inside 








$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d 


Fix Text: 

The kernel's module loading system can be configured to 

prevent loading of the Bluetooth module. Add the 

following to the appropriate "/etc/modprobe.d" 

UNCLASSIFIED

UNCLASSIFIED 

configuration file to prevent the loading of the 

Bluetooth module: 

install net-pf-31 /bin/true 

install bluetooth /bin/true 

CCI: CCI-000085 

NIST SP 800-53A :: AC-19.1 (iii) 

NIST SP 800-53 :: AC-19 c 

Rule Title: The system must limit users to 10 

simultaneous system logins, or a site-defined number, in 

accordance with operational requirements. 


ID: V-38684 


Discussion: 

Limiting simultaneous user logins can insulate the system 

from denial of service problems caused by excessive 

logins. Automated login processes operating improperly 

or maliciously may result in an exceptional number of 

simultaneous login sessions. 



Run the following command to ensure the "maxlogins" value 

is configured for all users on the system: 

# grep "maxlogins" /etc/security/limits.conf 

You should receive output similar to the following: 

* hard maxlogins 10 

If it is not set to 10 or a documented site-defined number, 


UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

Limiting the number of allowed users and sessions per user 

can limit risks related to denial of service attacks. This 

addresses concurrent sessions for a single account and 

does not address concurrent sessions by a single user via 

multiple accounts. To set the number of concurrent 

sessions per user add the following line in 

"/etc/security/limits.conf": 

* hard maxlogins 10 

A documented site-defined number may be substituted for 

10 in the above. 

CCI: CCI-000054 

NIST SP 800-53 :: AC-10 

NIST SP 800-53A :: AC-10.1 (ii) 

Rule Title: The systems local firewall must implement 

a deny-all, allow-by-exception policy for forwarded 

packets. 


ID: V-38686 


Discussion: 

In "iptables" the default policy is applied only after 







Run the following command to ensure the default "FORWARD" 

policy is "DROP": 

UNCLASSIFIED

UNCLASSIFIED 

grep ":FORWARD" /etc/sysconfig/iptables 

The output must be the following: 

# grep ":FORWARD" /etc/sysconfig/iptables 

:FORWARD DROP [0:0] 


Fix Text: 


the built-in FORWARD chain which processes packets that 

will be forwarded from one interface to another, add or 

correct the following line in "/etc/sysconfig/iptables": 

:FORWARD DROP [0:0] 

CCI: CCI-001109 

NIST SP 800-53A :: SC-7 (5).1 (i) (ii) 

NIST SP 800-53 :: SC-7 (5) 

Rule Title: The system must provide VPN connectivity for 

communications over untrusted networks. 


ID: V-38687 


Discussion: 

Providing the ability for remote users or systems to 

initiate a secure VPN connection protects information 

when it is transmitted over a wide area network. 



Run the following command to determine if the "openswan" 


UNCLASSIFIED

UNCLASSIFIED 

# rpm -q openswan 


Fix Text: 

The Openswan package provides an implementation of IPsec 

and IKE, which permits the creation of secure tunnels over 

untrusted networks. The "openswan" package can be 

installed with the following command: 

# yum install openswan 

CCI: CCI-001130 

NIST SP 800-53A :: SC-9.1 

NIST SP 800-53 :: SC-9 

Rule Title: A login banner must be displayed immediately 

prior to, or as part of, graphical desktop environment 

login prompts. 


ID: V-38688 


Discussion: 






To ensure a login warning banner is enabled, run the 

following: 


/apps/gdm/simple-greeter/banner_message_enable 

UNCLASSIFIED

UNCLASSIFIED 

Search for the "banner_message_enable" schema. If 

properly configured, the "default" value should be 

"true". 


Fix Text: 

To enable displaying a login warning banner in the GNOME 

Display Manager's login screen, run the following 

command: 

sudo -u gdm gconftool-2 \ 

--type bool \ 

--set /apps/gdm/simple-greeter/banner_message_enable 

true 

To display a banner, this setting must be enabled and then 

banner text must also be set. 

CCI: CCI-000050 

NIST SP 800-53 :: AC-8 b 

NIST SP 800-53A :: AC-8.1 (iii) 

Rule Title: The Department of Defense (DoD) login banner 

must be displayed immediately prior to, or as part of, 

graphical desktop environment login prompts. 


ID: V-38689 


Discussion: 






UNCLASSIFIED

UNCLASSIFIED 

To ensure login warning banner text is properly set, run 

the following: 


/apps/gdm/simple-greeter/banner_message_text 

If properly configured, the proper banner text will 

appear within this schema. 

The DoD required text is either: 












on this IS. 
















OR: 

UNCLASSIFIED

UNCLASSIFIED 


If the DoD required banner text is not appear in the 

schema, this is a finding. 

Fix Text: 

To set the text shown by the GNOME Display Manager in the 

login screen, run the following command: 

sudo -u gdm gconftool-2 \ 


--set /apps/gdm/simple-greeter/banner_message_text \ 

"[DoD required text]" 

Where the DoD required text is either: 












on this IS. 












UNCLASSIFIED

UNCLASSIFIED 





OR: 


When entering a warning banner that spans several lines, 

remember to begin and end the string with """. This 

command writes directly to the file 

"/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.x 

ml", and this file can later be edited directly if 

necessary. 

CCI: CCI-001384 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (i) 

CCI: CCI-001385 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (ii) 

CCI: CCI-001386 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (ii) 

CCI: CCI-001387 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (ii) 

CCI: CCI-001388 

NIST SP 800-53 :: AC-8 c 

NIST SP 800-53A :: AC-8.2 (iii) 

Rule Title: The Bluetooth service must be disabled. 


ID: V-38691 

UNCLASSIFIED

UNCLASSIFIED 


Discussion: 

Disabling the "bluetooth" service prevents the system 

from attempting connections to Bluetooth devices, which 

entails some security risk. Nevertheless, variation in 

this risk decision may be expected due to the utility of 

Bluetooth connectivity and its limited range. 



To check that the "bluetooth" service is disabled in 


# chkconfig "bluetooth" --list 

Output should indicate the "bluetooth" service has either 



# chkconfig "bluetooth" --list 

"bluetooth" 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Run the following command to verify "bluetooth" is 


# service bluetooth status 



bluetooth is stopped 


Fix Text: 

The "bluetooth" service can be disabled with the 


UNCLASSIFIED

UNCLASSIFIED 

# chkconfig bluetooth off 

# service bluetooth stop 

CCI: CCI-000085 

NIST SP 800-53A :: AC-19.1 (iii) 

NIST SP 800-53 :: AC-19 c 

Rule Title: Accounts must be locked upon 35 days of 

inactivity. 


ID: V-38692 


Discussion: 

Disabling inactive accounts ensures that accounts which 

may not have been responsibly removed are not available 

to attackers who may have compromised their credentials. 



To verify the "INACTIVE" setting, run the following 

command: 

grep "INACTIVE" /etc/default/useradd 

The output should indicate the "INACTIVE" configuration 

option is set to an appropriate integer as shown in the 

example below: 

# grep "INACTIVE" /etc/default/useradd 

INACTIVE=35 


UNCLASSIFIED

UNCLASSIFIED 

Fix Text: 

To specify the number of days after a password expires 

(which signifies inactivity) until an account is 

permanently disabled, add or correct the following lines 

in "/etc/default/useradd", substituting "[NUM_DAYS]" 

appropriately: 

INACTIVE=[NUM_DAYS] 

A value of 35 is recommended. If a password is currently 

on the verge of expiration, then 35 days remain until the 

account is automatically disabled. However, if the 

password will not expire for another 60 days, then 95 days 

could elapse until the account would be automatically 

disabled. See the "useradd" man page for more 

information. Determining the inactivity timeout must be 

done with careful consideration of the length of a 

"normal" period of inactivity for users in the particular 

environment. Setting the timeout too low incurs support 

costs and also has the potential to impact availability 

of the system to legitimate users. 

CCI: CCI-000017 

NIST SP 800-53 :: AC-2 (3) 

NIST SP 800-53A :: AC-2 (3).1 (ii) 

Rule Title: The operating system must manage 

information system identifiers for users and devices by 

disabling the user identifier after an organization 

defined time period of inactivity. 


ID: V-38694 


Discussion: 

Disabling inactive accounts ensures that accounts which 

may not have been responsibly removed are not available 

UNCLASSIFIED

UNCLASSIFIED 

to attackers who may have compromised their credentials. 



To verify the "INACTIVE" setting, run the following 

command: 

grep "INACTIVE" /etc/default/useradd 

The output should indicate the "INACTIVE" configuration 

option is set to an appropriate integer as shown in the 

example below: 

# grep "INACTIVE" /etc/default/useradd 

INACTIVE=35 


Fix Text: 

To specify the number of days after a password expires 

(which signifies inactivity) until an account is 

permanently disabled, add or correct the following lines 

in "/etc/default/useradd", substituting "[NUM_DAYS]" 

appropriately: 

INACTIVE=[NUM_DAYS] 

A value of 35 is recommended. If a password is currently 

on the verge of expiration, then 35 days remain until the 

account is automatically disabled. However, if the 

password will not expire for another 60 days, then 95 days 

could elapse until the account would be automatically 

disabled. See the "useradd" man page for more 

information. Determining the inactivity timeout must be 

done with careful consideration of the length of a 

"normal" period of inactivity for users in the particular 

environment. Setting the timeout too low incurs support 

costs and also has the potential to impact availability 

of the system to legitimate users. 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000795 

NIST SP 800-53A :: IA-4.1 (iii) 

NIST SP 800-53 :: IA-4 e 

Rule Title: The sticky bit must be set on all public 

directories. 


ID: V-38697 


Discussion: 

Failing to set the sticky bit on public directories allows 

unauthorized users to delete files in the directory 

structure. 

The only authorized public directories are those 

temporary directories supplied with the system, or those 

designed to be temporary file repositories. The setting 

is normally reserved for directories used by the system, 

and by users for temporary file storage - such as /tmp 

- and for directories requiring global read/write access. 



To find world-writable directories that lack the sticky 

bit, run the following command: 

# find / -xdev -type d -perm 002 ! -perm 1000 

If any world-writable directories are missing the sticky 

bit, this is a finding. 

Fix Text: 

When the so-called 'sticky bit' is set on a directory, 

only the owner of a given file may remove that file from 

UNCLASSIFIED

UNCLASSIFIED 

the directory. Without the sticky bit, any user with write 

access to a directory may remove any file in the 

directory. Setting the sticky bit prevents users from 

removing each other's files. In cases where there is no 

reason for a directory to be world-writable, a better 

solution is to remove that permission rather than to set 

the sticky bit. However, if a directory is used by a 

particular application, consult that application's 

documentation instead of blindly changing modes. 

To set the sticky bit on a world-writable directory [DIR], 


# chmod +t [DIR] 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: All public directories must be owned by a 

system account. 


ID: V-38699 


Discussion: 

Allowing a user account to own a world-writable directory 

is undesirable because it allows the owner of that 

directory to remove or replace any files that may be 

placed in the directory by other users. 



The following command will discover and print 

world-writable directories that are not owned by a system 

account, given the assumption that only system accounts 

have a uid lower than 500. Run it once for each local 

partition [PART]: 

UNCLASSIFIED

UNCLASSIFIED 

# find [PART] -xdev -type d -perm 0002 -uid +500 -print 


Fix Text: 

All directories in local partitions which are 

world-writable should be owned by root or another system 

account. If any world-writable directories are not owned 

by a system account, this should be investigated. 

Following this, the files should be deleted or assigned 

to an appropriate group. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The TFTP daemon must operate in secure mode 

which provides access only to a single directory on the 

host file system. 


ID: V-38701 


Discussion: 

Using the "-s" option causes the TFTP service to only 

serve files from the given directory. Serving files from 

an intentionally specified directory reduces the risk of 

sharing files which should remain private. 



Verify "tftp" is configured by with the "-s" option by 

running the following command: 

grep "server_args" /etc/xinetd.d/tftp 

UNCLASSIFIED

UNCLASSIFIED 

The output should indicate the "server_args" variable is 

configured with the "-s" flag, matching the example 

below: 

# grep "server_args" /etc/xinetd.d/tftp 

server_args = -s /var/lib/tftpboot 


Fix Text: 

If running the "tftp" service is necessary, it should be 

configured to change its root directory at startup. To 

do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a 

command line argument, as shown in the following example 

(which is also the default): 

server_args = -s /var/lib/tftpboot 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The FTP daemon must be configured for 

logging or verbose mode. 


ID: V-38702 


Discussion: 

To trace malicious activity facilitated by the FTP 

service, it must be configured to ensure that all commands 

sent to the ftp server are logged using the verbose vsftpd 

log format. The default vsftpd log file is 

/var/log/vsftpd.log. 


UNCLASSIFIED

UNCLASSIFIED 


Find if logging is applied to the ftp daemon. 

Procedures: 

If vsftpd is started by xinetd the following command will 

indicate the xinetd.d startup file. 

# grep vsftpd /etc/xinetd.d/* 

# grep server_args [vsftpd xinetd.d startup file] 

This will indicate the vsftpd config file used when 

starting through xinetd. If the [server_args]line is 

missing or does not include the vsftpd configuration 

file, then the default config file 

(/etc/vsftpd/vsftpd.conf) is used. 

# grep xferlog_enable [vsftpd config file] 

If xferlog_enable is missing, or is not set to yes, this 

is a finding. 

Fix Text: 

Add or correct the following configuration options within 

the "vsftpd" configuration file, located at 

"/etc/vsftpd/vsftpd.conf". 

xferlog_enable=YES 

xferlog_std_format=NO 

log_ftp_protocol=YES 

CCI: CCI-000130 

NIST SP 800-53A :: AU-3.1 

NIST SP 800-53 :: AU-3 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The snmpd service must use only SNMP 

protocol version 3 or newer. 


ID: V-38660 


Discussion: 

Earlier versions of SNMP are considered insecure, as they 

potentially allow unauthorized access to detailed system 

management information. 



To ensure only SNMPv3 or newer is used, run the following 

command: 

# grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v 

'^#' 



Fix Text: 

Edit "/etc/snmp/snmpd.conf", removing any references to 

"v1", "v2c", or "com2sec". Upon doing that, restart the 

SNMP service: 

# service snmpd restart 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The snmpd service must not use a default 

password. 


UNCLASSIFIED

UNCLASSIFIED 

ID: V-38653 


Discussion: 

Presence of the default SNMP password enables querying 

of different system aspects and could result in 

unauthorized knowledge of the system. 



To ensure the default password is not set, run the 


# grep -v "^#" /etc/snmp/snmpd.conf| grep public 



Fix Text: 

Edit "/etc/snmp/snmpd.conf", remove default community 

string "public". Upon doing that, restart the SNMP 

service: 

# service snmpd restart 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system default umask for the bash shell 

must be 077. 


ID: V-38651 


Discussion: 

UNCLASSIFIED

UNCLASSIFIED 

The umask value influences the permissions assigned to 

files when they are created. A misconfigured umask value 

could result in files with excessive permissions that can 

be read and/or written to by unauthorized users. 



Verify the "umask" setting is configured correctly in the 

"/etc/bashrc" file by running the following command: 

# grep "umask" /etc/bashrc 

All output must show the value of "umask" set to 077, as 

shown below: 

# grep "umask" /etc/bashrc 

umask 077 

umask 077 

If the above command returns no output, or if the umask 

is configured incorrectly, this is a finding. 

Fix Text: 

To ensure the default umask for users of the Bash shell 

is set properly, add or correct the "umask" setting in 

"/etc/bashrc" to read as follows: 

umask 077 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system default umask for the csh shell 

must be 077. 


ID: V-38649 

UNCLASSIFIED

UNCLASSIFIED 


Discussion: 








"/etc/csh.cshrc" file by running the following command: 

# grep "umask" /etc/csh.cshrc 


shown in the below: 

# grep "umask" /etc/csh.cshrc 

umask 077 



Fix Text: 

To ensure the default umask for users of the C shell is 

set properly, add or correct the "umask" setting in 

"/etc/csh.cshrc" to read as follows: 

umask 077 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system default umask in /etc/profile 

UNCLASSIFIED

UNCLASSIFIED 

must be 077. 


ID: V-38647 


Discussion: 








"/etc/profile" file by running the following command: 

# grep "umask" /etc/profile 



# grep "umask" /etc/profile 

umask 077 



Fix Text: 

To ensure the default umask controlled by "/etc/profile" 

is set properly, add or correct the "umask" setting in 

"/etc/profile" to read as follows: 

umask 077 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The system default umask in /etc/login.defs 

must be 077. 


ID: V-38645 


Discussion: 








"/etc/login.defs" file by running the following command: 

# grep -i "umask" /etc/login.defs 



# grep -i "umask" /etc/login.defs 

UMASK 077 



Fix Text: 

To ensure the default umask controlled by 

"/etc/login.defs" is set properly, add or correct the 

"umask" setting in "/etc/login.defs" to read as follows: 

UMASK 077 

CCI: CCI-000366 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The system default umask for daemons must 

be 027 or 022. 


ID: V-38642 


Discussion: 

The umask influences the permissions assigned to files 

created by a process at run time. An unnecessarily 

permissive umask could result in files being created with 

insecure permissions. 



To check the value of the "umask", run the following 

command: 

$ grep umask /etc/init.d/functions 

The output should show either "022" or "027". 


Fix Text: 

The file "/etc/init.d/functions" includes 

initialization parameters for most or all daemons started 

at boot time. The default umask of 022 prevents creation 

of group- or world-writable files. To set the default 

umask for daemons, edit the following line, inserting 022 

or 027 for [UMASK] appropriately: 

umask [UMASK] 

Setting the umask to too restrictive a setting can cause 

serious errors at runtime. Many daemons on the system 

UNCLASSIFIED

UNCLASSIFIED 

already individually restrict themselves to a umask of 

077 in their own init scripts. 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: There must be no .netrc files on the system. 


ID: V-38619 


Discussion: 

Unencrypted passwords for remote FTP servers may be 

stored in ".netrc" files. DoD policy requires passwords 

be encrypted in storage and not used in access scripts. 



To check the system for the existence of any ".netrc" 

files, run the following command: 

# find /home -xdev -name .netrc 

If any .netrc files exist, this is a finding. 

Fix Text: 

The ".netrc" files contain login information used to 

auto-login into FTP servers and reside in the user's home 

directory. These files may contain unencrypted passwords 

to remote FTP servers making them susceptible to access 

by unauthorized users and should not be used. Any ".netrc" 

files should be removed. 

CCI: CCI-000196 

NIST SP 800-53A :: IA-5 (1).1 (v) 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53 :: IA-5 (1) (c) 

Rule Title: The FTPS/FTP service on the system must be 

configured with the Department of Defense (DoD) login 

banner. 


ID: V-38599 


Discussion: 

This setting will cause the system greeting banner to be 

used for FTP connections as well. 



To verify this configuration, run the following command: 

grep "banner_file" /etc/vsftpd/vsftpd.conf 

The output should show the value of "banner_file" is set 

to "/etc/issue", an example of which is shown below. 

# grep "banner_file" /etc/vsftpd/vsftpd.conf 

banner_file=/etc/issue 


Fix Text: 

Edit the vsftpd configuration file, which resides at 

"/etc/vsftpd/vsftpd.conf" by default. Add or correct the 

following configuration options. 

banner_file=/etc/issue 

CCI: CCI-000048 

NIST SP 800-53 :: AC-8 a 

UNCLASSIFIED

UNCLASSIFIED 

NIST SP 800-53A :: AC-8.1 (ii) 

Rule Title: The system must be configured to require the 

use of a CAC, PIV compliant hardware token, or Alternate 

Logon Token (ALT) for authentication. 


ID: V-38595 


Discussion: 

Smart card login provides two-factor authentication 

stronger than that provided by a username/password 

combination. Smart cards leverage a PKI (public key 

infrastructure) in order to provide and verify 

credentials. 



Interview the SA to determine if all accounts not exempted 

by policy are using CAC authentication. For DoD systems, 

the following systems and accounts are exempt from using 

smart card (CAC) authentication: 

SIPRNET systems 

Standalone systems 

Application accounts 

Temporary employee accounts, such as students or interns, 

who cannot easily receive a CAC or PIV 

Operational tactical locations that are not collocated 

with RAPIDS workstations to issue CAC or ALT 

Test systems, such as those with an Interim Approval to 

Test (IATT) and use a separate VPN, firewall, or security 

measure preventing access to network and system 

components from outside the protection boundary 

documented in the IATT. 

UNCLASSIFIED

UNCLASSIFIED 

If non-exempt accounts are not using CAC authentication, 


Fix Text: 

To enable smart card authentication, consult the 

documentation at: 


_Linux/6/html/Managing_Smart_Cards/enabling-smart-car 

d-login.html 

CCI: CCI-000765 

NIST SP 800-53A :: IA-2 (1).1 

NIST SP 800-53 :: IA-2 (1) 

Rule Title: The system must require administrator 

action to unlock an account locked by excessive failed 

login attempts. 


ID: V-38592 


Discussion: 


attempts prevents direct password guessing attacks. 

Ensuring that an administrator is involved in unlocking 

locked accounts draws appropriate attention to such 

situations. 






UNCLASSIFIED

UNCLASSIFIED 

The output should show 

"unlock_time="; the largest 

acceptable value is 604800 seconds (one week). 


Fix Text: 


number of incorrect login attempts and require an 

administrator to unlock the account using 

"pam_faillock.so": 


"pam_unix.so" statement in the AUTH section of 









not be used. 

CCI: CCI-000047 

NIST SP 800-53 :: AC-7 b 

NIST SP 800-53A :: AC-7.1 (iv) 

Rule Title: The system must disable accounts after 

excessive login failures within a 15-minute interval. 


ID: V-38501 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 


attempts within a specific period of time prevents direct 

password guessing attacks. 






The output should show 

"fail_interval=" where 

"interval-in-seconds" is 900 (15 minutes) or greater. If 

the "fail_interval" parameter is not set, the default 

setting of 900 seconds is acceptable. 


Fix Text: 


number of incorrect login attempts within a 15-minute 

interval using "pam_faillock.so": 


"pam_env.so" statement in the AUTH section of 









UNCLASSIFIED

UNCLASSIFIED 

not be used. 

CCI: CCI-001452 

NIST SP 800-53A :: AC-7.1 (ii) 

NIST SP 800-53 :: AC-7 a 

Rule Title: Audit log files must have mode 0640 or less 

permissive. 


ID: V-38498 


Discussion: 

If users can write to audit logs, audit trails can be 

modified or destroyed. 



Run the following command to check the mode of the system 

audit logs: 

grep "^log_file" /etc/audit/auditd.conf|sed 

s/^[^\/]*//|xargs stat -c %a:%n 

Audit logs must be mode 0640 or less permissive. 

If any are more permissive, this is a finding. 

Fix Text: 

Change the mode of the audit log files with the following 

command: 

# chmod 0640 [audit_file] 

CCI: CCI-000163 

NIST SP 800-53A :: AU-9.1 

NIST SP 800-53 :: AU-9 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: Audit log files must be owned by root. 


ID: V-38495 


Discussion: 

If non-privileged users can write to audit logs, audit 

trails can be modified or destroyed. 



Run the following command to check the owner of the system 

audit logs: 


s/^[^\/]*//|xargs stat -c %U:%n 

Audit logs must be owned by root. 

If they are not, this is a finding. 

Fix Text: 

Change the owner of the audit log files with the following 

command: 

# chown root [audit_file] 

CCI: CCI-000162 

NIST SP 800-53A :: AU-9.1 

NIST SP 800-53 :: AU-9 

Rule Title: Audit log directories must have mode 0755 

or less permissive. 


ID: V-38493 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

If users can delete audit logs, audit trails can be 

modified or destroyed. 



Run the following command to check the mode of the system 

audit directories: 


's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n 

Audit directories must be mode 0755 or less permissive. 

If any are more permissive, this is a finding. 

Fix Text: 

Change the mode of the audit log directories with the 


# chmod go-w [audit_directory] 

CCI: CCI-000164 

NIST SP 800-53A :: AU-9.1 

NIST SP 800-53 :: AU-9 

Rule Title: The operating system must enforce 

requirements for the connection of mobile devices to 

operating systems. 


ID: V-38490 


Discussion: 

USB storage devices such as thumb drives can be used to 

introduce unauthorized software and other 

UNCLASSIFIED

UNCLASSIFIED 

vulnerabilities. Support for these devices should be 

disabled and the devices themselves should be tightly 

controlled. 




"usb-storage" kernel module, it will contain lines inside 








$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d 


Fix Text: 

To prevent USB storage devices from being used, configure 

the kernel module loading system to prevent automatic 

loading of the USB storage driver. To configure the system 

to prevent the "usb-storage" kernel module from being 



install usb-storage /bin/true 

This will prevent the "modprobe" program from loading the 

"usb-storage" module, but will not prevent an 

administrator (or another program) from using the 

"insmod" program to load the module manually. 

Rule Title: The operating system must conduct backups 

of user-level information contained in the operating 

UNCLASSIFIED

UNCLASSIFIED 

system per organization defined frequency to conduct 

backups consistent with recovery time and recovery point 

objectives. 


ID: V-38488 


Discussion: 

Operating system backup is a critical step in maintaining 

data assurance and availability. User-level information 

is data generated by information system and/or 

application users. Backups shall be consistent with 

organizational recovery time and recovery point 

objectives. 



Ask an administrator if a process exists to back up user 

data from the system. 

If such a process does not exist, this is a finding. 

Fix Text: 

Procedures to back up user data from the system must be 

established and executed. The Red Hat operating system 

provides utilities for automating such a process. 

Commercial and open-source products are also available. 

Implement a process whereby user data is backed up from 

the system in accordance with local policies. 

CCI: CCI-000535 

NIST SP 800-53 :: CP-9 (a) 

NIST SP 800-53A :: CP-9.1 (iv) 

Rule Title: The operating system must conduct backups 

of system-level information contained in the information 

UNCLASSIFIED

UNCLASSIFIED 

system per organization defined frequency to conduct 

backups that are consistent with recovery time and 

recovery point objectives. 


ID: V-38486 


Discussion: 

Operating system backup is a critical step in maintaining 

data assurance and availability. System-level 

information includes system-state information, 

operating system and application software, and licenses. 

Backups must be consistent with organizational recovery 

time and recovery point objectives. 



Ask an administrator if a process exists to back up OS 

data from the system, including configuration data. 

If such a process does not exist, this is a finding. 

Fix Text: 

Procedures to back up OS data from the system must be 

established and executed. The Red Hat operating system 

provides utilities for automating such a process. 

Commercial and open-source products are also available. 

Implement a process whereby OS data is backed up from the 

system in accordance with local policies. 

CCI: CCI-000537 

NIST SP 800-53 :: CP-9 (b) 

NIST SP 800-53A :: CP-9.1 (v) 

Rule Title: The operating system, upon successful 

logon, must display to the user the date and time of the 

UNCLASSIFIED

UNCLASSIFIED 

last logon or access via a local console or tty. 


ID: V-38485 


Discussion: 

Users need to be aware of activity that occurs regarding 

their accounts. Providing users with information 

regarding the date and time of their last successful login 

allows the user to determine if any unauthorized activity 

has occurred and gives them an opportunity to notify 

administrators. 

At console or tty logon, a user must be presented with 

the last successful login date and time. The "hushlogin" 

file determines whether this occurs. 



Verify there are no "hushlogin" files active on the 

system: 

# ls -l /etc/hushlogins 

For each home directory stored in "/etc/passwd": 

# ls ~/.hushlogin 

If there are any "hushlogin" files on the system, this 

is a finding. 

Fix Text: 

Remove any "hushlogin" files from the system: 

# rm /etc/hushlogins 

# rm ~/.hushlogin 

UNCLASSIFIED

UNCLASSIFIED 

Rule Title: The operating system, upon successful 

logon, must display to the user the date and time of the 

last logon or access via ssh. 


ID: V-38484 


Discussion: 

Users need to be aware of activity that occurs regarding 

their account. Providing users with information 

regarding the date and time of their last successful login 

allows the user to determine if any unauthorized activity 

has occurred and gives them an opportunity to notify 

administrators. 

At ssh login, a user must be presented with the last 

successful login date and time. 



Verify the value associated with the "PrintLastLog" 

keyword in /etc/ssh/sshd_config: 

# grep -i PrintLastLog /etc/ssh/sshd_config 

If the value is not set to "yes", this is a finding. If 

the "PrintLastLog" keyword is not present, this is not 

a finding. 

Fix Text: 

Update the "PrintLastLog" keyword to "yes" in 

/etc/ssh/sshd_config: 

PrintLastLog yes 

While it is acceptable to remove the keyword entirely 

since the default action for the SSH daemon is to print 

the last login date and time, it is preferred to have the 

value explicitly documented. 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000052 

NIST SP 800-53 :: AC-9 

NIST SP 800-53A :: AC-9.1 

Rule Title: The system must allow locking of graphical 

desktop sessions. 


ID: V-38474 


Discussion: 

The ability to lock graphical desktop sessions manually 

allows users to easily secure their accounts should they 

need to depart from their workstations temporarily. 



Verify the keybindings for the Gnome screensaver: 

# gconftool-2 --direct --config-source 

xml:readwrite:/etc/gconf/gconf.xml.mandatory --get 

/apps/gnome_settings_daemon/keybindings/screensaver 

If no output is visible, this is a finding. 

Fix Text: 

Run the following command to set the Gnome desktop 

keybinding for locking the screen: 

# gconftool-2 

--direct \ 




--set 

/apps/gnome_settings_daemon/keybindings/screensaver 

UNCLASSIFIED

UNCLASSIFIED 

"l" 

Another keyboard sequence may be substituted for 

"l", which is the default for the Gnome 

desktop. 

CCI: CCI-000058 

NIST SP 800-53 :: AC-11 a 

NIST SP 800-53A :: AC-11 

Rule Title: The system must forward audit records to the 

syslog service. 


ID: V-38471 


Discussion: 

The auditd service does not include the ability to send 

audit records to a centralized server for management 

directly. It does, however, include an audit event 

multiplexor plugin (audispd) to pass audit records to the 

local syslog server. 



Verify the audispd plugin is active: 

# grep active /etc/audisp/plugins.d/syslog.conf 

If the "active" setting is missing or set to "no", this 

is a finding. 

Fix Text: 

Set the "active" line in 

"/etc/audisp/plugins.d/syslog.conf" to "yes". Restart 

the auditd process. 

UNCLASSIFIED

UNCLASSIFIED 

# service auditd restart 

CCI: CCI-000136 

NIST SP 800-53A :: AU-3 (2).1 (ii) 

NIST SP 800-53 :: AU-3 (2) 

Rule Title: The audit system must take appropriate 

action when the audit storage volume is full. 


ID: V-38468 


Discussion: 

Taking appropriate action in case of a filled audit 

storage volume will minimize the possibility of losing 

audit records. 





to take appropriate action when the audit storage volume 

is full: 

# grep disk_full_action /etc/audit/auditd.conf 

disk_full_action = [ACTION] 

If the system is configured to "suspend" when the volume 

is full or "ignore" that it is full, this is a finding. 

Fix Text: 





UNCLASSIFIED

UNCLASSIFIED 

disk_full_action = [ACTION] 



"ignore" 

"syslog" 

"exec" 

"suspend" 

"single" 

"halt" 

Set this to "syslog", "exec", "single", or "halt". 

CCI: CCI-000140 

NIST SP 800-53A :: AU-5.1 (iv) 

NIST SP 800-53 :: AU-5 b 

Rule Title: The audit system must take appropriate 

action when there are disk errors on the audit storage 

volume. 


ID: V-38464 


Discussion: 

Taking appropriate action in case of disk errors will 

minimize the possibility of losing audit records. 





to take appropriate action when disk errors occur: 

# grep disk_error_action /etc/audit/auditd.conf 

UNCLASSIFIED

UNCLASSIFIED 

disk_error_action = [ACTION] 

If the system is configured to "suspend" when disk errors 

occur or "ignore" them, this is a finding. 

Fix Text: 

Edit the file "/etc/audit/auditd.conf". Modify the 

following line, substituting [ACTION] appropriately: 

disk_error_action = [ACTION] 



"ignore" 

"syslog" 

"exec" 

"suspend" 

"single" 

"halt" 

Set this to "syslog", "exec", "single", or "halt". 

CCI: CCI-000140 

NIST SP 800-53A :: AU-5.1 (iv) 

NIST SP 800-53 :: AU-5 b 

Rule Title: The RPM package management tool must 

cryptographically verify the authenticity of all 



ID: V-38462 


Discussion: 

Ensuring all packages' cryptographic signatures are 

UNCLASSIFIED

UNCLASSIFIED 

valid prior to installation ensures the provenance of the 

software and protects against malicious tampering. 



Verify RPM signature validation is not disabled: 

# grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc 

/usr/lib/rpm/redhat/rpmrc ~root/.rpmrc 

If any configuration is found, this is a finding. 

Fix Text: 

Edit the RPM configuration files containing the 

"nosignature" option and remove the option. 

CCI: CCI-000352 

NIST SP 800-53A :: CM-5 (3).1 (ii) 

NIST SP 800-53 :: CM-5 (3) 

Rule Title: The NFS server must not have the all_squash 

option enabled. 


ID: V-38460 


Discussion: 

The "all_squash" option maps all client requests to a 

single anonymous uid/gid on the NFS server, negating the 

ability to track file access by user ID. 



If the NFS server is read-only, in support of unrestricted 

access to organizational content, this is not applicable. 

The related "root_squash" option provides protection 

against remote administrator-level access to NFS server 

UNCLASSIFIED

UNCLASSIFIED 

content. Its use is not a finding. 

To verify the "all_squash" option has been disabled, run 


# grep all_squash /etc/exports 


Fix Text: 

Remove any instances of the "all_squash" option from the 

file "/etc/exports". Restart the NFS daemon for the 

changes to take effect. 

# service nfs restart 

CCI: CCI-000764 

NIST SP 800-53A :: IA-2.1 

NIST SP 800-53 :: IA-2 


verify ownership on all files and directories associated 

with packages. 


ID: V-38454 


Discussion: 

Ownership of system binaries and configuration files that 

is incorrect could allow an unauthorized user to gain 

privileges that they should not have. The ownership set 

by the vendor should be maintained. Any deviations from 

this baseline should be investigated. 



UNCLASSIFIED

UNCLASSIFIED 

The following command will list which files on the system 

have ownership different from what is expected by the RPM 

database: 

# rpm -Va | grep '^.....U' 


Fix Text: 

The RPM package management system can restore ownership 

of package files and directories. The following command 

will update files and directories with ownership 

different from what is expected by the RPM database: 

# rpm -qf [file or directory name] 

# rpm --setugids [package] 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


verify group-ownership on all files and directories 

associated with packages. 


ID: V-38453 


Discussion: 

Group-ownership of system binaries and configuration 

files that is incorrect could allow an unauthorized user 


group-ownership set by the vendor should be maintained. 

Any deviations from this baseline should be investigated. 


UNCLASSIFIED

UNCLASSIFIED 



have group-ownership different from what is expected by 

the RPM database: 

# rpm -Va | grep '^......G' 


Fix Text: 

The RPM package management system can restore 

group-ownership of the package files and directories. The 

following command will update files and directories with 

group-ownership different from what is expected by the 

RPM database: 


# rpm --setugids [package] 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


verify permissions on all files and directories 

associated with packages. 


ID: V-38452 


Discussion: 

Permissions on system binaries and configuration files 

that are too generous could allow an unauthorized user 


permissions set by the vendor should be maintained. Any 

deviations from this baseline should be investigated. 

UNCLASSIFIED

UNCLASSIFIED 



The following command will list which files and 

directories on the system have permissions different from 

what is expected by the RPM database: 

# rpm -Va | grep '^.M' 

If there is any output, for each file or directory found, 

find the associated RPM package and compare the 

RPM-expected permissions with the actual permissions on 

the file or directory: 


# rpm -q --queryformat "[%{FILENAMES} 

%{FILEMODES:perms}\n]" [package] | grep [filename] 

# ls -lL [filename] 

If the existing permissions are more permissive than 

those expected by RPM, this is a finding. 

Fix Text: 

The RPM package management system can restore file access 

permissions of package files and directories. The 

following command will update permissions on files and 

directories with permissions different from what is 


# rpm --setperms [package] 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 


verify contents of all files associated with packages. 


ID: V-38447 

UNCLASSIFIED

UNCLASSIFIED 


Discussion: 

The hash on important files like system executables 

should match the information given by the RPM database. 

Executables with erroneous hashes could be a sign of 

nefarious activity on the system. 




have file hashes different from what is expected by the 

RPM database. 

# rpm -Va | grep '$1 ~ /..5/ && $2 != "c"' 


Fix Text: 

The RPM package management system can check the hashes 

of installed software packages, including many that are 

important to system security. Run the following command 

to list which files on the system have hashes that differ 

from what is expected by the RPM database: 

# rpm -Va | grep '^..5' 

A "c" in the second column indicates that a file is a 

configuration file, which may appropriately be expected 

to change. If the file that has changed was not expected 

to then refresh from distribution media or online 

repositories. 

rpm -Uvh [affected_package] 

OR 

yum reinstall [affected_package] 

UNCLASSIFIED

UNCLASSIFIED 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: The mail system must forward all mail for 

root to one or more system administrators. 


ID: V-38446 


Discussion: 

A number of system services utilize email messages sent 

to the root user to notify system administrators of active 

or impending issues. These messages must be forwarded 

to at least one monitored email address. 



Find the list of alias maps used by the Postfix mail 

server: 

# postconf alias_maps 

Query the Postfix alias maps for an alias for "root": 

# postmap -q root 

If there are no aliases configured for root that forward 

to a monitored email address, this is a finding. 

Fix Text: 

Set up an alias for root that forwards to a monitored email 

address: 

# echo "root: @mail.mil" >> 

/etc/aliases 

UNCLASSIFIED

UNCLASSIFIED 

# newaliases 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

Rule Title: Audit log files must be group-owned by root. 


ID: V-38445 


Discussion: 

If non-privileged users can write to audit logs, audit 

trails can be modified or destroyed. 



Run the following command to check the group owner of the 

system audit logs: 


s/^[^\/]*//|xargs stat -c %G:%n 

Audit logs must be group-owned by root. 

If they are not, this is a finding. 

Fix Text: 

Change the group owner of the audit log files with the 


# chgrp root [audit_file] 

Rule Title: The systems local IPv6 firewall must 

implement a deny-all, allow-by-exception policy for 

inbound packets. 

UNCLASSIFIED

UNCLASSIFIED 


ID: V-38444 


Discussion: 

In "ip6tables" the default policy is applied only after 







Inspect the file "/etc/sysconfig/ip6tables" to determine 

the default policy for the INPUT chain. It should be set 

to DROP. 

# grep ":INPUT" /etc/sysconfig/ip6tables 

If the default policy for the INPUT chain is not set to 

DROP, this is a finding. 

Fix Text: 


the built-in INPUT chain which processes incoming 

packets, add or correct the following line in 

"/etc/sysconfig/ip6tables": 

:INPUT DROP [0:0] 

CCI: CCI-000066 

NIST SP 800-53A :: AC-17.1 (v) 

NIST SP 800-53 :: AC-17 e 

Rule Title: The system must provide automated support 

for account management functions. 


UNCLASSIFIED

UNCLASSIFIED 

ID: V-38439 


Discussion: 

A comprehensive account management process that includes 

automation helps to ensure the accounts designated as 

requiring attention are consistently and promptly 

addressed. Enterprise environments make user account 

management challenging and complex. A user management 

process requiring administrators to manually address 

account management functions adds risk of potential 

oversight. 



Interview the SA to determine if there is an automated 

system for managing user accounts, preferably integrated 

with an existing enterprise user management system. 

If there is not, this is a finding. 

Fix Text: 

Implement an automated system for managing user accounts 

that minimizes the risk of errors, either intentional or 

deliberate. If possible, this system should integrate 

with an existing enterprise user management system, such 

as, one based Active Directory or Kerberos. 

CCI: CCI-000015 

NIST SP 800-53 :: AC-2 (1) 

NIST SP 800-53A :: AC-2 (1).1 

Rule Title: Auditing must be enabled at boot by setting 

a kernel parameter. 


ID: V-38438 


UNCLASSIFIED

UNCLASSIFIED 

Discussion: 

Each process on the system carries an "auditable" flag 

which indicates whether its activities can be audited. 

Although "auditd" takes care of enabling this for all 

processes which launch after it does, adding the kernel 

argument ensures it is set for every process during boot. 



Inspect the kernel boot arguments (which follow the word 

"kernel") in "/etc/grub.conf". If they include 

"audit=1", then auditing is enabled at boot time. 

If auditing is not enabled at boot time, this is a finding. 

Fix Text: 

To ensure all processes can be audited, even those which 

start prior to the audit daemon, add the argument 

"audit=1" to the kernel line in "/etc/grub.conf", in the 

manner below: 

kernel /vmlinuz-version ro vga=ext 

root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1 

CCI: CCI-000169 

NIST SP 800-53A :: AU-12.1 (ii) 

NIST SP 800-53 :: AU-12 a 

Rule Title: Automated file system mounting tools must 

not be enabled unless needed. 


ID: V-38437 


Discussion: 

All filesystems that are required for the successful 

UNCLASSIFIED

UNCLASSIFIED 

operation of the system should be explicitly listed in 

"/etc/fstab" by an administrator. New filesystems should 

not be arbitrarily introduced via the automounter. 

The "autofs" daemon mounts and unmounts filesystems, such 

as user home directories shared via NFS, on demand. In 

addition, autofs can be used to handle removable media, 

and the default configuration provides the cdrom device 

as "/misc/cd". However, this method of providing access 

to removable media is not common, so autofs can almost 

always be disabled if NFS is not in use. Even if NFS is 

required, it is almost always possible to configure 

filesystem mounts statically by editing "/etc/fstab" 

rather than relying on the automounter. 



To verify the "autofs" service is disabled, run the 


chkconfig --list autofs 

If properly configured, the output should be the 

following: 

autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off 

Verify the "autofs" service is not running: 

# service autofs status 

If the autofs service is enabled or running, this is a 

finding. 

Fix Text: 

If the "autofs" service is not needed to dynamically mount 

NFS filesystems or removable media, disable the service 

for all runlevels: 

UNCLASSIFIED

UNCLASSIFIED 

# chkconfig --level 0123456 autofs off 

Stop the service if it is already running: 

# service autofs stop 

CCI: CCI-000366 

NIST SP 800-53A :: CM-6.1 (iv) 

NIST SP 800-53 :: CM-6 b 

UNCLASSIFIED

RedHat 6 STIG PDF - NoPasara

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?