Introduction

Test Result

Result ID: xccdf_org.open-scap_testresult_default-profile
Profile: (Default profile)
Start time: 2015-03-08 14:02
End time: 2015-03-08 14:02
Benchmark: embedded
Benchmark version: 1

Target info

Targets

  • 627f72d827bb

Addresses

  • 127.0.0.1
  • 172.17.0.84
  • 0:0:0:0:0:0:0:1
  • fe80:0:0:0:42:acff:fe11:54

Applicable platforms

  • cpe:/o:redhat:enterprise_linux:6

Score

Scoring system: urn:xccdf:scoring:default
Score: 43.58 of a maximum 100.00 (43.58%)

Results overview

Rule Results Summary

pass             78
fixed             0
fail            101
error             0
not selected      0
not checked       0
not applicable    0
informational     0
unknown           0
total           179

Title Result
Automated file system mounting tools must not be enabled unless needed. pass
Auditing must be enabled at boot by setting a kernel parameter. fail
The /etc/gshadow file must be owned by root. pass
The /etc/gshadow file must be group-owned by root. pass
The /etc/gshadow file must have mode 0000. pass
The /etc/passwd file must be owned by root. pass
The /etc/passwd file must be group-owned by root. pass
The system must use a separate file system for /tmp. fail
The system must use a separate file system for /var. fail
The /etc/passwd file must have mode 0644 or less permissive. pass
The /etc/group file must be owned by root. pass
The /etc/group file must be group-owned by root. pass
The /etc/group file must have mode 0644 or less permissive. pass
The system must use a separate file system for /var/log. fail
Library files must be owned by root. pass
The system must use a separate file system for the system audit data path. fail
All system command files must have mode 0755 or less permissive. pass
The audit system must alert designated staff members when the audit storage volume approaches capacity. fail
All system command files must be owned by root. pass
The system must use a separate file system for user home directories. fail
The system must require passwords to contain a minimum of 14 characters. fail
Users must not be able to change passwords more than once every 24 hours. fail
The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. pass
User passwords must be changed at least every 60 days. fail
Users must be warned 7 days in advance of password expiration. pass
The system must require passwords to contain at least one numeric character. fail
The system package management tool must cryptographically verify the authenticity of system software packages during installation. pass
The system package management tool must cryptographically verify the authenticity of all software packages during installation. pass
A file integrity tool must be installed. fail
The operating system must enforce requirements for the connection of mobile devices to operating systems. fail
There must be no .rhosts or hosts.equiv files on the system. pass
The system must prevent the root account from logging in from virtual consoles. fail
The system must prevent the root account from logging in from serial consoles. pass
Audit log files must be owned by root. pass
The system must not have accounts configured with blank or null passwords. fail
Audit log files must have mode 0640 or less permissive. pass
The /etc/passwd file must not contain password hashes. pass
The root account must be the only account having a UID of 0. pass
The system must disable accounts after excessive login failures within a 15-minute interval. fail
The /etc/shadow file must be owned by root. pass
The /etc/shadow file must be group-owned by root. pass
The /etc/shadow file must have mode 0000. pass
IP forwarding for IPv4 must not be enabled, unless the system is a router. fail
The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. pass
The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. fail
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. fail
The Stream Control Transmission Protocol (SCTP) must be disabled unless required. fail
The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. fail
The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. fail
All rsyslog-generated log files must be owned by root. pass
The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. fail
The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components. fail
The audit system must be configured to audit all attempts to alter system time through settimeofday. fail
The system must not accept IPv4 source-routed packets on any interface. fail
The system must not accept ICMPv4 redirect packets on any interface. fail
The audit system must be configured to audit all attempts to alter system time through stime. pass
The system must not accept ICMPv4 secure redirect packets on any interface. fail
The audit system must be configured to audit all attempts to alter system time through clock_settime. fail
The system must log Martian packets. fail
The system must not accept IPv4 source-routed packets by default. fail
The audit system must be configured to audit all attempts to alter system time through /etc/localtime. fail
The operating system must automatically audit account creation. fail
The system must not accept ICMPv4 secure redirect packets by default. fail
The system must ignore ICMPv4 redirect messages by default. fail
The operating system must automatically audit account modification. fail
The system must not respond to ICMPv4 sent to a broadcast address. fail
The operating system must automatically audit account disabling actions. fail
The system must ignore ICMPv4 bogus error responses. fail
The operating system must automatically audit account termination. fail
The system must be configured to use TCP syncookies. fail
The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux). fail
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. fail
The audit system must be configured to audit all discretionary access control permission modifications using chmod. fail
The system must use a reverse-path filter for IPv4 network traffic when possible by default. fail
The audit system must be configured to audit all discretionary access control permission modifications using chown. fail
The IPv6 protocol handler must not be bound to the network stack unless needed. fail
The audit system must be configured to audit all discretionary access control permission modifications using fchmod. fail
The system must ignore ICMPv6 redirects by default. fail
The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. fail
The audit system must be configured to audit all discretionary access control permission modifications using fchown. fail
The audit system must be configured to audit all discretionary access control permission modifications using fchownat. fail
The system must employ a local IPv4 firewall. pass
The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. fail
The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. fail
The audit system must be configured to audit all discretionary access control permission modifications using lchown. fail
The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. fail
The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. fail
The audit system must be configured to audit all discretionary access control permission modifications using removexattr. fail
The audit system must be configured to audit all discretionary access control permission modifications using setxattr. fail
The audit system must be configured to audit successful file system mounts. fail
The system must require passwords to contain at least one uppercase alphabetic character. fail
The system must require passwords to contain at least one special character. fail
The system must require passwords to contain at least one lowercase alphabetic character. fail
The system must require at least four characters be changed between the old and new passwords during a password change. fail
The system must disable accounts after three consecutive unsuccessful logon attempts. fail
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). pass
The audit system must be configured to audit user deletions of files and programs. fail
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). pass
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). pass
The audit system must be configured to audit changes to the /etc/sudoers file. fail
The system boot loader configuration file(s) must be owned by root. fail
The audit system must be configured to audit the loading and unloading of dynamic kernel modules. fail
The system boot loader configuration file(s) must be group-owned by root. fail
The xinetd service must be disabled if no network services utilizing it are enabled. pass
The system boot loader configuration file(s) must have mode 0600 or less permissive. fail
The xinetd service must be uninstalled if no network services utilizing it are enabled. pass
The system boot loader must require authentication. fail
The system must require authentication upon booting into single-user and maintenance modes. fail
The telnet-server package must not be installed. pass
The system must not permit interactive boot. fail
The telnet daemon must not be running. pass
The system must allow locking of the console screen in text mode. fail
The rsh-server package must not be installed. pass
The system must require administrator action to unlock an account locked by excessive failed login attempts. fail
The rshd service must not be running. pass
The rexecd service must not be running. pass
The system must not send ICMPv4 redirects by default. fail
The system must not send ICMPv4 redirects from any interface. fail
The rlogind service must not be running. pass
The ypserv package must not be installed. pass
The ypbind service must not be running. pass
The cron service must be running. fail
The tftp-server package must not be installed. pass
The SSH daemon must be configured to use only the SSHv2 protocol. pass
The SSH daemon must set a timeout interval on idle sessions. pass
The SSH daemon must set a timeout count on idle sessions. pass
The SSH daemon must ignore .rhosts files. pass
The SSH daemon must not allow host-based authentication. pass
The system must not permit root logins using remote access programs such as ssh. pass
The SSH daemon must not allow authentication using an empty password. pass
The SSH daemon must be configured with the Department of Defense (DoD) login banner. pass
The SSH daemon must not permit user environment settings. pass
The avahi service must be disabled. pass
The system clock must be synchronized continuously, or at least daily. fail
The system clock must be synchronized to an authoritative DoD time source. fail
Mail relaying must be restricted. fail
The openldap-servers package must not be installed unless required. pass
The graphical desktop environment must set the idle timeout to no more than 15 minutes. pass
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment. pass
The system must set a maximum audit log file size. fail
The system must rotate audit log files that reach the maximum file size. fail
The audit system must be configured to audit all attempts to alter system time through adjtimex. fail
The system must retain enough rotated audit logs to cover the required log retention period. fail
The graphical desktop environment must have automatic lock enabled. pass
The system must display a publicly-viewable pattern during a graphical desktop environment session lock. pass
The Automatic Bug Reporting Tool (abrtd) service must not be running. pass
The atd service must be disabled. pass
The system default umask for daemons must be 027 or 022. pass
The ntpdate service must not be running. pass
The system default umask in /etc/login.defs must be 077. pass
The oddjobd service must not be running. pass
The system default umask in /etc/profile must be 077. fail
The qpidd service must not be running. pass
The system default umask for the csh shell must be 077. fail
The rdisc service must not be running. pass
The system default umask for the bash shell must be 077. fail
The system must use SMB client signing for connecting to samba servers using smbclient. pass
The postfix service must be enabled for mail delivery. fail
The sendmail package must be removed. pass
The netconsole service must be disabled unless required. pass
X Windows must not be enabled unless required. pass
Process core dumps must be disabled unless needed. fail
The xorg-x11-server-common (X Windows) package must not be installed, unless required. pass
The DHCP client must be disabled if not needed. fail
The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. fail
The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. fail
The system must provide VPN connectivity for communications over untrusted networks. fail
A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. pass
The Bluetooth service must be disabled. pass
Accounts must be locked upon 35 days of inactivity. fail
The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity. fail
The sticky bit must be set on all public directories. pass
All public directories must be owned by a system account. pass
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. pass
The system must use a Linux Security Module at boot time. pass
The system must use a Linux Security Module configured to enforce limits on system services. fail
The system must use a Linux Security Module configured to limit the privileges of system services. fail
The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. fail
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. fail

Results details

Result for Automated file system mounting tools must not be enabled unless needed.

Result: pass

Rule ID: SV-50237r1_rule

Time: 2015-03-08 14:02

Severity: low

Discussion: All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.

Documentable: false

Security identifiers

  • CCE-26976-1
  • CCI-000366

Result for Auditing must be enabled at boot by setting a kernel parameter.

Result: fail

Rule ID: SV-50238r2_rule

Time: 2015-03-08 14:02

Severity: low

Discussion: Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Documentable: false

Security identifiers

  • CCE-26785-6
  • CCI-000169

Remediation instructions

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/etc/grub.conf", in the manner below:

    kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1

UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.
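
The following script is an added example and not part of the report or the STIG. It checks every "kernel" line of a grub.conf in the format quoted above for the audit=1 argument and appends the argument where it is missing, rewriting the file in place so that the ownership and 0600 mode the boot loader rules require are kept (and so that the /etc/grub.conf symlink RHEL 6 uses is followed). The function names and the sample stanza in the comments are my own.

```shell
#!/bin/sh
# Added example, not code from the OpenSCAP report or the STIG: audit the
# "kernel" lines of a legacy GRUB 0.97 config (RHEL 6 /etc/grub.conf) for the
# audit=1 argument and add it where it is missing. The assumed format is the
# one shown in the remediation text: one "kernel <image> <args...>" line per
# boot stanza, possibly indented, e.g.
#   title Red Hat Enterprise Linux Server (2.6.32-example.x86_64)   (constructed)
#           kernel /vmlinuz-2.6.32-example.x86_64 ro root=/dev/VolGroup00/LogVol00 rhgb quiet

# grub_audit_check FILE: print every kernel line lacking audit=1.
# Returns 0 only if the file has at least one kernel line and all carry it.
grub_audit_check() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }         # ignore indentation
        line ~ /^kernel[ \t]/ {                           # a real kernel line, not a comment or title
            kernels++
            # pad with blanks so "audit=1" is matched as a whole argument, not "audit=10"
            if ((" " line " ") !~ /[ \t]audit=1[ \t]/) { print "missing audit=1: " line; missing++ }
        }
        END {
            if (kernels == 0) { print "no kernel lines found"; exit 1 }
            exit (missing ? 1 : 0)
        }' "$1"
}

# grub_audit_fix FILE: append " audit=1" to each kernel line that lacks it.
# Idempotent: running it twice adds the argument once. The result is copied
# back with "cat >" rather than mv, so the file keeps its owner, mode and any
# symlink (/etc/grub.conf -> /boot/grub/grub.conf on RHEL 6).
grub_audit_fix() {
    awk '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^kernel[ \t]/ && (" " line " ") !~ /[ \t]audit=1[ \t]/) $0 = $0 " audit=1"
            print
        }' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Usage: sh grub_audit.sh /etc/grub.conf  (checks, then fixes if needed).
# Without arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        grub_audit_check "$f" || { grub_audit_fix "$f" && echo "fixed $f"; }
    done
fi
```

Run it as root against /etc/grub.conf; a reboot is needed before the argument takes effect, and the change can be confirmed afterwards in /proc/cmdline.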

Result for The /etc/gshadow file must be owned by root.

Result: pass

Rule ID: SV-50243r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Documentable: false

Security identifiers

  • CCE-27026-4
  • CCI-000366

Result for The /etc/gshadow file must be group-owned by root.

Result: pass

Rule ID: SV-50248r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.

Documentable: false

Security identifiers

  • CCE-26975-3
  • CCI-000366

Result for The /etc/gshadow file must have mode 0000.

Result: pass

Rule ID: SV-50249r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Documentable: false

Security identifiers

  • CCE-26951-4
  • CCI-000366

Result for The /etc/passwd file must be owned by root.

Result: pass

Rule ID: SV-50250r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Documentable: false

Security identifiers

  • CCE-26953-0
  • CCI-000366

Result for The /etc/passwd file must be group-owned by root.

Result: pass

Rule ID: SV-50251r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Documentable: false

Security identifiers

  • CCE-26856-5
  • CCI-000366

Result for The system must use a separate file system for /tmp.

Result: fail

Rule ID: SV-50255r1_rule

Time: 2015-03-08 14:02

Severity: low

Discussion: The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Documentable: false

Security identifiers

  • CCE-26435-8
  • CCI-000366

Remediation instructions

The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Result for The system must use a separate file system for /var.

Result: fail

Rule ID: SV-50256r1_rule

Time: 2015-03-08 14:02

Severity: low

Discussion: Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.

Documentable: false

Security identifiers

  • CCE-26639-5
  • CCI-000366

Remediation instructions

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

Result for The /etc/passwd file must have mode 0644 or less permissive.

Result: pass

Rule ID: SV-50257r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Documentable: false

Security identifiers

  • CCE-26868-0
  • CCI-000366

Result for The /etc/group file must be owned by root.

Result: pass

Rule ID: SV-50258r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Documentable: false

Security identifiers

  • CCE-26822-7
  • CCI-000366

Result for The /etc/group file must be group-owned by root.

Result: pass

Rule ID: SV-50259r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Documentable: false

Security identifiers

  • CCE-26930-8
  • CCI-000366

Result for The /etc/group file must have mode 0644 or less permissive.

Result: pass

Rule ID: SV-50261r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Documentable: false

Security identifiers

  • CCE-26954-8
  • CCI-000366

Result for The system must use a separate file system for /var/log.

Result: fail

Rule ID: SV-50263r1_rule

Time: 2015-03-08 14:02

Severity: low

Discussion: Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".

Documentable: false

Security identifiers

  • CCE-26215-4
  • CCI-000366

Remediation instructions

System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Result for Library files must be owned by root.

Result: pass

Rule ID: SV-50266r1_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Documentable: false

Security identifiers

  • CCE-27424-1
  • CCI-001499

Result for The system must use a separate file system for the system audit data path.

Result: fail

Rule ID: SV-50267r1_rule

Time: 2015-03-08 14:02

Severity: low

Discussion: Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Documentable: false

Security identifiers

  • CCE-26436-6
  • CCI-000137

Remediation instructions

Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Result for All system command files must have mode 0755 or less permissive.

Result: pass

Rule ID: SV-50269r2_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Documentable: false

Security identifiers

  • CCE-27289-8
  • CCI-001499

Result for The audit system must alert designated staff members when the audit storage volume approaches capacity.

Result: fail

Rule ID: SV-50270r2_rule

Time: 2015-03-08 14:02

Severity: medium

Discussion: Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Documentable: false

Security identifiers

  • CCE-27238-5
  • CCI-000138

Remediation instructions

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

    space_left_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

  • ignore
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt

Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.
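
The script below is an added example, not code from the report or the STIG. It reads and rewrites "key = value" lines in an auditd.conf-style file and grades space_left_action the way the instructions above do: "email" passes, "syslog" is flagged as acceptable only with an alerting log pipeline, and anything else (including the default "suspend") is a finding. The line syntax and the case-insensitive action names follow auditd.conf(5); the sample file in the test is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the OpenSCAP report or the STIG: get/set keys
# in /etc/audit/auditd.conf and evaluate space_left_action against the
# remediation text (email preferred; syslog acceptable with caveats).
# Assumes the "key = value" line format of auditd.conf(5), "#" comments, and
# that auditd compares action names case-insensitively.

# auditd_get FILE KEY: print KEY's value (last uncommented occurrence wins),
# return 1 if the key is not set anywhere in the file.
auditd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment line
        {
            i = index($0, "=")
            if (i == 0) next                      # not a key = value line
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }' "$1"
}

# auditd_set FILE KEY VALUE: replace the first uncommented KEY line, drop any
# later duplicates (auditd would otherwise take the last one), or append if
# the key is absent. "cat >" keeps the file's root:root 0640 ownership/mode.
auditd_set() {
    awk -v key="$2" -v value="$3" '
        {
            if ($0 !~ /^[ \t]*#/) {
                i = index($0, "=")
                if (i > 0) {
                    k = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
                    if (k == key) {
                        if (!done) { print key " = " value; done = 1 }
                        next
                    }
                }
            }
            print
        }
        END { if (!done) print key " = " value }' "$1" > "$1.tmp" \
        && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# auditd_space_left_check FILE: 0 = email (compliant), 2 = syslog (acceptable
# only if log management alerts an administrator), 1 = unset or any action
# that notifies nobody (ignore, exec, suspend, single, halt).
auditd_space_left_check() {
    local action acct
    action=$(auditd_get "$1" space_left_action) \
        || { echo "FAIL: space_left_action not set (auditd default is suspend)"; return 1; }
    action=$(printf '%s' "$action" | tr '[:upper:]' '[:lower:]')
    case $action in
        email)
            acct=$(auditd_get "$1" action_mail_acct) || acct=root   # auditd default
            echo "pass: space_left_action=email, mail to $acct (RHEL-06-000521: must reach an administrator)"
            return 0 ;;
        syslog)
            echo "WARN: space_left_action=syslog, acceptable only if log management pages an administrator"
            return 2 ;;
        *)
            echo "FAIL: space_left_action=$action notifies nobody"
            return 1 ;;
    esac
}

# Usage: sh auditd_space.sh /etc/audit/auditd.conf [fix]
# With no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    if ! auditd_space_left_check "$1" && [ "${2:-}" = fix ]; then
        auditd_set "$1" space_left_action email && echo "set space_left_action = email in $1"
    fi
fi
```

After changing the file, restart auditd (service auditd restart on RHEL 6) and make sure action_mail_acct names a monitored mailbox and that local mail delivery actually works, or the "email" action is no better than "ignore".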

Remediation script

                
              

Result for All system command files must be owned by root.

Result: pass

Rule ID: SV-50272r1_rule

Time: 2015-03-08 14:02

Severity: medium

System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.

Security identifiers

  • CCE-27623-8
  • CCI-001499

Remediation script

                
              

Result for The system must use a separate file system for user home directories.

Result: fail

Rule ID: SV-50273r1_rule

Time: 2015-03-08 14:02

Severity: low

Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Security identifiers

  • CCE-26557-9
  • CCI-000366

Remediation instructions

If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Remediation script

                
              

Result for The system must require passwords to contain a minimum of 14 characters.

Result: fail

Rule ID: SV-50275r1_rule

Time: 2015-03-08 14:02

Severity: medium

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).

Security identifiers

  • CCE-27002-5
  • CCI-000205

Remediation instructions

To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following line:

    PASS_MIN_LEN 14

The DoD requirement is "14". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.

Remediation script

                
              

Result for Users must not be able to change passwords more than once every 24 hours.

Result: fail

Rule ID: SV-50277r1_rule

Time: 2015-03-08 14:02

Severity: medium

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

Security identifiers

  • CCE-27013-2
  • CCI-000198

Remediation instructions

To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

    PASS_MIN_DAYS [DAYS]

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.

Remediation script

                
              

Result for The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.

Result: pass

Rule ID: SV-50278r2_rule

Time: 2015-03-08 14:02

Severity: low

Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the "rhnsd" daemon can remain on.

Security identifiers

  • CCE-26846-6
  • CCI-000382

Remediation script

                
              

Result for User passwords must be changed at least every 60 days.

Result: fail

Rule ID: SV-50279r1_rule

Time: 2015-03-08 14:02

Severity: medium

Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

Security identifiers

  • CCE-26985-2
  • CCI-000199

Remediation instructions

To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

    PASS_MAX_DAYS [DAYS]

The DoD requirement is 60.

Remediation script

                
              

Result for Users must be warned 7 days in advance of password expiration.

Result: pass

Rule ID: SV-50280r1_rule

Time: 2015-03-08 14:02

Severity: low

Setting the password warning age enables users to make the change at a practical time.

Security identifiers

  • CCE-26988-6
  • CCI-000366

Remediation script

                
              

Result for The system must require passwords to contain at least one numeric character.

Result: fail

Rule ID: SV-50282r1_rule

Time: 2015-03-08 14:02

Severity: low

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26374-9
  • CCI-000194

Remediation instructions

The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.

Remediation script

                
              

Result for The system package management tool must cryptographically verify the authenticity of system software packages during installation.

Result: pass

Rule ID: SV-50283r1_rule

Time: 2015-03-08 14:02

Severity: medium

Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.

Security identifiers

  • CCE-26709-6
  • CCI-000663

Remediation script

                
              

Result for The system package management tool must cryptographically verify the authenticity of all software packages during installation.

Result: pass

Rule ID: SV-50288r1_rule

Time: 2015-03-08 14:02

Severity: low

Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.

Security identifiers

  • CCE-26647-8
  • CCI-000663

Remediation script

                
              

Result for A file integrity tool must be installed.

Result: fail

Rule ID: SV-50290r1_rule

Time: 2015-03-08 14:02

Severity: medium

The AIDE package must be installed if it is to be available for integrity checking.

Security identifiers

  • CCE-27024-9
  • CCI-001069

Remediation instructions

Install the AIDE package with the command:

    # yum install aide

Remediation script

                
              

Result for The operating system must enforce requirements for the connection of mobile devices to operating systems.

Result: fail

Rule ID: SV-50291r2_rule

Time: 2015-03-08 14:02

Severity: medium

USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.

Security identifiers

  • CCE-27016-5

Remediation instructions

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

    install usb-storage /bin/false

This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.

Remediation script

                
              

Result for There must be no .rhosts or hosts.equiv files on the system.

Result: pass

Rule ID: SV-50292r1_rule

Time: 2015-03-08 14:02

Severity: high

Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.

Security identifiers

  • CCE-27270-8
  • CCI-001436

Remediation script

                
              

Result for The system must prevent the root account from logging in from virtual consoles.

Result: fail

Rule ID: SV-50293r1_rule

Time: 2015-03-08 14:02

Severity: medium

Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

Security identifiers

  • CCE-26855-7
  • CCI-000770

Remediation instructions

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty":

    vc/1
    vc/2
    vc/3
    vc/4

Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.

Remediation script

                
              

Result for The system must prevent the root account from logging in from serial consoles.

Result: pass

Rule ID: SV-50295r1_rule

Time: 2015-03-08 14:02

Severity: low

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Security identifiers

  • CCE-27047-0
  • CCI-000770

Remediation script

                
              

Result for Audit log files must be owned by root.

Result: pass

Rule ID: SV-50296r1_rule

Time: 2015-03-08 14:02

Severity: medium

If non-privileged users can write to audit logs, audit trails can be modified or destroyed.

Security identifiers

  • CCE-27244-3
  • CCI-000162

Remediation script

                
              

Result for The system must not have accounts configured with blank or null passwords.

Result: fail

Rule ID: SV-50298r2_rule

Time: 2015-03-08 14:02

Severity: high

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Security identifiers

  • CCE-27038-9
  • CCI-000366

Remediation instructions

If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" to prevent logons with empty passwords.

Remediation script

                
              

Result for Audit log files must have mode 0640 or less permissive.

Result: pass

Rule ID: SV-50299r1_rule

Time: 2015-03-08 14:02

Severity: medium

If users can write to audit logs, audit trails can be modified or destroyed.

Security identifiers

  • CCE-27243-5
  • CCI-000163

Remediation script

                
              

Result for The /etc/passwd file must not contain password hashes.

Result: pass

Rule ID: SV-50300r1_rule

Time: 2015-03-08 14:02

Severity: medium

The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.

Security identifiers

  • CCE-26476-2
  • CCI-000366

Remediation script

                
              

Result for The root account must be the only account having a UID of 0.

Result: pass

Rule ID: SV-50301r2_rule

Time: 2015-03-08 14:02

Severity: medium

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Security identifiers

  • CCE-26971-2
  • CCI-000366

Remediation script

                
              

Result for The system must disable accounts after excessive login failures within a 15-minute interval.

Result: fail

Rule ID: SV-50302r3_rule

Time: 2015-03-08 14:02

Severity: medium

Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.

Security identifiers

  • CCE-27215-3
  • CCI-001452

Remediation instructions

Utilizing "pam_faillock.so", the "fail_interval" directive configures the system to lock out accounts after a number of incorrect logon attempts. Add the following "fail_interval" directives to "pam_faillock.so" immediately below the "pam_unix.so" statement in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth": auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

Remediation script

                
              

Result for The /etc/shadow file must be owned by root.

Result: pass

Rule ID: SV-50303r1_rule

Time: 2015-03-08 14:02

Severity: medium

<VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-26947-2
  • CCI-000366

Remediation script

                
              

Result for The /etc/shadow file must be group-owned by root.

Result: pass

Rule ID: SV-50304r1_rule

Time: 2015-03-08 14:02

Severity: medium

<VulnDiscussion>The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-26967-0
  • CCI-000366

Remediation script

                
              

Result for The /etc/shadow file must have mode 0000.

Result: pass

Rule ID: SV-50305r1_rule

Time: 2015-03-08 14:02

Severity: medium

<VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-26992-8
  • CCI-000366

Remediation script

                
              

Result for IP forwarding for IPv4 must not be enabled, unless the system is a router.

Result: fail

Rule ID: SV-50312r1_rule

Time: 2015-03-08 14:02

Severity: medium

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers.

Security identifiers

  • CCE-26866-4
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command:

    # sysctl -w net.ipv4.ip_forward=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.ip_forward = 0

Remediation script

                
              

Result for The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.

Result: pass

Rule ID: SV-50313r2_rule

Time: 2015-03-08 14:02

Severity: medium

<VulnDiscussion>The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-27018-1
  • CCI-001100

Remediation script

                
              

Result for The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.

Result: fail

Rule ID: SV-50314r1_rule

Time: 2015-03-08 14:02

Severity: medium

<VulnDiscussion>In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-26444-0
  • CCI-000066

Remediation instructions

To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables":

    :INPUT DROP [0:0]

Remediation script

                
              

Result for The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.

Result: fail

Rule ID: SV-50315r2_rule

Time: 2015-03-08 14:02

Severity: medium

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26448-1
  • CCI-000382

Remediation instructions

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

    install dccp /bin/false

Remediation script

                
              

Result for The Stream Control Transmission Protocol (SCTP) must be disabled unless required.

Result: fail

Rule ID: SV-50316r2_rule

Time: 2015-03-08 14:02

Severity: medium

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26410-1
  • CCI-000382

Remediation instructions

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

    install sctp /bin/false

Remediation script

                
              

Result for The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.

Result: fail

Rule ID: SV-50317r2_rule

Time: 2015-03-08 14:02

Severity: low

Disabling RDS protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26239-4
  • CCI-000382

Remediation instructions

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

    install rds /bin/false

Remediation script

                
              

Result for The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.

Result: fail

Rule ID: SV-50318r2_rule

Time: 2015-03-08 14:02

Severity: medium

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Security identifiers

  • CCE-26696-5
  • CCI-000382

Remediation instructions

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":

    install tipc /bin/false

Remediation script

                
              

Result for All rsyslog-generated log files must be owned by root.

Result: pass

Rule ID: SV-50319r2_rule

Time: 2015-03-08 14:02

Severity: medium

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

Security identifiers

  • CCE-26812-8
  • CCI-001314

Result for The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.

Result: fail

Rule ID: SV-50321r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Security identifiers

  • CCE-26801-1
  • CCI-001348

Remediation instructions

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.

To use UDP for log message delivery:

    *.* @[loghost.example.com]

To use TCP for log message delivery:

    *.* @@[loghost.example.com]

To use RELP for log message delivery:

    *.* :omrelp:[loghost.example.com]

Result for The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.

Result: fail

Rule ID: SV-50322r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Security identifiers

  • CCE-26801-1
  • CCI-000169

Remediation instructions

To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.

To use UDP for log message delivery:

    *.* @[loghost.example.com]

To use TCP for log message delivery:

    *.* @@[loghost.example.com]

To use RELP for log message delivery:

    *.* :omrelp:[loghost.example.com]

Result for The audit system must be configured to audit all attempts to alter system time through settimeofday.

Result: fail

Rule ID: SV-50323r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27203-9
  • CCI-000169

Remediation instructions

On a 32-bit system, add the following to "/etc/audit/audit.rules":

    # audit_time_rules
    -a always,exit -F arch=b32 -S settimeofday -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

    # audit_time_rules
    -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

Result for The system must not accept IPv4 source-routed packets on any interface.

Result: fail

Rule ID: SV-50324r2_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-27037-1
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.all.accept_source_route=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.all.accept_source_route = 0

Result for The system must not accept ICMPv4 redirect packets on any interface.

Result: fail

Rule ID: SV-50325r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-27027-2
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.all.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.all.accept_redirects = 0

Result for The audit system must be configured to audit all attempts to alter system time through stime.

Result: pass

Rule ID: SV-50326r3_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27169-2
  • CCI-000169

Result for The system must not accept ICMPv4 secure redirect packets on any interface.

Result: fail

Rule ID: SV-50327r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-26854-0
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.all.secure_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.all.secure_redirects = 0

Result for The audit system must be configured to audit all attempts to alter system time through clock_settime.

Result: fail

Rule ID: SV-50328r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27170-0
  • CCI-000169

Remediation instructions

On a 32-bit system, add the following to "/etc/audit/audit.rules":

    # audit_time_rules
    -a always,exit -F arch=b32 -S clock_settime -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

    # audit_time_rules
    -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

Result for The system must log Martian packets.

Result: fail

Rule ID: SV-50329r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Security identifiers

  • CCE-27066-0
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.all.log_martians=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.all.log_martians = 1

Result for The system must not accept IPv4 source-routed packets by default.

Result: fail

Rule ID: SV-50330r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-26983-7
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.default.accept_source_route=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.default.accept_source_route = 0

Result for The audit system must be configured to audit all attempts to alter system time through /etc/localtime.

Result: fail

Rule ID: SV-50331r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-27172-6
  • CCI-000169

Remediation instructions

Add the following to "/etc/audit/audit.rules":

    -w /etc/localtime -p wa -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.

Result for The operating system must automatically audit account creation.

Result: fail

Rule ID: SV-50332r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Security identifiers

  • CCE-26664-3
  • CCI-000018

Remediation instructions

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

    # audit_account_changes
    -w /etc/group -p wa -k audit_account_changes
    -w /etc/passwd -p wa -k audit_account_changes
    -w /etc/gshadow -p wa -k audit_account_changes
    -w /etc/shadow -p wa -k audit_account_changes
    -w /etc/security/opasswd -p wa -k audit_account_changes

Result for The system must not accept ICMPv4 secure redirect packets by default.

Result: fail

Rule ID: SV-50333r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-26831-8
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.default.secure_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.default.secure_redirects = 0

Result for The system must ignore ICMPv4 redirect messages by default.

Result: fail

Rule ID: SV-50334r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Security identifiers

  • CCE-27015-7
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.default.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.default.accept_redirects = 0

Result for The operating system must automatically audit account modification.

Result: fail

Rule ID: SV-50335r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Security identifiers

  • CCE-26664-3
  • CCI-001403

Remediation instructions

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

    # audit_account_changes
    -w /etc/group -p wa -k audit_account_changes
    -w /etc/passwd -p wa -k audit_account_changes
    -w /etc/gshadow -p wa -k audit_account_changes
    -w /etc/shadow -p wa -k audit_account_changes
    -w /etc/security/opasswd -p wa -k audit_account_changes

Result for The system must not respond to ICMPv4 sent to a broadcast address.

Result: fail

Rule ID: SV-50336r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Security identifiers

  • CCE-26883-9
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command:

    # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.icmp_echo_ignore_broadcasts = 1

Result for The operating system must automatically audit account disabling actions.

Result: fail

Rule ID: SV-50337r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Security identifiers

  • CCE-26664-3
  • CCI-001404

Remediation instructions

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

    # audit_account_changes
    -w /etc/group -p wa -k audit_account_changes
    -w /etc/passwd -p wa -k audit_account_changes
    -w /etc/gshadow -p wa -k audit_account_changes
    -w /etc/shadow -p wa -k audit_account_changes
    -w /etc/security/opasswd -p wa -k audit_account_changes

Result for The system must ignore ICMPv4 bogus error responses.

Result: fail

Rule ID: SV-50338r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Security identifiers

  • CCE-26993-6
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command:

    # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.icmp_ignore_bogus_error_responses = 1

Result for The operating system must automatically audit account termination.

Result: fail

Rule ID: SV-50339r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Security identifiers

  • CCE-26664-3
  • CCI-001405

Remediation instructions

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

    # audit_account_changes
    -w /etc/group -p wa -k audit_account_changes
    -w /etc/passwd -p wa -k audit_account_changes
    -w /etc/gshadow -p wa -k audit_account_changes
    -w /etc/shadow -p wa -k audit_account_changes
    -w /etc/security/opasswd -p wa -k audit_account_changes

Result for The system must be configured to use TCP syncookies.

Result: fail

Rule ID: SV-50340r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Security identifiers

  • CCE-27053-8
  • CCI-001095

Remediation instructions

To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command:

    # sysctl -w net.ipv4.tcp_syncookies=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.tcp_syncookies = 1

Result for The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).

Result: fail

Rule ID: SV-50342r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Security identifiers

  • CCE-26657-7
  • CCI-000366

Remediation instructions

Add the following to "/etc/audit/audit.rules":

    -w /etc/selinux/ -p wa -k MAC-policy

Result for The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.

Result: fail

Rule ID: SV-50343r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Security identifiers

  • CCE-26979-5
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.all.rp_filter=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.all.rp_filter = 1

Result for The audit system must be configured to audit all discretionary access control permission modifications using chmod.

Result: fail

Rule ID: SV-50344r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-26280-8
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
        -k perm_mod
    -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
        -k perm_mod
    -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod

Result for The system must use a reverse-path filter for IPv4 network traffic when possible by default.

Result: fail

Rule ID: SV-50345r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Security identifiers

  • CCE-26915-9
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.default.rp_filter=1

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.default.rp_filter = 1

Result for The audit system must be configured to audit all discretionary access control permission modifications using chown.

Result: fail

Rule ID: SV-50346r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27173-4
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
        -k perm_mod
    -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
        -k perm_mod
    -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod


Result for The IPv6 protocol handler must not be bound to the network stack unless needed.

Result: fail

Rule ID: SV-50347r2_rule

Time: 2015-03-08 14:02

Severity: medium

Any unnecessary network stacks, including IPv6, should be disabled to reduce the system's exposure to exploitation.

Security identifiers

  • CCE-27153-6
  • CCI-000366

Remediation instructions

To prevent the IPv6 kernel module ("ipv6") from binding to the IPv6 networking stack, add the following line to "/etc/modprobe.d/disabled.conf" (or another file in "/etc/modprobe.d"):

    options ipv6 disable=1

This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.


Result for The audit system must be configured to audit all discretionary access control permission modifications using fchmod.

Result: fail

Rule ID: SV-50348r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27174-2
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod


Result for The system must ignore ICMPv6 redirects by default.

Result: fail

Rule ID: SV-50349r2_rule

Time: 2015-03-08 14:02

Severity: medium

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Security identifiers

  • CCE-27166-8
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command:

    # sysctl -w net.ipv6.conf.default.accept_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv6.conf.default.accept_redirects = 0


Result for The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.

Result: fail

Rule ID: SV-50351r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27175-9
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using fchown.

Result: fail

Rule ID: SV-50353r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27177-5
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using fchownat.

Result: fail

Rule ID: SV-50355r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27178-3
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod


Result for The system must employ a local IPv4 firewall.

Result: pass

Rule ID: SV-50356r2_rule

Time: 2015-03-08 14:02

Severity: medium

The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.

Security identifiers

  • CCE-27018-1
  • CCI-001118


Result for The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.

Result: fail

Rule ID: SV-50357r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27179-1
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.

Result: fail

Rule ID: SV-50358r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27180-9
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using lchown.

Result: fail

Rule ID: SV-50359r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27181-7
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.

Result: fail

Rule ID: SV-50360r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27182-5
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.

Result: fail

Rule ID: SV-50362r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27183-3
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using removexattr.

Result: fail

Rule ID: SV-50364r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27184-1
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod


Result for The audit system must be configured to audit all discretionary access control permission modifications using setxattr.

Result: fail

Rule ID: SV-50366r2_rule

Time: 2015-03-08 14:02

Severity: low

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Security identifiers

  • CCE-27185-8
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":

    -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod

If the system is 64-bit, then also add the following:

    -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod


Result for The audit system must be configured to audit successful file system mounts.

Result: fail

Rule ID: SV-50369r2_rule

Time: 2015-03-08 14:02

Severity: low

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Security identifiers

  • CCE-26573-6
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
    -a always,exit -F arch=ARCH -S mount -F auid=0 -k export


Result for The system must require passwords to contain at least one uppercase alphabetic character.

Result: fail

Rule ID: SV-50370r1_rule

Time: 2015-03-08 14:02

Severity: low

Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26601-5
  • CCI-000192

Remediation instructions

The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.


Result for The system must require passwords to contain at least one special character.

Result: fail

Rule ID: SV-50371r1_rule

Time: 2015-03-08 14:02

Severity: low

Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26409-3
  • CCI-001619

Remediation instructions

The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.


Result for The system must require passwords to contain at least one lowercase alphabetic character.

Result: fail

Rule ID: SV-50372r1_rule

Time: 2015-03-08 14:02

Severity: low

Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Security identifiers

  • CCE-26631-2
  • CCI-000193

Remediation instructions

The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add "lcredit=-1" after pam_cracklib.so to require use of a lowercase character in passwords.


Result for The system must require at least four characters be changed between the old and new passwords during a password change.

Result: fail

Rule ID: SV-50373r1_rule

Time: 2015-03-08 14:02

Severity: low

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Security identifiers

  • CCE-26615-5
  • CCI-000195

Remediation instructions

The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Add "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 4.


Result for The system must disable accounts after three consecutive unsuccessful logon attempts.

Result: fail

Rule ID: SV-50374r3_rule

Time: 2015-03-08 14:02

Severity: medium

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Security identifiers

  • CCE-26844-1
  • CCI-000044

Remediation instructions

To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", add the following lines immediately below the "pam_unix.so" statement in the AUTH section of "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth":

    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
    auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.


Result for The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).

Result: pass

Rule ID: SV-50375r1_rule

Time: 2015-03-08 14:02

Severity: medium

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-26303-8
  • CCI-000803


Result for The audit system must be configured to audit user deletions of files and programs.

Result: fail

Rule ID: SV-50376r4_rule

Time: 2015-03-08 14:02

Severity: low

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Security identifiers

  • CCE-26651-0
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
    -a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete


Result for The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).

Result: pass

Rule ID: SV-50377r1_rule

Time: 2015-03-08 14:02

Severity: medium

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-27228-6
  • CCI-000803


Result for The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).

Result: pass

Rule ID: SV-50378r1_rule

Time: 2015-03-08 14:02

Severity: medium

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Security identifiers

  • CCE-27229-4
  • CCI-000803


Result for The audit system must be configured to audit changes to the /etc/sudoers file.

Result: fail

Rule ID: SV-50379r1_rule

Time: 2015-03-08 14:02

Severity: low

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.

Security identifiers

  • CCE-26662-7
  • CCI-000172

Remediation instructions

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules":

    -w /etc/sudoers -p wa -k actions


Result for The system boot loader configuration file(s) must be owned by root.

Result: fail

Rule ID: SV-50380r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Only root should be able to modify important boot parameters.

Security identifiers

  • CCE-26995-1
  • CCI-000366

Remediation instructions

The file "/etc/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/etc/grub.conf", run the command:

    # chown root /etc/grub.conf

Remediation script

Result for The audit system must be configured to audit the loading and unloading of dynamic kernel modules.

Result: fail

Rule ID: SV-50381r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Security identifiers

  • CCE-26611-4
  • CCI-000172

Remediation instructions

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

    -w /sbin/insmod -p x -k modules
    -w /sbin/rmmod -p x -k modules
    -w /sbin/modprobe -p x -k modules
    -a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules

Remediation script

Result for The system boot loader configuration file(s) must be group-owned by root.

Result: fail

Rule ID: SV-50382r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Security identifiers

  • CCE-27022-3
  • CCI-000366

Remediation instructions

The file "/etc/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/etc/grub.conf", run the command:

    # chgrp root /etc/grub.conf

Remediation script

Result for The xinetd service must be disabled if no network services utilizing it are enabled.

Result: pass

Rule ID: SV-50383r2_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Security identifiers

  • CCE-27046-2
  • CCI-000382

Remediation script

Result for The system boot loader configuration file(s) must have mode 0600 or less permissive.

Result: fail

Rule ID: SV-50384r2_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Proper permissions ensure that only the root user can modify important boot parameters.

Security identifiers

  • CCE-26949-8
  • CCI-000366

Remediation instructions

File permissions for "/boot/grub/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command:

    # chmod 600 /boot/grub/grub.conf

Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.

Remediation script

Result for The xinetd service must be uninstalled if no network services utilizing it are enabled.

Result: pass

Rule ID: SV-50385r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.

Security identifiers

  • CCE-27005-8
  • CCI-000382

Remediation script

Result for The system boot loader must require authentication.

Result: fail

Rule ID: SV-50386r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.

Security identifiers

  • CCE-26911-8
  • CCI-000213

Remediation instructions

The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:

    # grub-crypt --sha-512

When prompted, enter the password. Then insert the following line into "/etc/grub.conf" immediately after the header comments, using the output from "grub-crypt" as the value of [password-hash]:

    password --encrypted [password-hash]

Remediation script

Result for The system must require authentication upon booting into single-user and maintenance modes.

Result: fail

Rule ID: SV-50387r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Security identifiers

  • CCE-27040-5
  • CCI-000213

Remediation instructions

Single-user mode is intended as a system recovery method; it gives a single user root access to the system through a boot option selected at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init":

    SINGLE=/sbin/sulogin

Remediation script

Result for The telnet-server package must not be installed.

Result: pass

Rule ID: SV-50388r1_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.

Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Security identifiers

  • CCE-27073-6
  • CCI-000381

Remediation script

Result for The system must not permit interactive boot.

Result: fail

Rule ID: SV-50389r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

Security identifiers

  • CCE-27043-9
  • CCI-000213

Remediation instructions

To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line:

    PROMPT=no

The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.

Remediation script

Result for The telnet daemon must not be running.

Result: pass

Rule ID: SV-50390r2_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.

Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.

Security identifiers

  • CCE-26836-7
  • CCI-000888

Remediation script

Result for The system must allow locking of the console screen in text mode.

Result: fail

Rule ID: SV-50391r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.

Security identifiers

  • CCE-26940-7
  • CCI-000058

Remediation instructions

To enable console screen locking when in text mode, install the "screen" package:

    # yum install screen

Instruct users to begin new terminal sessions with the following command:

    $ screen

The console can now be locked with the following key combination: ctrl+a x

Remediation script

Result for The rsh-server package must not be installed.

Result: pass

Rule ID: SV-50392r1_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Security identifiers

  • CCE-27062-9
  • CCI-000381

Remediation script

Result for The system must require administrator action to unlock an account locked by excessive failed login attempts.

Result: fail

Rule ID: SV-50393r3_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Security identifiers

  • CCE-27110-6
  • CCI-000047

Remediation instructions

To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", add the following lines immediately below the "pam_unix.so" statement in the AUTH section of "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth":

    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
    auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.

Remediation script

Result for The rshd service must not be running.

Result: pass

Rule ID: SV-50395r2_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Security identifiers

  • CCE-26994-4
  • CCI-000068

Remediation script

Result for The rexecd service must not be running.

Result: pass

Rule ID: SV-50399r2_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Security identifiers

  • CCE-27208-8
  • CCI-000068

Remediation script

Result for The system must not send ICMPv4 redirects by default.

Result: fail

Rule ID: SV-50401r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.

Security identifiers

  • CCE-27001-7
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.default.send_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.default.send_redirects = 0

Remediation script

Result for The system must not send ICMPv4 redirects from any interface.

Result: fail

Rule ID: SV-50402r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.

Security identifiers

  • CCE-27004-1
  • CCI-000366

Remediation instructions

To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command:

    # sysctl -w net.ipv4.conf.all.send_redirects=0

If this is not the system's default value, add the following line to "/etc/sysctl.conf":

    net.ipv4.conf.all.send_redirects = 0

Remediation script

Result for The rlogind service must not be running.

Result: pass

Rule ID: SV-50403r2_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.

Security identifiers

  • CCE-26865-6
  • CCI-001436

Remediation script

Result for The ypserv package must not be installed.

Result: pass

Rule ID: SV-50404r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Security identifiers

  • CCE-27079-3
  • CCI-000381

Remediation script

Result for The ypbind service must not be running.

Result: pass

Rule ID: SV-50405r2_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.

Security identifiers

  • CCE-26894-6
  • CCI-000382

Remediation script

Result for The cron service must be running.

Result: fail

Rule ID: SV-50406r2_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

Security identifiers

  • CCE-27070-2
  • CCI-000366

Remediation instructions

The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:

    # chkconfig crond on
    # service crond start

Remediation script

Result for The tftp-server package must not be installed.

Result: pass

Rule ID: SV-50407r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.

Security identifiers

  • CCE-26946-4
  • CCI-000381

Remediation script

Result for The SSH daemon must be configured to use only the SSHv2 protocol.

Result: pass

Rule ID: SV-50408r1_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.

Security identifiers

  • CCE-27072-8
  • CCI-000774

Remediation script

Result for The SSH daemon must set a timeout interval on idle sessions.

Result: pass

Rule ID: SV-50409r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Causing idle users to be automatically logged out guards against a compromise on one system leading trivially to a compromise on another.

Security identifiers

  • CCE-26919-1
  • CCI-001133

Remediation script

Result for The SSH daemon must set a timeout count on idle sessions.

Result: pass

Rule ID: SV-50411r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.

Security identifiers

  • CCE-26282-4
  • CCI-000879

Remediation script

Result for The SSH daemon must ignore .rhosts files.

Result: pass

Rule ID: SV-50412r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Security identifiers

  • CCE-27124-7
  • CCI-000766

Remediation script

Result for The SSH daemon must not allow host-based authentication.

Result: pass

Rule ID: SV-50413r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Security identifiers

  • CCE-27091-8
  • CCI-000766

Remediation script

Result for The system must not permit root logins using remote access programs such as ssh.

Result: pass

Rule ID: SV-50414r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.

Security identifiers

  • CCE-27100-7
  • CCI-000770

Remediation script

Result for The SSH daemon must not allow authentication using an empty password.

Result: pass

Rule ID: SV-50415r1_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

Security identifiers

  • CCE-26887-0
  • CCI-000766

Remediation script

Result for The SSH daemon must be configured with the Department of Defense (DoD) login banner.

Result: pass

Rule ID: SV-50416r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Security identifiers

  • CCE-27112-2
  • CCI-000048

Remediation script

Result for The SSH daemon must not permit user environment settings.

Result: pass

Rule ID: SV-50417r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: SSH environment options potentially allow users to bypass access restriction in some configurations.

Security identifiers

  • CCE-27201-3
  • CCI-001414

Remediation script

Result for The avahi service must be disabled.

Result: pass

Rule ID: SV-50419r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion: Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.

Security identifiers

  • CCE-27087-6
  • CCI-000366

Remediation script

Result for The system clock must be synchronized continuously, or at least daily.

Result: fail

Rule ID: SV-50421r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion: Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

Security identifiers

  • CCE-27093-4
  • CCI-000160

Remediation instructions

The "ntpd" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start


Result for The system clock must be synchronized to an authoritative DoD time source.

Result: fail

Rule ID: SV-50422r1_rule

Time: 2015-03-08 14:02

Severity: medium

Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.

Security identifiers

  • CCE-27098-3
  • CCI-000160

Remediation instructions

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following line, substituting the IP or hostname of a remote NTP server for ntpserver:

    server [ntpserver]

This instructs the NTP software to contact that remote server to obtain time data.


Result for Mail relaying must be restricted.

Result: fail

Rule ID: SV-50423r2_rule

Time: 2015-03-08 14:02

Severity: medium

This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.

Security identifiers

  • CCE-26780-7
  • CCI-000382

Remediation instructions

Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears:

    inet_interfaces = localhost


Result for The openldap-servers package must not be installed unless required.

Result: pass

Rule ID: SV-50428r1_rule

Time: 2015-03-08 14:02

Severity: low

Unnecessary packages should not be installed to decrease the attack surface of the system.

Security identifiers

  • CCE-26858-1
  • CCI-000366


Result for The graphical desktop environment must set the idle timeout to no more than 15 minutes.

Result: pass

Rule ID: SV-50430r3_rule

Time: 2015-03-08 14:02

Severity: medium

Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.

Security identifiers

  • CCE-26828-4
  • CCI-000057


Result for The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.

Result: pass

Rule ID: SV-50431r3_rule

Time: 2015-03-08 14:02

Severity: medium

Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session does not have administrator rights and that the display station is located in a controlled-access area.

Security identifiers

  • CCE-26600-7
  • CCI-000057


Result for The system must set a maximum audit log file size.

Result: fail

Rule ID: SV-50434r1_rule

Time: 2015-03-08 14:02

Severity: medium

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Security identifiers

  • CCE-27550-3
  • CCI-000366

Remediation instructions

Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]:

    max_log_file = [STOREMB]

Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.


Result for The system must rotate audit log files that reach the maximum file size.

Result: fail

Rule ID: SV-50435r1_rule

Time: 2015-03-08 14:02

Severity: medium

Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.

Security identifiers

  • CCE-27237-7
  • CCI-000366

Remediation instructions

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf":

    max_log_file_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore", "syslog", "suspend", "rotate", "keep_logs". Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.


Result for The audit system must be configured to audit all attempts to alter system time through adjtimex.

Result: fail

Rule ID: SV-50436r2_rule

Time: 2015-03-08 14:02

Severity: low

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Security identifiers

  • CCE-26242-8
  • CCI-000169

Remediation instructions

On a 32-bit system, add the following to "/etc/audit/audit.rules":

    # audit_time_rules
    -a always,exit -F arch=b32 -S adjtimex -k audit_time_rules

On a 64-bit system, add the following to "/etc/audit/audit.rules":

    # audit_time_rules
    -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules

The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:

    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules


Result for The system must retain enough rotated audit logs to cover the required log retention period.

Result: fail

Rule ID: SV-50437r1_rule

Time: 2015-03-08 14:02

Severity: medium

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Security identifiers

  • CCE-27522-2
  • CCI-000366

Remediation instructions

Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:

    num_logs = [NUMLOGS]

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.


Result for The graphical desktop environment must have automatic lock enabled.

Result: pass

Rule ID: SV-50439r3_rule

Time: 2015-03-08 14:02

Severity: medium

Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.

Security identifiers

  • CCE-26235-2
  • CCI-000057


Result for The system must display a publicly-viewable pattern during a graphical desktop environment session lock.

Result: pass

Rule ID: SV-50440r3_rule

Time: 2015-03-08 14:02

Severity: low

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Security identifiers

  • CCE-26638-7
  • CCI-000060


Result for The Automatic Bug Reporting Tool (abrtd) service must not be running.

Result: pass

Rule ID: SV-50441r2_rule

Time: 2015-03-08 14:02

Severity: low

Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.

Security identifiers

  • CCE-27247-6
  • CCI-000382


Result for The atd service must be disabled.

Result: pass

Rule ID: SV-50442r2_rule

Time: 2015-03-08 14:02

Severity: low

<VulnDiscussion>The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-27249-2
  • CCI-000382


Result for The system default umask for daemons must be 027 or 022.

Result: pass

Rule ID: SV-50443r1_rule

Time: 2015-03-08 14:02

Severity: low

The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Security identifiers

  • CCE-27031-4
  • CCI-000366


Result for The ntpdate service must not be running.

Result: pass

Rule ID: SV-50445r2_rule

Time: 2015-03-08 14:02

Severity: low

<VulnDiscussion>The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-27256-7
  • CCI-000382


Result for The system default umask in /etc/login.defs must be 077.

Result: pass

Rule ID: SV-50446r1_rule

Time: 2015-03-08 14:02

Severity: low

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

  • CCE-26371-5
  • CCI-000366


Result for The oddjobd service must not be running.

Result: pass

Rule ID: SV-50447r2_rule

Time: 2015-03-08 14:02

Severity: low

<VulnDiscussion>The "oddjobd" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-27257-5
  • CCI-000382


Result for The system default umask in /etc/profile must be 077.

Result: fail

Rule ID: SV-50448r1_rule

Time: 2015-03-08 14:02

Severity: low

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

  • CCE-26669-2
  • CCI-000366

Remediation instructions

To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows:

    umask 077


Result for The qpidd service must not be running.

Result: pass

Rule ID: SV-50449r2_rule

Time: 2015-03-08 14:02

Severity: low

The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.

Security identifiers

  • CCE-26928-2
  • CCI-000382


Result for The system default umask for the csh shell must be 077.

Result: fail

Rule ID: SV-50450r1_rule

Time: 2015-03-08 14:02

Severity: low

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

  • CCE-27034-8
  • CCI-000366

Remediation instructions

To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows:

    umask 077


Result for The rdisc service must not be running.

Result: pass

Rule ID: SV-50451r2_rule

Time: 2015-03-08 14:02

Severity: low

General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.

Security identifiers

  • CCE-27261-7
  • CCI-000382


Result for The system default umask for the bash shell must be 077.

Result: fail

Rule ID: SV-50452r1_rule

Time: 2015-03-08 14:02

Severity: low

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.

Security identifiers

  • CCE-26917-5
  • CCI-000366

Remediation instructions

To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows:

    umask 077


Result for The system must use SMB client signing for connecting to samba servers using smbclient.

Result: pass

Rule ID: SV-50457r1_rule

Time: 2015-03-08 14:02

Severity: low

Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

Security identifiers

  • CCE-26328-5
  • CCI-000366


Result for The postfix service must be enabled for mail delivery.

Result: fail

Rule ID: SV-50470r1_rule

Time: 2015-03-08 14:02

Severity: low

Local mail delivery is essential to some system maintenance and notification tasks.

Security identifiers

  • CCE-26325-1
  • CCI-000366

Remediation instructions

The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following commands:

    # chkconfig postfix on
    # service postfix start


Result for The sendmail package must be removed.

Result: pass

Rule ID: SV-50472r1_rule

Time: 2015-03-08 14:02

Severity: medium

The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

Security identifiers

  • CCE-27515-6
  • CCI-000366


Result for The netconsole service must be disabled unless required.

Result: pass

Rule ID: SV-50473r2_rule

Time: 2015-03-08 14:02

Severity: low

<VulnDiscussion>The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Security identifiers

  • CCE-27254-2
  • CCI-000382


Result for X Windows must not be enabled unless required.

Result: pass

Rule ID: SV-50475r1_rule

Time: 2015-03-08 14:02

Severity: medium

Unnecessary services should be disabled to decrease the attack surface of the system.

Security identifiers

  • CCE-27119-7
  • CCI-001436


Result for Process core dumps must be disabled unless needed.

Result: fail

Rule ID: SV-50476r2_rule

Time: 2015-03-08 14:02

Severity: low

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

Security identifiers

  • CCE-27033-0
  • CCI-000366

Remediation instructions

To disable core dumps for all users, add the following line to "/etc/security/limits.conf":

    * hard core 0


Result for The xorg-x11-server-common (X Windows) package must not be installed, unless required.

Result: pass

Rule ID: SV-50477r1_rule

Time: 2015-03-08 14:02

Severity: low

Unnecessary packages should not be installed to decrease the attack surface of the system.

Security identifiers

  • CCE-27198-1


Result for The DHCP client must be disabled if not needed.

Result: fail

Rule ID: SV-50480r2_rule

Time: 2015-03-08 14:02

Severity: medium

DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.

Security identifiers

  • CCE-27021-5
  • CCI-000366

Remediation instructions

For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read:

    BOOTPROTO=none

Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:

    NETMASK=[local LAN netmask]
    IPADDR=[assigned IP address]
    GATEWAY=[local LAN default gateway]


Result for The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.

Result: fail

Rule ID: SV-50481r1_rule

Time: 2015-03-08 14:02

Severity: medium

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Security identifiers

  • CCE-27241-9
  • CCI-000139

Remediation instructions

The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root


Result for The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.

Result: fail

Rule ID: SV-50485r2_rule

Time: 2015-03-08 14:02

Severity: low

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Security identifiers

  • CCE-27457-1
  • CCI-000054

Remediation instructions

Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user, add the following line in "/etc/security/limits.conf":

    * hard maxlogins 10

A documented site-defined number may be substituted for 10 in the above.

Result for The system must provide VPN connectivity for communications over untrusted networks.

Result: fail

Rule ID: SV-50488r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion

Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.

Security identifiers

  • CCE-27626-1
  • CCI-001130

Remediation instructions

The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "openswan" package can be installed with the following command:

    # yum install openswan

Installing the package is all this rule checks; a usable tunnel still has to be defined in "/etc/ipsec.conf" (and "/etc/ipsec.d/") and the "ipsec" service enabled.

Result for A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

Result: pass

Rule ID: SV-50489r2_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Security identifiers

  • CCE-27195-7
  • CCI-000050

Result for The Bluetooth service must be disabled.

Result: pass

Rule ID: SV-50492r2_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion

Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

Security identifiers

  • CCE-27081-9
  • CCI-000085

Result for Accounts must be locked upon 35 days of inactivity.

Result: fail

Rule ID: SV-50493r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Security identifiers

  • CCE-27283-1
  • CCI-000017

Remediation instructions

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

    INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Note that this default only applies to accounts created afterwards; existing accounts keep their current inactivity setting until it is changed with "chage --inactive [NUM_DAYS] [USER]", and an account whose password never expires is never disabled by this mechanism. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

Result for The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.

Result: fail

Rule ID: SV-50495r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Security identifiers

  • CCE-27283-1
  • CCI-000795

Remediation instructions

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

    INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Note that this default only applies to accounts created afterwards; existing accounts keep their current inactivity setting until it is changed with "chage --inactive [NUM_DAYS] [USER]", and an account whose password never expires is never disabled by this mechanism. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
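
The following is an added example for the two inactivity rules above (it is not code from the scan report or from the STIG/SSG content). It sets the INACTIVE default and, because that default does not touch existing accounts, scans a shadow(5)-format file for accounts that still need "chage -I", flagging those that have no maximum password age and therefore would never be locked. The file paths, the 35-day value and the sample records are constructed assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the scan report or the SSG content): apply the
# INACTIVE default for future accounts and list the existing accounts that
# still need "chage -I". The useradd defaults file and the shadow(5) records
# below are constructed samples; on a live host pass /etc/default/useradd and
# /etc/shadow (readable by root only). Treating a hash that starts with "!"
# or "*" as "cannot log in with a password" follows shadow(5).

# Rewrite or append INACTIVE=N in a /etc/default/useradd-style file.
# Only accounts created after this change pick it up.
set_useradd_inactive() {
    file=$1; days=${2:-35}
    if grep -q '^INACTIVE=' "$file"; then
        sed -i "s/^INACTIVE=.*/INACTIVE=$days/" "$file"
    else
        printf 'INACTIVE=%s\n' "$days" >> "$file"
    fi
}

# Print the INACTIVE value currently configured (nothing if absent).
get_useradd_inactive() {
    sed -n 's/^INACTIVE=//p' "$1"
}

# Scan a shadow(5)-format file and print one "chage -I N user" command per
# account that can authenticate with a password (hash not starting with "!"
# or "*") but whose inactivity field (7) is empty, -1 (never) or above N.
# Accounts with no maximum password age (field 5 empty or 99999) get a
# comment instead: inactivity is counted from password expiry, so such an
# account would never be locked whatever INACTIVE says.
inactive_remediation_plan() {
    file=$1; days=${2:-35}
    awk -F: -v n="$days" '
        $2 ~ /^[!*]/ { next }
        {
            if ($7 == "" || $7 == -1 || $7 > n)
                printf "chage -I %d %s\n", n, $1
            if ($5 == "" || $5 >= 99999)
                printf "# %s: no maximum password age, set one with chage -M or the account never locks\n", $1
        }
    ' "$file"
}

# Demonstration on constructed data (no system files are touched).
tmp=$(mktemp -d)
printf 'INACTIVE=-1\n' > "$tmp/useradd"
set_useradd_inactive "$tmp/useradd" 35
echo "useradd default is now INACTIVE=$(get_useradd_inactive "$tmp/useradd")"
cat > "$tmp/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:16000:1:60:7:35::
alice:$6$saltsalt$hashhashhash:16000:1:60:7:::
bob:$6$saltsalt$hashhashhash:16000:0:99999:7:::
svc:!!:16000:0:99999:7:::
EOF
inactive_remediation_plan "$tmp/shadow" 35
rm -rf "$tmp"
```

Feed the printed "chage" commands to a shell (as root) once they have been reviewed; the plan deliberately skips locked accounts, and it is worth reviewing the "no maximum password age" comments first, since the inactivity timer never starts for those accounts.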

Result for The sticky bit must be set on all public directories.

Result: pass

Rule ID: SV-50498r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion

Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage - such as /tmp - and for directories requiring global read/write access.

Security identifiers

  • CCE-26840-9
  • CCI-000366

Result for All public directories must be owned by a system account.

Result: pass

Rule ID: SV-50500r2_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
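
As an added example covering both public-directory rules above (not code from the scan report or the STIG/SSG content), the shell below lists world-writable directories that lack the sticky bit or are owned by a non-system account, and adds the sticky bit where it is missing. The scratch tree is constructed, and the boundary of 499 for system UIDs is an assumption taken from the RHEL 6 "login.defs" default of UID_MIN=500.

```shell
#!/bin/sh
# Added example (not part of the scan report or the SSG content): find the
# world-writable directories under a tree that lack the sticky bit or are
# owned by a non-system account, the two conditions the public-directory
# rules check, and add the sticky bit where it is missing. The tree is built
# in a scratch directory so this runs unprivileged; on a live host run it as
# root against "/" (-xdev keeps find on one file system). Assumption: system
# accounts have UIDs below 500, the RHEL 6 login.defs default (UID_MIN=500);
# set SYSTEM_UID_MAX for sites that use a different boundary.

SYSTEM_UID_MAX=${SYSTEM_UID_MAX:-499}

# World-writable directories without the sticky bit (mode o+w but not +t).
public_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# World-writable directories owned by a UID above SYSTEM_UID_MAX.
# (Ownership has to be corrected by hand; "ls -ld" shows the current owner.)
public_dirs_user_owned() {
    find "$1" -xdev -type d -perm -0002 -uid +"$SYSTEM_UID_MAX" 2>/dev/null | sort
}

# Add the sticky bit to every directory reported by public_dirs_without_sticky.
fix_sticky() {
    public_dirs_without_sticky "$1" | while read -r d; do
        chmod +t "$d" && echo "chmod +t $d"
    done
}

# Demonstration on a constructed tree (no system directories are touched).
tmp=$(mktemp -d)
mkdir -p "$tmp/tmp" "$tmp/var/tmp" "$tmp/srv/drop" "$tmp/etc"
chmod 1777 "$tmp/tmp" "$tmp/var/tmp"   # correct: world-writable with sticky bit
chmod 0777 "$tmp/srv/drop"             # finding: world-writable, no sticky bit
chmod 0755 "$tmp/etc"                  # not public, not reported
echo "missing sticky bit:"; public_dirs_without_sticky "$tmp"
echo "owned by a non-system UID:"; public_dirs_user_owned "$tmp"
fix_sticky "$tmp"
echo "after fix:"; public_dirs_without_sticky "$tmp"
rm -rf "$tmp"
```

Whether the "owned by a non-system UID" list is empty depends on who runs the demonstration, which is the point of the second rule: the owner of a shared directory can remove or replace what others put there, so it should be a system account.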

Security identifiers

  • CCE-26642-9
  • CCI-000366

Result for The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.

Result: pass

Rule ID: SV-50502r1_rule

Time: 2015-03-08 14:02

Severity: high

Vulnerability discussion

Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.

Security identifiers

  • CCE-27272-4
  • CCI-000366

Result for The system must use a Linux Security Module at boot time.

Result: pass

Rule ID: SV-65547r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Security identifiers

  • CCE-26956-3
  • CCI-000366

Result for The system must use a Linux Security Module configured to enforce limits on system services.

Result: fail

Rule ID: SV-65573r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Security identifiers

  • CCE-26969-6
  • CCI-000366

Remediation instructions

The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode:

    SELINUX=enforcing

The file is only read at boot; "getenforce" shows the current runtime mode and "setenforce 1" switches a running system to enforcing without a reboot. If SELinux was previously disabled, the file system must be relabeled on the next boot ("touch /.autorelabel") before enforcing mode will work correctly, and a kernel parameter of "selinux=0" or "enforcing=0" in the boot loader entry overrides this file.

Result for The system must use a Linux Security Module configured to limit the privileges of system services.

Result: fail

Rule ID: SV-65579r1_rule

Time: 2015-03-08 14:02

Severity: low

Vulnerability discussion

Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Security identifiers

  • CCE-26875-5
  • CCI-000366

Remediation instructions

The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config":

    SELINUXTYPE=targeted

Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. Changing the policy type requires the matching "selinux-policy-*" package to be installed and a full relabel on the next boot.
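
The three SELinux rules above are checked together in the following added example (not code from the scan report or the STIG/SSG content). It works out the state a RHEL 6 system will actually boot into from "/etc/selinux/config" together with the kernel command line, because a check that only reads the file misses "selinux=0" or "enforcing=0" in the boot loader entry, which override it. The config files and command lines are constructed samples; the precedence order encoded in the function is the example's own reading of how init and the kernel parameters interact.

```shell
#!/bin/sh
# Added example (not part of the scan report or the SSG content): determine
# the SELinux state a RHEL 6 system will really boot into, from
# /etc/selinux/config together with the kernel command line, and audit it
# against the three SELinux rules (LSM active at boot, enforcing, targeted
# policy). The config files and command lines below are constructed samples;
# on a live host use /etc/selinux/config and "$(cat /proc/cmdline)", and
# compare with "getenforce" for the runtime mode.

# Print the value of KEY from a file of KEY=value lines (comments and
# surrounding whitespace ignored, last occurrence wins). Nothing if absent.
config_value() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$file" | tail -n 1
}

# Print the effective boot state: enforcing, permissive, disabled or unknown.
# Precedence: selinux=0 on the command line disables SELinux outright;
# SELINUX=disabled in the file keeps init from loading a policy; otherwise
# enforcing=0 / enforcing=1 on the command line override the file's mode.
effective_selinux_state() {
    file=$1; cmdline=$2
    case " $cmdline " in *" selinux=0 "*) echo disabled; return ;; esac
    state=$(config_value "$file" SELINUX)
    case "$state" in
        disabled) echo disabled; return ;;
        "")       echo unknown;  return ;;
    esac
    case " $cmdline " in
        *" enforcing=0 "*) echo permissive ;;
        *" enforcing=1 "*) echo enforcing ;;
        *)                 echo "$state" ;;
    esac
}

# Report findings for the three rules; returns 1 if any of them fails.
audit_selinux() {
    file=$1; cmdline=$2; rc=0
    state=$(effective_selinux_state "$file" "$cmdline")
    type=$(config_value "$file" SELINUXTYPE)
    case "$state" in
        enforcing) ;;
        disabled)  echo "FAIL: no LSM active at boot (SELinux disabled)"; rc=1 ;;
        unknown)   echo "FAIL: SELINUX= is not set in $file"; rc=1 ;;
        *)         echo "FAIL: SELinux boots $state, not enforcing"; rc=1 ;;
    esac
    case "$type" in
        targeted|mls) ;;
        *) echo "FAIL: SELINUXTYPE is '${type:-unset}', expected targeted (or mls)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "PASS: SELinux enforcing at boot with the $type policy"
    return "$rc"
}

# Demonstration on constructed samples (no system files are touched).
tmp=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/permissive"
printf '# comment\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/enforcing"
normal='ro root=/dev/mapper/vg-root rhgb quiet'
audit_selinux "$tmp/permissive" "$normal"            # fails: permissive in the file
audit_selinux "$tmp/enforcing" "$normal enforcing=0" # fails: kernel parameter overrides the file
audit_selinux "$tmp/enforcing" "$normal"             # passes
rm -rf "$tmp"
```

On a live host the two views should agree: "audit_selinux /etc/selinux/config "$(cat /proc/cmdline)"" describes the next boot, "getenforce" the present; a system that passes the file check but reports Permissive at runtime has either been switched with "setenforce 0" or is booting with an overriding kernel parameter.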

Result for The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.

Result: fail

Rule ID: SV-66089r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Security identifiers

  • CCE-27291-4
  • CCI-000366

Remediation instructions

To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so" in the PAM session stack (on RHEL 6 this is normally "/etc/pam.d/system-auth"):

    session required pam_lastlog.so showfailed

PAM processes session lines in order, so the position matters; "showfailed" adds the count of failed attempts since the last login to the message. Note that "/etc/pam.d/system-auth" is usually a symlink to "system-auth-ac", which "authconfig" regenerates, so edits made directly to that file can be lost.
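
As an added example (not code from the scan report or the STIG/SSG content), the shell below inserts the "pam_lastlog" line directly after the "pam_limits" session line of a PAM stack without duplicating it on a second run, and checks that the ordering the rule asks for is in place. The stack is a constructed fragment in the style of "/etc/pam.d/system-auth"; which file to edit on a given host is an assumption left to the administrator.

```shell
#!/bin/sh
# Added example (not part of the scan report or the SSG content): insert
# "session required pam_lastlog.so showfailed" directly after the
# pam_limits.so session line of a PAM stack, without duplicating it when run
# again. PAM evaluates session lines in order, so the position matters. The
# stack below is a constructed fragment in the style of /etc/pam.d/system-auth;
# on RHEL 6 that file is normally a symlink to system-auth-ac, which
# authconfig regenerates, so apply the change to the file actually in use.

# Print the stack with the lastlog line inserted after the first pam_limits
# session line. A stack that already has a pam_lastlog session line is
# printed unchanged (even if it sits in the wrong place; see check below).
add_pam_lastlog() {
    awk '
        /^[[:space:]]*session[[:space:]]+.*pam_lastlog\.so/ { have = 1 }
        { lines[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (!have && !done && lines[i] ~ /^[[:space:]]*session[[:space:]]+.*pam_limits\.so/) {
                    print "session     required      pam_lastlog.so showfailed"
                    done = 1
                }
            }
        }
    ' "$1"
}

# Return 0 when a "session required pam_lastlog.so ... showfailed" line
# appears after the pam_limits session line, which is what the rule wants.
check_pam_lastlog() {
    awk '
        /^[[:space:]]*session[[:space:]]+.*pam_limits\.so/ && !limits { limits = NR }
        /^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_lastlog\.so.*showfailed/ { lastlog = NR }
        END { if (limits && lastlog > limits) exit 0; exit 1 }
    ' "$1"
}

# Demonstration on a constructed stack (no system files are touched).
tmp=$(mktemp -d)
cat > "$tmp/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
check_pam_lastlog "$tmp/system-auth" || echo "before: pam_lastlog missing"
add_pam_lastlog "$tmp/system-auth" > "$tmp/system-auth.new"
check_pam_lastlog "$tmp/system-auth.new" && echo "after: pam_lastlog follows pam_limits"
cat "$tmp/system-auth.new"
rm -rf "$tmp"
```

Write the output to a new file and swap it in only after reviewing it; a broken PAM stack can lock every account out, so keep a root shell open until a fresh login has been confirmed to work.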

Result for The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.

Result: fail

Rule ID: SV-68627r1_rule

Time: 2015-03-08 14:02

Severity: medium

Vulnerability discussion

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Security identifiers

  • CCE-27239-3
  • CCI-000366

Remediation instructions

The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:

    admin_space_left_action = [ACTION]

Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page. The action fires when free space on the audit partition drops below "admin_space_left" (in megabytes), which should be set lower than the earlier "space_left" warning threshold; restart "auditd" after editing the file so the new value is read.
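
The two "auditd.conf" settings this page discusses, "action_mail_acct" and "admin_space_left_action", are handled together in the following added example (not code from the scan report or the STIG/SSG content). It reads and rewrites "key = value" lines in an auditd.conf-format file and checks the low-space action against the values documented in auditd.conf(5). The sample file is constructed, and the expectation of "single" as the site policy is the example's assumption.

```shell
#!/bin/sh
# Added example (not part of the scan report or the SSG content): audit and
# set the two auditd.conf keys discussed on this page, action_mail_acct and
# admin_space_left_action. auditd.conf holds "key = value" lines; the setter
# rewrites an existing key or appends it, and admin_space_left_action is
# checked against the values listed in auditd.conf(5). The file below is a
# constructed sample; on a live host point the functions at
# /etc/audit/auditd.conf and restart auditd ("service auditd restart") so
# the daemon re-reads it.

# Print the first word of KEY's value (nothing if the key is absent).
auditd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Rewrite "KEY = VALUE" in place, or append it when missing.
auditd_set() {
    file=$1; key=$2; val=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $val/" "$file"
    else
        printf '%s = %s\n' "$key" "$val" >> "$file"
    fi
}

# Values auditd.conf(5) documents for admin_space_left_action (case-insensitive).
valid_admin_action() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ignore|syslog|email|exec|suspend|single|halt) return 0 ;;
    esac
    return 1
}

# Report both settings; returns 1 on any finding. WANT is the site policy
# for the low-space action (the STIG asks for "single").
audit_auditd_conf() {
    file=$1; want=${2:-single}; rc=0
    acct=$(auditd_get "$file" action_mail_acct)
    [ -n "$acct" ] || { echo "FAIL: action_mail_acct is not set, nobody gets notified"; rc=1; }
    act=$(auditd_get "$file" admin_space_left_action | tr 'A-Z' 'a-z')
    if ! valid_admin_action "$act"; then
        echo "FAIL: admin_space_left_action '${act:-unset}' is not a value auditd accepts"; rc=1
    elif [ "$act" != "$want" ]; then
        echo "FAIL: admin_space_left_action is '$act', policy wants '$want'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: mail to '$acct', low-space action '$act'"
    return "$rc"
}

# Demonstration on a constructed sample (no system files are touched).
tmp=$(mktemp -d)
cat > "$tmp/auditd.conf" <<'EOF'
# constructed sample of /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
max_log_file = 6
space_left = 75
space_left_action = syslog
admin_space_left = 50
admin_space_left_action = suspend
EOF
audit_auditd_conf "$tmp/auditd.conf" single || {
    auditd_set "$tmp/auditd.conf" action_mail_acct root
    auditd_set "$tmp/auditd.conf" admin_space_left_action single
}
audit_auditd_conf "$tmp/auditd.conf" single
rm -rf "$tmp"
```

Validating the action value before writing it matters because auditd refuses to start on an unknown value, which would leave the system without auditing at all; the mail account is only useful if "root" (or whatever is configured) is aliased to someone who reads it.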

Remediation script