Introduction
Test Result
| Result ID | Profile | Start time | End time | Benchmark | Benchmark version |
| xccdf_org.open-scap_testresult_default-profile | (Default profile) | 2015-03-08 14:02 | 2015-03-08 14:02 | embedded | 1 |
Target info
Targets: (none recorded)
Addresses: (none recorded)
Applicable platforms: (none recorded)
Score
| System | Score | Max | % |
| urn:xccdf:scoring:default | 43.58 | 100.00 | 43.58% |
Results overview
Rule Results Summary
| pass | fixed | fail | error | not selected | not checked | not applicable | informational | unknown | total |
| 78 | 0 | 101 | 0 | 0 | 0 | 0 | 0 | 0 | 179 |
Results details
Result for Automated file system mounting tools must not be enabled unless needed.
Result: pass
Rule ID: SV-50237r1_rule
Time: 2015-03-08 14:02
Severity: low
All filesystems that are required for the successful operation of the system should be explicitly listed in "/etc/fstab" by an administrator. New filesystems should not be arbitrarily introduced via the automounter. The "autofs" daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as "/misc/cd". However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing "/etc/fstab" rather than relying on the automounter.
Security identifiers
- CCE-26976-1
- CCI-000366
Result for Auditing must be enabled at boot by setting a kernel parameter.
Result: fail
Rule ID: SV-50238r2_rule
Time: 2015-03-08 14:02
Severity: low
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although "auditd" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Security identifiers
- CCE-26785-6
- CCI-000169
Remediation instructions
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument "audit=1" to the kernel line in "/etc/grub.conf", in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
UEFI systems may prepend "/boot" to the "/vmlinuz-version" argument.
Result for The /etc/gshadow file must be owned by root.
Result: pass
Rule ID: SV-50243r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Security identifiers
- CCE-27026-4
- CCI-000366
Result for The /etc/gshadow file must be group-owned by root.
Result: pass
Rule ID: SV-50248r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Security identifiers
- CCE-26975-3
- CCI-000366
Result for The /etc/gshadow file must have mode 0000.
Result: pass
Rule ID: SV-50249r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Security identifiers
- CCE-26951-4
- CCI-000366
Result for The /etc/passwd file must be owned by root.
Result: pass
Rule ID: SV-50250r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Security identifiers
- CCE-26953-0
- CCI-000366
Result for The /etc/passwd file must be group-owned by root.
Result: pass
Rule ID: SV-50251r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Security identifiers
- CCE-26856-5
- CCI-000366
Result for The system must use a separate file system for /tmp.
Result: fail
Rule ID: SV-50255r1_rule
Time: 2015-03-08 14:02
Severity: low
The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
Security identifiers
- CCE-26435-8
- CCI-000366
Remediation instructions
The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Result for The system must use a separate file system for /var.
Result: fail
Rule ID: SV-50256r1_rule
Time: 2015-03-08 14:02
Severity: low
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.
Security identifiers
- CCE-26639-5
- CCI-000366
Remediation instructions
The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.
Result for The /etc/passwd file must have mode 0644 or less permissive.
Result: pass
Rule ID: SV-50257r1_rule
Time: 2015-03-08 14:02
Severity: medium
If the "/etc/passwd" file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Security identifiers
- CCE-26868-0
- CCI-000366
Result for The /etc/group file must be owned by root.
Result: pass
Rule ID: SV-50258r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26822-7
- CCI-000366
Result for The /etc/group file must be group-owned by root.
Result: pass
Rule ID: SV-50259r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26930-8
- CCI-000366
Result for The /etc/group file must have mode 0644 or less permissive.
Result: pass
Rule ID: SV-50261r1_rule
Time: 2015-03-08 14:02
Severity: medium
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Security identifiers
- CCE-26954-8
- CCI-000366
Result for The system must use a separate file system for /var/log.
Result: fail
Rule ID: SV-50263r1_rule
Time: 2015-03-08 14:02
Severity: low
Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
Security identifiers
- CCE-26215-4
- CCI-000366
Remediation instructions
System logs are stored in the "/var/log" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
Result for Library files must be owned by root.
Result: pass
Rule ID: SV-50266r1_rule
Time: 2015-03-08 14:02
Severity: medium
Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.
Security identifiers
- CCE-27424-1
- CCI-001499
Result for The system must use a separate file system for the system audit data path.
Result: fail
Rule ID: SV-50267r1_rule
Time: 2015-03-08 14:02
Severity: low
Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Security identifiers
- CCE-26436-6
- CCI-000137
Remediation instructions
Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Result for All system command files must have mode 0755 or less permissive.
Result: pass
Rule ID: SV-50269r2_rule
Time: 2015-03-08 14:02
Severity: medium
System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.
Security identifiers
- CCE-27289-8
- CCI-001499
Result for The audit system must alert designated staff members when the audit storage volume approaches capacity.
Result: fail
Rule ID: SV-50270r2_rule
Time: 2015-03-08 14:02
Severity: medium
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Security identifiers
- CCE-27238-5
- CCI-000138
Remediation instructions
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:
space_left_action = [ACTION]
Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore", "syslog", "email", "exec", "suspend", "single", "halt". Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention. The "syslog" option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner. RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.
Result for All system command files must be owned by root.
Result: pass
Rule ID: SV-50272r1_rule
Time: 2015-03-08 14:02
Severity: medium
System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.
Security identifiers
- CCE-27623-8
- CCI-001499
Result for The system must use a separate file system for user home directories.
Result: fail
Rule ID: SV-50273r1_rule
Time: 2015-03-08 14:02
Severity: low
Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Security identifiers
- CCE-26557-9
- CCI-000366
Remediation instructions
If user home directories will be stored locally, create a separate partition for "/home" at installation time (or migrate it later using LVM). If "/home" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Result for The system must require passwords to contain a minimum of 14 characters.
Result: fail
Rule ID: SV-50275r1_rule
Time: 2015-03-08 14:02
Severity: medium
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. While it does not negate the password length requirement, it is preferable to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure).
Security identifiers
- CCE-27002-5
- CCI-000205
Remediation instructions
To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following line:
PASS_MIN_LEN 14
The DoD requirement is "14". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied.
Result for Users must not be able to change passwords more than once every 24 hours.
Result: fail
Rule ID: SV-50277r1_rule
Time: 2015-03-08 14:02
Severity: medium
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
Security identifiers
- CCE-27013-2
- CCI-000198
Remediation instructions
To specify password minimum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
PASS_MIN_DAYS [DAYS]
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1.
Result for The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
Result: pass
Rule ID: SV-50278r2_rule
Time: 2015-03-08 14:02
Severity: low
Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the "rhnsd" daemon can remain on.
Security identifiers
- CCE-26846-6
- CCI-000382
Result for User passwords must be changed at least every 60 days.
Result: fail
Rule ID: SV-50279r1_rule
Time: 2015-03-08 14:02
Severity: medium
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Security identifiers
- CCE-26985-2
- CCI-000199
Remediation instructions
To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
PASS_MAX_DAYS [DAYS]
The DoD requirement is 60.
Result for Users must be warned 7 days in advance of password expiration.
Result: pass
Rule ID: SV-50280r1_rule
Time: 2015-03-08 14:02
Severity: low
Setting the password warning age enables users to make the change at a practical time.
Security identifiers
- CCE-26988-6
- CCI-000366
Result for The system must require passwords to contain at least one numeric character.
Result: fail
Rule ID: SV-50282r1_rule
Time: 2015-03-08 14:02
Severity: low
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
Security identifiers
- CCE-26374-9
- CCI-000194
Remediation instructions
The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.
Result for The system package management tool must cryptographically verify the authenticity of system software packages during installation.
Result: pass
Rule ID: SV-50283r1_rule
Time: 2015-03-08 14:02
Severity: medium
Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering.
Security identifiers
- CCE-26709-6
- CCI-000663
Result for The system package management tool must cryptographically verify the authenticity of all software packages during installation.
Result: pass
Rule ID: SV-50288r1_rule
Time: 2015-03-08 14:02
Severity: low
Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.
Security identifiers
- CCE-26647-8
- CCI-000663
Result for A file integrity tool must be installed.
Result: fail
Rule ID: SV-50290r1_rule
Time: 2015-03-08 14:02
Severity: medium
The AIDE package must be installed if it is to be available for integrity checking.
Security identifiers
- CCE-27024-9
- CCI-001069
Remediation instructions
Install the AIDE package with the command:
# yum install aide
Result for The operating system must enforce requirements for the connection of mobile devices to operating systems.
Result: fail
Rule ID: SV-50291r2_rule
Time: 2015-03-08 14:02
Severity: medium
USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled.
Security identifiers
- CCE-27016-5
Remediation instructions
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the "usb-storage" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install usb-storage /bin/false
This will prevent the "modprobe" program from loading the "usb-storage" module, but will not prevent an administrator (or another program) from using the "insmod" program to load the module manually.
Result for There must be no .rhosts or hosts.equiv files on the system.
Result: pass
Rule ID: SV-50292r1_rule
Time: 2015-03-08 14:02
Severity: high
Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
Security identifiers
- CCE-27270-8
- CCI-001436
Result for The system must prevent the root account from logging in from virtual consoles.
Result: fail
Rule ID: SV-50293r1_rule
Time: 2015-03-08 14:02
Severity: medium
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
Security identifiers
- CCE-26855-7
- CCI-000770
Remediation instructions
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in "/etc/securetty":
vc/1
vc/2
vc/3
vc/4
Note: Virtual console entries are not limited to those listed above. Any lines starting with "vc/" followed by numerals should be removed.
Result for The system must prevent the root account from logging in from serial consoles.
Result: pass
Rule ID: SV-50295r1_rule
Time: 2015-03-08 14:02
Severity: low
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.
Security identifiers
- CCE-27047-0
- CCI-000770
Result for Audit log files must be owned by root.
Result: pass
Rule ID: SV-50296r1_rule
Time: 2015-03-08 14:02
Severity: medium
If non-privileged users can write to audit logs, audit trails can be modified or destroyed.
Security identifiers
- CCE-27244-3
- CCI-000162
Result for The system must not have accounts configured with blank or null passwords.
Result: fail
Rule ID: SV-50298r2_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27038-9
- CCI-000366
Remediation instructions
If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the "nullok" option from "/etc/pam.d/system-auth" to prevent logons with empty passwords. On RHEL 6 the same option also appears in "/etc/pam.d/password-auth", the stack used by sshd and other network services; remove it there as well, otherwise that stack still accepts empty passwords at the PAM layer.
Remediation script
Result for Audit log files must have mode 0640 or less permissive.
Result: pass
Rule ID: SV-50299r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>If users can write to audit logs, audit trails can be modified or destroyed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27243-5
- CCI-000163
Remediation script
Result for The /etc/passwd file must not contain password hashes.
Result: pass
Rule ID: SV-50300r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The hashes for all user account passwords should be stored in the file "/etc/shadow" and never in "/etc/passwd", which is readable by all users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26476-2
- CCI-000366
Remediation script
Result for The root account must be the only account having a UID of 0.
Result: pass
Rule ID: SV-50301r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26971-2
- CCI-000366
Remediation script
Result for The system must disable accounts after excessive login failures within a 15-minute interval.
Result: fail
Rule ID: SV-50302r3_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27215-3
- CCI-001452
Remediation instructions
Using "pam_faillock.so", the "deny", "fail_interval" and "unlock_time" directives configure the system to lock out an account after a number of incorrect logon attempts within a time window: with the values below, 3 failures within 900 seconds (15 minutes) lock the account for 604800 seconds (7 days). Add the following lines immediately below the "pam_unix.so" statement in both "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth":
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
Both files need the change: system-auth covers console and local logins, password-auth the stacks used by sshd and other network services. Note that authconfig regenerates both files and discards manual edits, so re-check them after any authconfig run.
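An added example, not part of the scan report or of the STIG: a small POSIX shell checker that covers both PAM findings in this section, the "nullok" option on pam_unix.so (blank passwords) and missing or weak pam_faillock.so lockout parameters. The sample PAM stacks are constructed for the demo and the thresholds (deny 3, fail_interval 900, unlock_time 604800) are the values this report's remediation text uses; on a host, point the functions at /etc/pam.d/system-auth and /etc/pam.d/password-auth.

```shell
#!/bin/sh
# Added example, not from the scan report: audit a PAM "auth" stack file for
# (1) "nullok" on pam_unix.so, which lets an account with an empty password log in, and
# (2) missing or weak pam_faillock.so lockout parameters.
# The sample files below are constructed; the real targets are /etc/pam.d/system-auth
# and /etc/pam.d/password-auth.

# pam_has_nullok FILE -> 0 if any pam_unix.so line carries nullok (or nullok_secure)
pam_has_nullok() {
    grep -E '^[[:space:]]*(auth|password)[[:space:]].*pam_unix\.so.*nullok' "$1" >/dev/null
}

# faillock_line FILE CONTROL -> 0 if an "auth ... pam_faillock.so <CONTROL> ..." line exists
faillock_line() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so[[:space:]].*'"$2" "$1" >/dev/null
}

# faillock_param FILE CONTROL NAME -> numeric value of NAME= on that line, empty if unset
faillock_param() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so[[:space:]].*'"$2" "$1" |
        sed -n 's/.*[[:space:]]'"$3"'=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_pam_auth FILE -> prints one line per finding; returns 0 when clean
check_pam_auth() {
    f=$1; rc=0
    if pam_has_nullok "$f"; then echo "nullok present on pam_unix.so"; rc=1; fi
    for ctl in authfail authsucc; do
        if ! faillock_line "$f" "$ctl"; then
            echo "missing pam_faillock.so $ctl line"; rc=1; continue
        fi
        # name:test-op:bound, e.g. deny must be -le 3
        for spec in deny:le:3 fail_interval:ge:900 unlock_time:ge:604800; do
            name=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; want=${rest#*:}
            got=$(faillock_param "$f" "$ctl" "$name")
            if [ -z "$got" ] || ! [ "$got" "-$op" "$want" ]; then
                echo "$ctl: $name must be -$op $want (got '${got:-unset}')"; rc=1
            fi
        done
    done
    # preauth is not in the STIG fix text, but a full faillock stack normally has it
    # before pam_unix.so so that a locked account is refused before the password prompt
    faillock_line "$f" preauth || echo "note: no preauth line; lockout is not checked before the password prompt"
    return $rc
}

# --- constructed sample stacks ---
demo=$(mktemp -d)
cat >"$demo/weak" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF
cat >"$demo/hardened" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF

for f in weak hardened; do
    echo "== $f"
    check_pam_auth "$demo/$f" && echo "clean"
done
```

Run it against both system-auth and password-auth; a clean system-auth with an untouched password-auth is the common half-fix, and the report's OVAL check looks at both files.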
Remediation script
Result for The /etc/shadow file must be owned by root.
Result: pass
Rule ID: SV-50303r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26947-2
- CCI-000366
Remediation script
Result for The /etc/shadow file must be group-owned by root.
Result: pass
Rule ID: SV-50304r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26967-0
- CCI-000366
Remediation script
Result for The /etc/shadow file must have mode 0000.
Result: pass
Rule ID: SV-50305r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Any permission bits on this file give users other than root a way to read the hashes (or, with write access, to alter them), which could weaken the system security posture.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26992-8
- CCI-000366
Remediation script
Result for IP forwarding for IPv4 must not be enabled, unless the system is a router.
Result: fail
Rule ID: SV-50312r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26866-4
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.ip_forward" kernel parameter, run the following command:
# sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.ip_forward = 0
Remediation script
Result for The operating system must prevent public IPv4 access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
Result: pass
Rule ID: SV-50313r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27018-1
- CCI-001100
Remediation script
Result for The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
Result: fail
Rule ID: SV-50314r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26444-0
- CCI-000066
Remediation instructions
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain, which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables":
:INPUT DROP [0:0]
Before reloading the rules, confirm that the chain still explicitly accepts loopback traffic, packets belonging to established connections and the management port (typically SSH). With a DROP policy anything not explicitly accepted is silently discarded, including the session used to make the change.
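An added example, not part of the scan report: a shell check of an /etc/sysconfig/iptables-style file that confirms the INPUT policy is DROP and, because that is where admins lock themselves out, that the loopback, ESTABLISHED,RELATED and SSH ACCEPT rules are present before the policy is loaded. The rule files are constructed for the demo (the "stock" one mirrors the RHEL 6 default layout); on a host the target is /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the scan report: check an /etc/sysconfig/iptables file for the
# DROP policy this rule wants and for the ACCEPT rules that must exist before that policy
# is safe to load (loopback, established/related replies, the management port).
# The sample rule files below are constructed.

# iptables_input_policy FILE -> policy of the filter table's INPUT chain, empty if absent
iptables_input_policy() {
    awk '/^\*filter/ {f=1} /^COMMIT/ {f=0} f && /^:INPUT / {print $2; exit}' "$1"
}

# iptables_input_has FILE REGEX -> 0 if some "-A INPUT ..." rule in the filter table matches REGEX
iptables_input_has() {
    awk -v pat="$2" '/^\*filter/ {f=1} /^COMMIT/ {f=0}
                     f && /^-A INPUT / && $0 ~ pat {found=1}
                     END {exit !found}' "$1"
}

# check_iptables FILE -> prints findings; 0 when policy is DROP and the safety rules are present
check_iptables() {
    f=$1; rc=0
    pol=$(iptables_input_policy "$f")
    [ "$pol" = DROP ] || { echo "INPUT policy is '${pol:-unset}', want DROP"; rc=1; }
    iptables_input_has "$f" '-i lo .*-j ACCEPT' ||
        { echo "no loopback ACCEPT: local services using 127.0.0.1 break under DROP"; rc=1; }
    iptables_input_has "$f" 'state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' ||
        { echo "no ESTABLISHED,RELATED ACCEPT: replies to outbound connections are dropped"; rc=1; }
    iptables_input_has "$f" '--dport 22 -j ACCEPT' ||
        echo "note: no SSH ACCEPT on tcp/22; confirm management access before reloading"
    return $rc
}

# set_input_drop FILE -> the same file with the INPUT policy switched to DROP, on stdout
set_input_drop() {
    sed 's/^:INPUT ACCEPT \(\[[0-9]*:[0-9]*\]\)/:INPUT DROP \1/' "$1"
}

# --- constructed sample files ---
demo=$(mktemp -d)
# RHEL 6 stock layout: ACCEPT policy with a trailing REJECT rule (this report's "fail")
cat >"$demo/stock" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# DROP policy pasted in without the supporting rules: locks the admin out on reload
cat >"$demo/lockout" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF

for f in stock lockout; do
    echo "== $f"; check_iptables "$demo/$f" && echo "clean"
done
echo "== stock with the policy switched to DROP"
set_input_drop "$demo/stock" > "$demo/fixed" && check_iptables "$demo/fixed" && echo "clean"
```

The policy line is applied by iptables-restore before the rules below it, so the order of the ACCEPT rules relative to the trailing REJECT still matters on a live reload; the check only confirms they exist.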
Remediation script
Result for The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
Result: fail
Rule ID: SV-50315r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Disabling DCCP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26448-1
- CCI-000382
Remediation instructions
The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol designed to support streaming media and telephony. To configure the system to prevent the "dccp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install dccp /bin/false
An "install" directive makes modprobe run the given command instead of loading the module, so it also blocks an explicit "modprobe dccp"; a plain "blacklist dccp" line only prevents automatic loading by alias and is not what this rule checks for.
Remediation script
Result for The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
Result: fail
Rule ID: SV-50316r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26410-1
- CCI-000382
Remediation instructions
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the "sctp" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install sctp /bin/false
Remediation script
Result for The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
Result: fail
Rule ID: SV-50317r2_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Disabling RDS protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26239-4
- CCI-000382
Remediation instructions
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the "rds" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install rds /bin/false
Remediation script
Result for The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
Result: fail
Rule ID: SV-50318r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Disabling TIPC protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26696-5
- CCI-000382
Remediation instructions
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the "tipc" kernel module from being loaded, add the following line to a file in the directory "/etc/modprobe.d":
install tipc /bin/false
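An added example, not part of the scan report, covering the four module rules above (dccp, sctp, rds, tipc) together: it scans a modprobe.d directory for the "install MODULE /bin/false" override each rule wants, distinguishes a module that is merely "blacklist"ed (still loadable by an explicit modprobe) from one with no directive at all, and emits the fragment for whatever is still loadable. The directory and its files are constructed for the demo; on a host the target is /etc/modprobe.d.

```shell
#!/bin/sh
# Added example, not from the scan report: verify that the protocol modules this report
# flags are blocked by an "install <module> /bin/false" directive under a modprobe.d
# directory, and emit the fragment for the ones that are not.
# The directory and files below are constructed; on a host use /etc/modprobe.d.

# module_install_blocked DIR MODULE -> 0 if some DIR/*.conf maps MODULE's install to /bin/false or /bin/true
module_install_blocked() {
    grep -Es '^[[:space:]]*install[[:space:]]+'"$2"'[[:space:]]+/bin/(false|true)([[:space:]]|$)' \
        "$1"/*.conf >/dev/null
}

# module_only_blacklisted DIR MODULE -> 0 if MODULE has a "blacklist" line but no install override.
# "blacklist" only stops alias-based autoloading; "modprobe MODULE" run by root still loads it.
module_only_blacklisted() {
    if module_install_blocked "$1" "$2"; then return 1; fi
    grep -Es '^[[:space:]]*blacklist[[:space:]]+'"$2"'([[:space:]]|$)' "$1"/*.conf >/dev/null
}

# check_protocol_modules DIR MODULE... -> one line per module still loadable; 0 when all are blocked
check_protocol_modules() {
    dir=$1; shift; rc=0
    for mod in "$@"; do
        if module_install_blocked "$dir" "$mod"; then continue; fi
        rc=1
        if module_only_blacklisted "$dir" "$mod"; then
            echo "$mod: only blacklisted, an explicit modprobe still loads it"
        else
            echo "$mod: loadable, no install override"
        fi
    done
    return $rc
}

# modprobe_fragment DIR MODULE... -> the modprobe.d lines needed for the modules still loadable
modprobe_fragment() {
    dir=$1; shift
    for mod in "$@"; do
        module_install_blocked "$dir" "$mod" || printf 'install %s /bin/false\n' "$mod"
    done
}

# --- constructed sample directory ---
demo=$(mktemp -d)
printf 'blacklist dccp\n' > "$demo/blacklist-dccp.conf"    # insufficient for this rule
printf 'install sctp /bin/false\n' > "$demo/sctp.conf"     # correct

check_protocol_modules "$demo" dccp sctp rds tipc || {
    echo "-- fragment to install as $demo/stig-protocols.conf:"
    modprobe_fragment "$demo" dccp sctp rds tipc
}
```

On a live host, "modprobe -n -v dccp" (dry run, verbose) shows whether the override is honoured: it prints the install command instead of an insmod line. A module that is already loaded is not unloaded by the directive; check "lsmod" and reboot or "rmmod" as appropriate.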
Remediation script
Result for All rsyslog-generated log files must be owned by root.
Result: pass
Rule ID: SV-50319r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26812-8
- CCI-001314
Remediation script
Result for The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
Result: fail
Rule ID: SV-50321r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26801-1
- CCI-001348
Remediation instructions
To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately (the brackets are part of the placeholder, not of the syntax). The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @[loghost.example.com]
To use TCP for log message delivery:
*.* @@[loghost.example.com]
To use RELP for log message delivery:
*.* :omrelp:[loghost.example.com]
RELP is provided by the "omrelp" output module (package "rsyslog-relp"), which must be loaded with a "$ModLoad omrelp" line before the forwarding rule; the UDP and TCP forms use built-in modules.
Remediation script
Result for The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
Result: fail
Rule ID: SV-50322r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26801-1
- CCI-000169
Remediation instructions
To configure rsyslog to send logs to a remote log server, open "/etc/rsyslog.conf" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting "[loghost.example.com]" appropriately (the brackets are part of the placeholder, not of the syntax). The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @[loghost.example.com]
To use TCP for log message delivery:
*.* @@[loghost.example.com]
To use RELP for log message delivery:
*.* :omrelp:[loghost.example.com]
RELP is provided by the "omrelp" output module (package "rsyslog-relp"), which must be loaded with a "$ModLoad omrelp" line before the forwarding rule; the UDP and TCP forms use built-in modules.
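An added example, not part of the scan report, serving both remote-logging rules above (SV-50321 and SV-50322 carry the same fix): a shell parser for the "*.*" forwarding line in an rsyslog.conf that reports the transport and catches the two mistakes seen most often, the "[loghost.example.com]" placeholder pasted in with its brackets, and ":omrelp:" used without loading the omrelp module. The configs and the host name "logs.corp.example" are constructed for the demo; on a host the target is /etc/rsyslog.conf.

```shell
#!/bin/sh
# Added example, not from the scan report: parse an rsyslog.conf for the catch-all
# forwarding line this rule asks for, identify the transport, and flag the usual mistakes.
# The sample configs below are constructed; "logs.corp.example" is a placeholder host.

# rsyslog_forward_targets FILE -> one "transport host" line per active "*.*" forwarding rule
rsyslog_forward_targets() {
    awk '/^[[:space:]]*\*\.\*[[:space:]]+(@@|@|:omrelp:)/ {
            t = $2
            if (t ~ /^@@/)      { print "tcp",  substr(t, 3) }
            else if (t ~ /^@/)  { print "udp",  substr(t, 2) }
            else                { print "relp", substr(t, 9) }   # strip ":omrelp:"
        }' "$1"
}

# rsyslog_loads_module FILE MODULE -> 0 if a "$ModLoad MODULE" line is present
rsyslog_loads_module() {
    grep -E '^[[:space:]]*\$ModLoad[[:space:]]+'"$2"'([[:space:]]|$)' "$1" >/dev/null
}

# check_remote_logging FILE -> prints problems (or the usable targets); 0 when forwarding is usable
check_remote_logging() {
    f=$1
    targets=$(rsyslog_forward_targets "$f")
    if [ -z "$targets" ]; then
        echo "no '*.*' forwarding line: logs stay on this host only"; return 1
    fi
    problems=$(printf '%s\n' "$targets" | while read -r tr host; do
        case $host in
            *\[*|*\]*) echo "$tr target '$host': placeholder brackets were never substituted" ;;
        esac
        if [ "$tr" = relp ] && ! rsyslog_loads_module "$f" omrelp; then
            echo "relp target '$host' but no '\$ModLoad omrelp' line (package rsyslog-relp)"
        fi
    done)
    if [ -n "$problems" ]; then printf '%s\n' "$problems"; return 1; fi
    printf '%s\n' "$targets"
}

# --- constructed sample configs ---
demo=$(mktemp -d)
# stock RHEL 6 tail: the forwarding example is still commented out
cat >"$demo/local" <<'EOF'
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
# ### begin forwarding rule ###
#*.* @@remote-host:514
# ### end of the forwarding rule ###
EOF
# pasted straight from the fix text, brackets and all
{ cat "$demo/local"; echo '*.* @@[loghost.example.com]'; } > "$demo/placeholder"
{ cat "$demo/local"; echo '*.* @@logs.corp.example:514'; } > "$demo/tcp"
{ cat "$demo/local"; echo '*.* :omrelp:logs.corp.example'; } > "$demo/relp-nomod"
{ echo '$ModLoad omrelp'; cat "$demo/relp-nomod"; } > "$demo/relp"

for f in local placeholder tcp relp-nomod relp; do
    echo "== $f"; check_remote_logging "$demo/$f"
done
```

A passing check only proves the client side is configured; confirm on the loghost that messages actually arrive (for example with "logger" on the client), since a forwarding line to an unreachable host satisfies the scanner but not the requirement.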
Remediation script
Result for The audit system must be configured to audit all attempts to alter system time through settimeofday.
Result: fail
Rule ID: SV-50323r2_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27203-9
- CCI-000169
Remediation instructions
On a 32-bit system, add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
On a 64-bit system, add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
On a 64-bit system keep the "arch=b32" rule as well: 32-bit binaries enter the kernel through the 32-bit syscall table, which the "arch=b64" rule does not cover. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Remediation script
Result for The system must not accept IPv4 source-routed packets on any interface.
Result: fail
Rule ID: SV-50324r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27037-1
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.all.accept_source_route" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.all.accept_source_route = 0
Remediation script
Result for The system must not accept ICMPv4 redirect packets on any interface.
Result: fail
Rule ID: SV-50325r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27027-2
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.all.accept_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.all.accept_redirects = 0
Remediation script
Result for The audit system must be configured to audit all attempts to alter system time through stime.
Result: pass
Rule ID: SV-50326r3_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27169-2
- CCI-000169
Remediation script
Result for The system must not accept ICMPv4 secure redirect packets on any interface.
Result: fail
Rule ID: SV-50327r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26854-0
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.all.secure_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.all.secure_redirects = 0
Remediation script
Result for The audit system must be configured to audit all attempts to alter system time through clock_settime.
Result: fail
Rule ID: SV-50328r2_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27170-0
- CCI-000169
Remediation instructions
On a 32-bit system, add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
On a 64-bit system, add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
On a 64-bit system keep the "arch=b32" rule as well: 32-bit binaries enter the kernel through the 32-bit syscall table, which the "arch=b64" rule does not cover. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. An example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Remediation script
Result for The system must log Martian packets.
Result: fail
Rule ID: SV-50329r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27066-0
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.all.log_martians" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.all.log_martians = 1
Remediation script
Result for The system must not accept IPv4 source-routed packets by default.
Result: fail
Rule ID: SV-50330r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26983-7
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.default.accept_source_route" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.default.accept_source_route = 0
Remediation script
Result for The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
Result: fail
Rule ID: SV-50331r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27172-6
- CCI-000169
Remediation instructions
Add the following to "/etc/audit/audit.rules":
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
Remediation script
Result for The operating system must automatically audit account creation.
Result: fail
Rule ID: SV-50332r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26664-3
- CCI-000018
Remediation instructions
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
Remediation script
Result for The system must not accept ICMPv4 secure redirect packets by default.
Result: fail
Rule ID: SV-50333r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26831-8
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.default.secure_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.default.secure_redirects = 0
Remediation script
Result for The system must ignore ICMPv4 redirect messages by default.
Result: fail
Rule ID: SV-50334r2_rule
Time: 2015-03-08 14:02
Severity: low
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
Security identifiers
- CCE-27015-7
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.default.accept_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.default.accept_redirects = 0
Remediation script
Result for The operating system must automatically audit account modification.
Result: fail
Rule ID: SV-50335r1_rule
Time: 2015-03-08 14:02
Severity: low
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Security identifiers
- CCE-26664-3
- CCI-001403
Remediation instructions
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
Remediation script
Result for The system must not respond to ICMPv4 sent to a broadcast address.
Result: fail
Rule ID: SV-50336r2_rule
Time: 2015-03-08 14:02
Severity: low
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Security identifiers
- CCE-26883-9
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter, run the following command:
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.icmp_echo_ignore_broadcasts = 1
Remediation script
Result for The operating system must automatically audit account disabling actions.
Result: fail
Rule ID: SV-50337r1_rule
Time: 2015-03-08 14:02
Severity: low
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Security identifiers
- CCE-26664-3
- CCI-001404
Remediation instructions
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
Remediation script
Result for The system must ignore ICMPv4 bogus error responses.
Result: fail
Rule ID: SV-50338r2_rule
Time: 2015-03-08 14:02
Severity: low
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Security identifiers
- CCE-26993-6
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter, run the following command:
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.icmp_ignore_bogus_error_responses = 1
Remediation script
Result for The operating system must automatically audit account termination.
Result: fail
Rule ID: SV-50339r1_rule
Time: 2015-03-08 14:02
Severity: low
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Security identifiers
- CCE-26664-3
- CCI-001405
Remediation instructions
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
Remediation script
Result for The system must be configured to use TCP syncookies.
Result: fail
Rule ID: SV-50340r1_rule
Time: 2015-03-08 14:02
Severity: medium
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
Security identifiers
- CCE-27053-8
- CCI-001095
Remediation instructions
To set the runtime status of the "net.ipv4.tcp_syncookies" kernel parameter, run the following command:
# sysctl -w net.ipv4.tcp_syncookies=1
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.tcp_syncookies = 1
Remediation script
Result for The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
Result: fail
Rule ID: SV-50342r1_rule
Time: 2015-03-08 14:02
Severity: low
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
Security identifiers
- CCE-26657-7
- CCI-000366
Remediation instructions
Add the following to "/etc/audit/audit.rules":
-w /etc/selinux/ -p wa -k MAC-policy
Remediation script
Result for The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
Result: fail
Rule ID: SV-50343r1_rule
Time: 2015-03-08 14:02
Severity: medium
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Security identifiers
- CCE-26979-5
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.all.rp_filter" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.all.rp_filter = 1
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using chmod.
Result: fail
Rule ID: SV-50344r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-26280-8
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
Remediation script
Result for The system must use a reverse-path filter for IPv4 network traffic when possible by default.
Result: fail
Rule ID: SV-50345r1_rule
Time: 2015-03-08 14:02
Severity: medium
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Security identifiers
- CCE-26915-9
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.default.rp_filter" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.default.rp_filter = 1
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using chown.
Result: fail
Rule ID: SV-50346r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27173-4
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
Remediation script
Result for The IPv6 protocol handler must not be bound to the network stack unless needed.
Result: fail
Rule ID: SV-50347r2_rule
Time: 2015-03-08 14:02
Severity: medium
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
Security identifiers
- CCE-27153-6
- CCI-000366
Remediation instructions
To prevent the IPv6 kernel module ("ipv6") from binding to the IPv6 networking stack, add the following line to "/etc/modprobe.d/disabled.conf" (or another file in "/etc/modprobe.d"):
options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
Result: fail
Rule ID: SV-50348r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27174-2
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
Remediation script
Result for The system must ignore ICMPv6 redirects by default.
Result: fail
Rule ID: SV-50349r2_rule
Time: 2015-03-08 14:02
Severity: medium
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Security identifiers
- CCE-27166-8
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv6.conf.default.accept_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv6.conf.default.accept_redirects = 0
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
Result: fail
Rule ID: SV-50351r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27175-9
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using fchown.
Result: fail
Rule ID: SV-50353r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27177-5
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
Result: fail
Rule ID: SV-50355r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27178-3
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
Remediation script
Result for The system must employ a local IPv4 firewall.
Result: pass
Rule ID: SV-50356r2_rule
Time: 2015-03-08 14:02
Severity: medium
The "iptables" service provides the system's host-based firewalling capability for IPv4 and ICMP.
Security identifiers
- CCE-27018-1
- CCI-001118
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
Result: fail
Rule ID: SV-50357r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27179-1
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
Result: fail
Rule ID: SV-50358r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27180-9
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using lchown.
Result: fail
Rule ID: SV-50359r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27181-7
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
Result: fail
Rule ID: SV-50360r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27182-5
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
Result: fail
Rule ID: SV-50362r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27183-3
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
Result: fail
Rule ID: SV-50364r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27184-1
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
Result: fail
Rule ID: SV-50366r2_rule
Time: 2015-03-08 14:02
Severity: low
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Security identifiers
- CCE-27185-8
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
Remediation script
Result for The audit system must be configured to audit successful file system mounts.
Result: fail
Rule ID: SV-50369r2_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26573-6
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=ARCH -S mount -F auid=0 -k export
Remediation script
Result for The system must require passwords to contain at least one uppercase alphabetic character.
Result: fail
Rule ID: SV-50370r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26601-5
- CCI-000192
Remediation instructions
The pam_cracklib module's "ucredit=" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add "ucredit=-1" after pam_cracklib.so to require use of an uppercase character in passwords.
Remediation script
Result for The system must require passwords to contain at least one special character.
Result: fail
Rule ID: SV-50371r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26409-3
- CCI-001619
Remediation instructions
The pam_cracklib module's "ocredit=" parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Add "ocredit=-1" after pam_cracklib.so to require use of a special character in passwords.
Remediation script
Result for The system must require passwords to contain at least one lowercase alphabetic character.
Result: fail
Rule ID: SV-50372r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26631-2
- CCI-000193
Remediation instructions
The pam_cracklib module's "lcredit=" parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add "lcredit=-1" after pam_cracklib.so to require use of a lowercase character in passwords.
Remediation script
Result for The system must require at least four characters be changed between the old and new passwords during a password change.
Result: fail
Rule ID: SV-50373r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26615-5
- CCI-000195
Remediation instructions
The pam_cracklib module's "difok" parameter controls requirements for usage of different characters during a password change. Add "difok=[NUM]" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 4.
Remediation script
Result for The system must disable accounts after three consecutive unsuccessful logon attempts.
Result: fail
Rule ID: SV-50374r3_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26844-1
- CCI-000044
Remediation instructions
To configure the system to lock out accounts after a number of incorrect logon attempts using "pam_faillock.so", add the following lines immediately below the "pam_unix.so" statement in the AUTH section of "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth":
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
Remediation script
Result for The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
Result: pass
Rule ID: SV-50375r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Using a stronger hashing algorithm makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26303-8
- CCI-000803
Remediation script
Result for The audit system must be configured to audit user deletions of files and programs.
Result: fail
Rule ID: SV-50376r4_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26651-0
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
Remediation script
Result for The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
Result: pass
Rule ID: SV-50377r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Using a stronger hashing algorithm makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27228-6
- CCI-000803
Remediation script
Result for The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
Result: pass
Rule ID: SV-50378r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Using a stronger hashing algorithm makes password cracking attacks more difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27229-4
- CCI-000803
Remediation script
Result for The audit system must be configured to audit changes to the /etc/sudoers file.
Result: fail
Rule ID: SV-50379r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26662-7
- CCI-000172
Remediation instructions
At a minimum, the audit system should collect administrator actions for all users and root. Add the following to "/etc/audit/audit.rules":
-w /etc/sudoers -p wa -k actions
Remediation script
Result for The system boot loader configuration file(s) must be owned by root.
Result: fail
Rule ID: SV-50380r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Only root should be able to modify important boot parameters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26995-1
- CCI-000366
Remediation instructions
The file "/etc/grub.conf" should be owned by the "root" user to prevent destruction or modification of the file. To properly set the owner of "/etc/grub.conf", run the command:
# chown root /etc/grub.conf
Remediation script
Result for The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
Result: fail
Rule ID: SV-50381r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26611-4
- CCI-000172
Remediation instructions
Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules
Remediation script
Result for The system boot loader configuration file(s) must be group-owned by root.
Result: fail
Rule ID: SV-50382r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The "root" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27022-3
- CCI-000366
Remediation instructions
The file "/etc/grub.conf" should be group-owned by the "root" group to prevent destruction or modification of the file. To properly set the group owner of "/etc/grub.conf", run the command:
# chgrp root /etc/grub.conf
Remediation script
Result for The xinetd service must be disabled if no network services utilizing it are enabled.
Result: pass
Rule ID: SV-50383r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27046-2
- CCI-000382
Remediation script
Result for The system boot loader configuration file(s) must have mode 0600 or less permissive.
Result: fail
Rule ID: SV-50384r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Proper permissions ensure that only the root user can modify important boot parameters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26949-8
- CCI-000366
Remediation instructions
File permissions for "/boot/grub/grub.conf" should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command:
# chmod 600 /boot/grub/grub.conf
Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.
Remediation script
Result for The xinetd service must be uninstalled if no network services utilizing it are enabled.
Result: pass
Rule ID: SV-50385r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Removing the "xinetd" package decreases the risk of the xinetd service's accidental (or intentional) activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27005-8
- CCI-000382
Remediation script
Result for The system boot loader must require authentication.
Result: fail
Rule ID: SV-50386r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26911-8
- CCI-000213
Remediation instructions
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command:
# grub-crypt --sha-512
Enter the password when prompted. Then insert the following line into "/etc/grub.conf" immediately after the header comments, using the output from "grub-crypt" as the value of [password-hash]:
password --encrypted [password-hash]
Remediation script
Result for The system must require authentication upon booting into single-user and maintenance modes.
Result: fail
Rule ID: SV-50387r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27040-5
- CCI-000213
Remediation instructions
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file "/etc/sysconfig/init":
SINGLE=/sbin/sulogin
Remediation script
Result for The telnet-server package must not be installed.
Result: pass
Rule ID: SV-50388r1_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. Mitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27073-6
- CCI-000381
Remediation script
Result for The system must not permit interactive boot.
Result: fail
Rule ID: SV-50389r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27043-9
- CCI-000213
Remediation instructions
To disable the ability for users to perform interactive startups, edit the file "/etc/sysconfig/init". Add or correct the line:
PROMPT=no
The "PROMPT" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.
Remediation script
Result for The telnet daemon must not be running.
Result: pass
Rule ID: SV-50390r2_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. Mitigation: If an enabled telnet daemon is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26836-7
- CCI-000888
Remediation script
Result for The system must allow locking of the console screen in text mode.
Result: fail
Rule ID: SV-50391r1_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>Installing "screen" ensures a console locking capability is available for users who may need to suspend console logins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26940-7
- CCI-000058
Remediation instructions
To enable console screen locking when in text mode, install the "screen" package:
# yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
Remediation script
Result for The rsh-server package must not be installed.
Result: pass
Rule ID: SV-50392r1_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27062-9
- CCI-000381
Remediation script
Result for The system must require administrator action to unlock an account locked by excessive failed login attempts.
Result: fail
Rule ID: SV-50393r3_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27110-6
- CCI-000047
Remediation instructions
To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using "pam_faillock.so", add the following lines immediately below the "pam_unix.so" statement in the AUTH section of "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth":
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
Note that any updates made to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
Remediation script
Result for The rshd service must not be running.
Result: pass
Rule ID: SV-50395r2_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26994-4
- CCI-000068
Remediation script
Result for The rexecd service must not be running.
Result: pass
Rule ID: SV-50399r2_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27208-8
- CCI-000068
Remediation script
Result for The system must not send ICMPv4 redirects by default.
Result: fail
Rule ID: SV-50401r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27001-7
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.default.send_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.default.send_redirects = 0
Remediation script
Result for The system must not send ICMPv4 redirects from any interface.
Result: fail
Rule ID: SV-50402r1_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27004-1
- CCI-000366
Remediation instructions
To set the runtime status of the "net.ipv4.conf.all.send_redirects" kernel parameter, run the following command:
# sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to "/etc/sysctl.conf":
net.ipv4.conf.all.send_redirects = 0
Remediation script
Result for The rlogind service must not be running.
Result: pass
Rule ID: SV-50403r2_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-26865-6
- CCI-001436
Remediation script
Result for The ypserv package must not be installed.
Result: pass
Rule ID: SV-50404r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Documentable: false
Security identifiers
- CCE-27079-3
- CCI-000381
Remediation script
Result for The ypbind service must not be running.
Result: pass
Rule ID: SV-50405r2_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Disabling the "ypbind" service ensures the system is not acting as a client in a NIS or NIS+ domain.
Documentable: false
Security identifiers
- CCE-26894-6
- CCI-000382
Remediation script
Result for The cron service must be running.
Result: fail
Rule ID: SV-50406r2_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
Documentable: false
Security identifiers
- CCE-27070-2
- CCI-000366
Remediation instructions
The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:
# chkconfig crond on
# service crond start
Remediation script
Result for The tftp-server package must not be installed.
Result: pass
Rule ID: SV-50407r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
Documentable: false
Security identifiers
- CCE-26946-4
- CCI-000381
Remediation script
Result for The SSH daemon must be configured to use only the SSHv2 protocol.
Result: pass
Rule ID: SV-50408r1_rule
Time: 2015-03-08 14:02
Severity: high
Vulnerability discussion: SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Documentable: false
Security identifiers
- CCE-27072-8
- CCI-000774
Remediation script
Result for The SSH daemon must set a timeout interval on idle sessions.
Result: pass
Rule ID: SV-50409r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: Causing idle users to be automatically logged out guards against a compromise on one system leading trivially to compromises on another.
Documentable: false
Security identifiers
- CCE-26919-1
- CCI-001133
Remediation script
Result for The SSH daemon must set a timeout count on idle sessions.
Result: pass
Rule ID: SV-50411r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
Documentable: false
Security identifiers
- CCE-26282-4
- CCI-000879
Remediation script
Result for The SSH daemon must ignore .rhosts files.
Result: pass
Rule ID: SV-50412r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Documentable: false
Security identifiers
- CCE-27124-7
- CCI-000766
Remediation script
Result for The SSH daemon must not allow host-based authentication.
Result: pass
Rule ID: SV-50413r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Documentable: false
Security identifiers
- CCE-27091-8
- CCI-000766
Remediation script
Result for The system must not permit root logins using remote access programs such as ssh.
Result: pass
Rule ID: SV-50414r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Documentable: false
Security identifiers
- CCE-27100-7
- CCI-000770
Remediation script
Result for The SSH daemon must not allow authentication using an empty password.
Result: pass
Rule ID: SV-50415r1_rule
Time: 2015-03-08 14:02
Severity: high
Vulnerability discussion: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Documentable: false
Security identifiers
- CCE-26887-0
- CCI-000766
Remediation script
Result for The SSH daemon must be configured with the Department of Defense (DoD) login banner.
Result: pass
Rule ID: SV-50416r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Documentable: false
Security identifiers
- CCE-27112-2
- CCI-000048
Remediation script
Result for The SSH daemon must not permit user environment settings.
Result: pass
Rule ID: SV-50417r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: SSH environment options potentially allow users to bypass access restrictions in some configurations.
Documentable: false
Security identifiers
- CCE-27201-3
- CCI-001414
Remediation script
Result for The avahi service must be disabled.
Result: pass
Rule ID: SV-50419r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
Documentable: false
Security identifiers
- CCE-27087-6
- CCI-000366
Remediation script
Result for The system clock must be synchronized continuously, or at least daily.
Result: fail
Rule ID: SV-50421r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Enabling the "ntpd" service ensures that the "ntpd" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
Documentable: false
Security identifiers
- CCE-27093-4
- CCI-000160
Remediation instructions
The "ntpd" service can be enabled with the following commands:
# chkconfig ntpd on
# service ntpd start
Remediation script
Result for The system clock must be synchronized to an authoritative DoD time source.
Result: fail
Rule ID: SV-50422r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.
Documentable: false
Security identifiers
- CCE-27098-3
- CCI-000160
Remediation instructions
To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following line, substituting the IP or hostname of a remote NTP server for ntpserver:
server [ntpserver]
This instructs the NTP software to contact that remote server to obtain time data.
Remediation script
Result for Mail relaying must be restricted.
Result: fail
Rule ID: SV-50423r2_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: This ensures "postfix" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
Documentable: false
Security identifiers
- CCE-26780-7
- CCI-000382
Remediation instructions
Edit the file "/etc/postfix/main.cf" to ensure that only the following "inet_interfaces" line appears:
inet_interfaces = localhost
Remediation script
Result for The openldap-servers package must not be installed unless required.
Result: pass
Rule ID: SV-50428r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: Unnecessary packages should not be installed to decrease the attack surface of the system.
Documentable: false
Security identifiers
- CCE-26858-1
- CCI-000366
Remediation script
Result for The graphical desktop environment must set the idle timeout to no more than 15 minutes.
Result: pass
Rule ID: SV-50430r3_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
Documentable: false
Security identifiers
- CCE-26828-4
- CCI-000057
Remediation script
Result for The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
Result: pass
Rule ID: SV-50431r3_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session does not have administrator rights and that the display station is located in a controlled-access area.
Documentable: false
Security identifiers
- CCE-26600-7
- CCI-000057
Remediation script
Result for The system must set a maximum audit log file size.
Result: fail
Rule ID: SV-50434r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Documentable: false
Security identifiers
- CCE-27550-3
- CCI-000366
Remediation instructions
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]:
max_log_file = [STOREMB]
Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
Remediation script
Result for The system must rotate audit log files that reach the maximum file size.
Result: fail
Rule ID: SV-50435r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.
Documentable: false
Security identifiers
- CCE-27237-7
- CCI-000366
Remediation instructions
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf":
max_log_file_action = [ACTION]
Possible values for [ACTION] are described in the "auditd.conf" man page. These include:
- "ignore"
- "syslog"
- "suspend"
- "rotate"
- "keep_logs"
Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Remediation script
Result for The audit system must be configured to audit all attempts to alter system time through adjtimex.
Result: fail
Rule ID: SV-50436r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
Documentable: false
Security identifiers
- CCE-26242-8
- CCI-000169
Remediation instructions
On a 32-bit system, add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
On a 64-bit system, add the following to "/etc/audit/audit.rules":
# audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
Remediation script
Result for The system must retain enough rotated audit logs to cover the required log retention period.
Result: fail
Rule ID: SV-50437r1_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
Documentable: false
Security identifiers
- CCE-27522-2
- CCI-000366
Remediation instructions
Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:
num_logs = [NUMLOGS]
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
Remediation script
Result for The graphical desktop environment must have automatic lock enabled.
Result: pass
Rule ID: SV-50439r3_rule
Time: 2015-03-08 14:02
Severity: medium
Vulnerability discussion: Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.
Documentable: false
Security identifiers
- CCE-26235-2
- CCI-000057
Remediation script
Result for The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
Result: pass
Rule ID: SV-50440r3_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: Setting the screensaver mode to blank-only conceals the contents of the display from passersby.
Documentable: false
Security identifiers
- CCE-26638-7
- CCI-000060
Remediation script
Result for The Automatic Bug Reporting Tool (abrtd) service must not be running.
Result: pass
Rule ID: SV-50441r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.
Documentable: false
Security identifiers
- CCE-27247-6
- CCI-000382
Remediation script
Result for The atd service must be disabled.
Result: pass
Rule ID: SV-50442r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The "atd" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with "at" or "batch" is not common.
Documentable: false
Security identifiers
- CCE-27249-2
- CCI-000382
Remediation script
Result for The system default umask for daemons must be 027 or 022.
Result: pass
Rule ID: SV-50443r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
Documentable: false
Security identifiers
- CCE-27031-4
- CCI-000366
Remediation script
Result for The ntpdate service must not be running.
Result: pass
Rule ID: SV-50445r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The "ntpdate" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program, and ntpdate should be considered deprecated.
Documentable: false
Security identifiers
- CCE-27256-7
- CCI-000382
Remediation script
Result for The system default umask in /etc/login.defs must be 077.
Result: pass
Rule ID: SV-50446r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Documentable: false
Security identifiers
- CCE-26371-5
- CCI-000366
Remediation script
Result for The oddjobd service must not be running.
Result: pass
Rule ID: SV-50447r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The "oddjobd" service may provide necessary functionality in some environments, but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.
Documentable: false
Security identifiers
- CCE-27257-5
- CCI-000382
Remediation script
Result for The system default umask in /etc/profile must be 077.
Result: fail
Rule ID: SV-50448r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Documentable: false
Security identifiers
- CCE-26669-2
- CCI-000366
Remediation instructions
To ensure the default umask controlled by "/etc/profile" is set properly, add or correct the "umask" setting in "/etc/profile" to read as follows:
umask 077
Remediation script
Result for The qpidd service must not be running.
Result: pass
Rule ID: SV-50449r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The qpidd service is automatically installed when the "base" package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the "qpidd" service is not needed and should be disabled or removed.
Documentable: false
Security identifiers
- CCE-26928-2
- CCI-000382
Remediation script
Result for The system default umask for the csh shell must be 077.
Result: fail
Rule ID: SV-50450r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Documentable: false
Security identifiers
- CCE-27034-8
- CCI-000366
Remediation instructions
To ensure the default umask for users of the C shell is set properly, add or correct the "umask" setting in "/etc/csh.cshrc" to read as follows:
umask 077
Remediation script
Result for The rdisc service must not be running.
Result: pass
Rule ID: SV-50451r2_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.
Documentable: false
Security identifiers
- CCE-27261-7
- CCI-000382
Remediation script
Result for The system default umask for the bash shell must be 077.
Result: fail
Rule ID: SV-50452r1_rule
Time: 2015-03-08 14:02
Severity: low
Vulnerability discussion: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.
Documentable: false
Security identifiers
- CCE-26917-5
- CCI-000366
Remediation instructions
To ensure the default umask for users of the Bash shell is set properly, add or correct the "umask" setting in "/etc/bashrc" to read as follows:
    umask 077
Remediation script
Result for The system must use SMB client signing for connecting to samba servers using smbclient.
Result: pass
Rule ID: SV-50457r1_rule
Time: 2015-03-08 14:02
Severity: low
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Security identifiers
- CCE-26328-5
- CCI-000366
Remediation script
Result for The postfix service must be enabled for mail delivery.
Result: fail
Rule ID: SV-50470r1_rule
Time: 2015-03-08 14:02
Severity: low
Local mail delivery is essential to some system maintenance and notification tasks.
Security identifiers
- CCE-26325-1
- CCI-000366
Remediation instructions
The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The "postfix" service can be enabled with the following commands:
    # chkconfig postfix on
    # service postfix start
Remediation script
Result for The sendmail package must be removed.
Result: pass
Rule ID: SV-50472r1_rule
Time: 2015-03-08 14:02
Severity: medium
The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.
Security identifiers
- CCE-27515-6
- CCI-000366
Remediation script
Result for The netconsole service must be disabled unless required.
Result: pass
Rule ID: SV-50473r2_rule
Time: 2015-03-08 14:02
Severity: low
<VulnDiscussion>The "netconsole" service is not necessary unless there is a need to debug kernel panics, which is not common.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27254-2
- CCI-000382
Remediation script
Result for X Windows must not be enabled unless required.
Result: pass
Rule ID: SV-50475r1_rule
Time: 2015-03-08 14:02
Severity: medium
Unnecessary services should be disabled to decrease the attack surface of the system.
Security identifiers
- CCE-27119-7
- CCI-001436
Remediation script
Result for Process core dumps must be disabled unless needed.
Result: fail
Rule ID: SV-50476r2_rule
Time: 2015-03-08 14:02
Severity: low
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Security identifiers
- CCE-27033-0
- CCI-000366
Remediation instructions
To disable core dumps for all users, add the following line to "/etc/security/limits.conf":
    * hard core 0
Remediation script
Result for The xorg-x11-server-common (X Windows) package must not be installed, unless required.
Result: pass
Rule ID: SV-50477r1_rule
Time: 2015-03-08 14:02
Severity: low
Unnecessary packages should not be installed to decrease the attack surface of the system.
Security identifiers
- CCE-27198-1
Remediation script
Result for The DHCP client must be disabled if not needed.
Result: fail
Rule ID: SV-50480r2_rule
Time: 2015-03-08 14:02
Severity: medium
DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.
Security identifiers
- CCE-27021-5
- CCI-000366
Remediation instructions
For each interface [IFACE] on the system (e.g. eth0), edit "/etc/sysconfig/network-scripts/ifcfg-[IFACE]" and make the following changes. Correct the BOOTPROTO line to read:
    BOOTPROTO=none
Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:
    NETMASK=[local LAN netmask]
    IPADDR=[assigned IP address]
    GATEWAY=[local LAN default gateway]
Remediation script
Result for The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
Result: fail
Rule ID: SV-50481r1_rule
Time: 2015-03-08 14:02
Severity: medium
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
Security identifiers
- CCE-27241-9
- CCI-000139
Remediation instructions
The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root
Remediation script
Result for The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
Result: fail
Rule ID: SV-50485r2_rule
Time: 2015-03-08 14:02
Severity: low
Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
Security identifiers
- CCE-27457-1
- CCI-000054
Remediation instructions
Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user, add the following line in "/etc/security/limits.conf":
    * hard maxlogins 10
A documented site-defined number may be substituted for 10 in the above.
Remediation script
Result for The system must provide VPN connectivity for communications over untrusted networks.
Result: fail
Rule ID: SV-50488r2_rule
Time: 2015-03-08 14:02
Severity: low
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
Security identifiers
- CCE-27626-1
- CCI-001130
Remediation instructions
The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The "openswan" package can be installed with the following command:
    # yum install openswan
Remediation script
Result for A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
Result: pass
Rule ID: SV-50489r2_rule
Time: 2015-03-08 14:02
Severity: medium
An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Security identifiers
- CCE-27195-7
- CCI-000050
Remediation script
Result for The Bluetooth service must be disabled.
Result: pass
Rule ID: SV-50492r2_rule
Time: 2015-03-08 14:02
Severity: medium
<VulnDiscussion>Disabling the "bluetooth" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27081-9
- CCI-000085
Remediation script
Result for Accounts must be locked upon 35 days of inactivity.
Result: fail
Rule ID: SV-50493r1_rule
Time: 2015-03-08 14:02
Severity: low
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Security identifiers
- CCE-27283-1
- CCI-000017
Remediation instructions
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:
    INACTIVE=[NUM_DAYS]
A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
Remediation script
Result for The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
Result: fail
Rule ID: SV-50495r1_rule
Time: 2015-03-08 14:02
Severity: low
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Security identifiers
- CCE-27283-1
- CCI-000795
Remediation instructions
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:
    INACTIVE=[NUM_DAYS]
A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the "useradd" man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
Remediation script
Result for The sticky bit must be set on all public directories.
Result: pass
Rule ID: SV-50498r2_rule
Time: 2015-03-08 14:02
Severity: low
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, and by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
Security identifiers
- CCE-26840-9
- CCI-000366
Remediation script
Result for All public directories must be owned by a system account.
Result: pass
Rule ID: SV-50500r2_rule
Time: 2015-03-08 14:02
Severity: low
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
Security identifiers
- CCE-26642-9
- CCI-000366
Remediation script
Result for The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
Result: pass
Rule ID: SV-50502r1_rule
Time: 2015-03-08 14:02
Severity: high
<VulnDiscussion>Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Security identifiers
- CCE-27272-4
- CCI-000366
Remediation script
Result for The system must use a Linux Security Module at boot time.
Result: pass
Rule ID: SV-65547r1_rule
Time: 2015-03-08 14:02
Severity: medium
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
Security identifiers
- CCE-26956-3
- CCI-000366
Remediation script
Result for The system must use a Linux Security Module configured to enforce limits on system services.
Result: fail
Rule ID: SV-65573r1_rule
Time: 2015-03-08 14:02
Severity: medium
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
Security identifiers
- CCE-26969-6
- CCI-000366
Remediation instructions
The SELinux state should be set to "enforcing" at system boot time. In the file "/etc/selinux/config", add or correct the following line to configure the system to boot into enforcing mode:
    SELINUX=enforcing
Remediation script
Result for The system must use a Linux Security Module configured to limit the privileges of system services.
Result: fail
Rule ID: SV-65579r1_rule
Time: 2015-03-08 14:02
Severity: low
Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
Security identifiers
- CCE-26875-5
- CCI-000366
Remediation instructions
The SELinux "targeted" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in "/etc/selinux/config": SELINUXTYPE=targeted Other policies, such as "mls", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Remediation script
Result for The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
Result: fail
Rule ID: SV-66089r1_rule
Time: 2015-03-08 14:02
Severity: medium
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Security identifiers
- CCE-27291-4
- CCI-000366
Remediation instructions
To configure the system to notify users of last logon/access using "pam_lastlog", add the following line immediately after "session required pam_limits.so":
    session required pam_lastlog.so showfailed
Remediation script
Result for The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
Result: fail
Rule ID: SV-68627r1_rule
Time: 2015-03-08 14:02
Severity: medium
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Security identifiers
- CCE-27239-3
- CCI-000366
Remediation instructions
The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately: admin_space_left_action = [ACTION] Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.
Remediation script