Severity | CCE | Description | Setting | Rationale | Impact | Category | References |
---|---|---|---|---|---|---|---|
Introduction: The purpose of this guidance is to provide security configuration recommendations and baselines for the Red Hat Enterprise Linux (RHEL) 6 operating system. The guidance provided here should be applicable to all variants (Desktop, Server, Advanced Platform) of the product. Recommended settings for the basic operating system are provided, as well as for many network services that the system can provide to other systems. The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Red Hat's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security. | |||||||
General Principles: The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not explicitly covered. | |||||||
Encrypt Transmitted Data Whenever Possible: Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local network, it should still be encrypted. Encrypting authentication data, such as passwords, is particularly important. Networks of RHEL6 machines can and should be configured so that no unencrypted authentication data is ever transmitted between machines. | |||||||
Minimize Software to Minimize Vulnerability: The simplest way to avoid vulnerabilities in software is to avoid installing that software. On RHEL, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) allows for careful management of the set of software packages installed on a system. Installed software contributes to system vulnerability in several ways. Packages that include setuid programs may provide local attackers a potential path to privilege escalation. Packages that include network services may give this opportunity to network-based attackers. Packages that include programs which are predictably executed by local users (e.g. after graphical login) may provide opportunities for trojan horses or other attack code to be run undetected. The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need. | |||||||
Run Different Network Services on Separate Systems: Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compromised in the event that an attacker is able to successfully exploit a software flaw in one network service. | |||||||
Configure Security Tools to Improve System Robustness: Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve robustness against attack at the cost of relatively little configuration effort. In particular, this guide recommends and discusses the use of Iptables for host-based firewalling, SELinux for protection against vulnerable services, and a logging and auditing infrastructure for detection of problems. | |||||||
Least Privilege: Grant the least privilege necessary for user accounts and software to perform tasks. For example, | |||||||
How to Use This Guide: Readers should heed the following points when using the guide. | |||||||
Read Sections Completely and in Order: Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion will occur after instructions for an action. The system-level configuration guidance in Chapter 2 must be applied to all machines. The guidance for individual services in Chapter 3 must be considered for all machines as well: apply the guidance if the machine is | |||||||
Test in Non-Production Environment: This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible. | |||||||
Root Shell Environment Assumed: Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the | |||||||
Formatting Conventions: Commands intended for shell execution, as well as configuration file text, are featured in a | |||||||
Reboot Required: A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will not take effect until a reboot is performed. In order to ensure that changes are applied properly and to test functionality, always reboot the system after applying a set of recommendations from this guide. | |||||||
System Settings | |||||||
Installing and Maintaining Software: The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates. | |||||||
Disk Partitioning: To ensure separation and protection of data there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning scheme creates separate logical volumes for | |||||||
low | CCE-26435-8 | Ensure /tmp Located On Separate Partition | The | The | Stinging Nettle | Charity | DISA CCI 1208 |
low | CCE-26639-5 | Ensure /var Located On Separate Partition | The | Ensuring that | Sore Throat | Kindness | DISA CCI 1208 |
low | CCE-26215-4 | Ensure /var/log Located On Separate Partition | System logs are stored in the | Placing | Gallstones | Temperance | NIST SP800-53 AU-9 DISA CCI 1208 |
low | CCE-26436-6 | Ensure /var/log/audit Located On Separate Partition | Audit logs are stored in the | Placing | Dehydration | Kindness | NIST SP800-53 AU-9 DISA CCI 137, 138, 1208 |
low | CCE-26557-9 | Ensure /home Located On Separate Partition | If user home directories will be stored locally, create a separate partition for | Ensuring that | Cramps | Diligence | DISA CCI 1208 |
low | ns | Encrypt Partitions | Red Hat Enterprise Linux 6 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. | The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. | Hiccups | Patience | DISA CCI 1019, 1199, 1200 |
Updating Software: The | |||||||
high | CCE-26506-6 | Ensure Red Hat GPG Key Installed | To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them if desired), the Red Hat GPG key must properly be installed. To ensure the GPG key is installed, run: | This key is necessary to cryptographically verify packages are from Red Hat. | Diarrhea | Diligence | NIST SP800-53 SI-7 DISA CCI 351 |
high | CCE-26709-6 | Ensure gpgcheck Enabled In Main Yum Configuration | The | Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. | Tooth Ache | Humility | NIST SP800-53 SI-7 DISA CCI 352, 663 |
high | CCE-26647-8 | Ensure gpgcheck Enabled For All Yum Package Repositories | To ensure signature checking is not disabled for any repos, remove any lines from files in | Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering. | Muscle Soreness | Kindness | NIST SP800-53 SI-7 DISA CCI 352, 663 |
high | ns | Ensure Software Patches Installed | If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. | Blisters | Patience | NIST SP800-53 SI-2 DISA CCI 1227, 1233 |
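The following shell functions, added here as an example rather than taken from the guide, compute the effective gpgcheck value of each yum repository by reading the [main] default from yum.conf and any per-repository override from the .repo files; the sample configuration files they write are constructed, and the repository names and URLs in them are assumptions.

```shell
# Added example: audit the effective gpgcheck value of every yum repository.
# Usage: yum_gpgcheck_audit /etc/yum.conf /etc/yum.repos.d/*.repo
# Prints "<file>:<repo>: gpgcheck=<value>" per repository section and
# returns 0 only if every repository ends up with gpgcheck=1.
yum_gpgcheck_audit() {
    local main_conf="$1" default rc=0 f; shift
    # The [main] section of yum.conf supplies the default; yum treats an
    # absent gpgcheck as 0 (signature checking off).
    default=$(awk -F= '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect) }
        sect == "main" && $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { val = $2; gsub(/[ \t]/, "", val) }
        END { print (val == "" ? "0" : val) }' "$main_conf")
    # yum.conf itself may carry repository sections, so it is scanned too.
    for f in "$main_conf" "$@"; do
        awk -F= -v def="$default" -v file="$f" '
            function flush(  v) {
                if (sect == "" || sect == "main") return
                v = (val == "" ? def : val)      # per-repo value overrides [main]
                print file ":" sect ": gpgcheck=" v
                if (v != "1") bad = 1
            }
            /^[ \t]*\[/ { flush(); sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); val = "" }
            sect != "" && $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { val = $2; gsub(/[ \t]/, "", val) }
            END { flush(); exit bad }' "$f" || rc=1
    done
    return $rc
}

# Constructed sample configuration (not from a real system), written into
# the directory given as $1 so the audit can be exercised offline.
gpgcheck_demo_setup() {
    cat > "$1/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck = 1
plugins=1
EOF
    cat > "$1/rhel.repo" <<'EOF'
[rhel-6-server]
name=Constructed signed repository
baseurl=http://repo.example.invalid/rhel6
enabled=1
gpgcheck=1
EOF
    cat > "$1/extras.repo" <<'EOF'
[extras-unsigned]
name=Constructed repository with signature checking turned off
baseurl=http://repo.example.invalid/extras
enabled=1
gpgcheck=0

[extras-inherit]
name=Constructed repository relying on the yum.conf default
baseurl=http://repo.example.invalid/inherit
enabled=1
EOF
}

gpgcheck_demo() {
    local d; d=$(mktemp -d)
    gpgcheck_demo_setup "$d"
    yum_gpgcheck_audit "$d/yum.conf" "$d/rhel.repo" "$d/extras.repo" \
        || echo "FAIL: at least one repository installs packages without signature checks"
    rm -rf "$d"
}

gpgcheck_demo
```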
Software Integrity Checking: Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE is the successor to the well-known Tripwire integrity checker. The RPM package management system can conduct integrity checks by comparing information in its metadata database with files installed on the system. | |||||||
Verify Integrity with AIDE: AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database should be created immediately after your system is built, and before the system is connected to any network. AIDE is highly configurable, with further configuration information located in | |||||||
medium | CCE-27024-9 | Install AIDE | Install the AIDE package with the command: | The AIDE package must be installed if it is to be available for integrity checking. | Acne | Temperance | DISA CCI 1069 |
low | CCE-TODO | Disable Prelinking | The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file | The prelinking feature can interfere with the operation of AIDE, because it changes binaries. | Blisters | Kindness | |
low | ns | Build and Test AIDE Database | Run the following command to generate a new database: | For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. | Bruising | Charity | |
medium | CCE-TODO | Configure Periodic Execution of AIDE | AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to | By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. | Black Eye | Chastity | DISA CCI 374, 416, 1069, 1263, 1297, 1589 |
Verify Integrity with RPM: The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database. Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To list which files on the system differ from what is expected by the RPM database: | |||||||
low | CCE-26731-0 | Verify File Permissions with RPM | The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. The following command will list which files on the system have permissions different from what is expected by the RPM database: | Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. | Warts | Temperance | DISA CCI 1493, 1494, 1495 |
low | CCE-TODO | Verify File Hashes with RPM | The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: | The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. | Influenza | Kindness | DISA CCI 1496 |
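An added example, not from the guide, that triages the output of rpm -Va so that mode, owner and group drift is reported separately from digest changes; the sample rpm -Va lines and file paths are constructed for demonstration, and the helper goes beyond the guide's mode check by also reporting owner and group changes.

```shell
# Added example: classify `rpm -Va` output so permission drift and content
# (digest) changes can be reviewed separately. Reads rpm -Va lines on stdin.
# Flag columns, left to right: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; "missing" replaces the flags for
# files that no longer exist on disk.
rpm_verify_triage() {
    awk '
    NF < 2 { next }                              # skip blank or malformed lines
    {
        flags = $1; path = $NF
        attr = (NF >= 3) ? $2 : ""               # c config, d doc, g ghost, l license, r readme
        if (flags == "missing") { print "MISSING " path; next }
        perm = (substr(flags, 2, 1) == "M" || substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
        hash = (substr(flags, 3, 1) == "5")
        if (perm) print "PERMS   " path
        # A changed digest on a config file (attribute c) usually reflects local
        # administration, so it is reported apart from modified binaries.
        if (hash) { label = (attr == "c") ? "CONFIG  " : "HASH    "; print label path }
        if (!perm && !hash) print "OTHER   " path   # e.g. mtime-only differences
    }'
}

# Files whose mode, owner or group differs from the RPM database.
rpm_verify_mode_changes() { rpm_verify_triage | awk '$1 == "PERMS" { print $2 }'; }

# Non-config files whose digest differs from the RPM database.
rpm_verify_hash_changes() { rpm_verify_triage | awk '$1 == "HASH" { print $2 }'; }

# Constructed rpm -Va output (not captured from a real system).
rpm_verify_sample() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
.....UG..    /usr/lib64/libexample.so.1
S.5....T.    /bin/login
.......T.    /usr/share/doc/example/README
missing      /usr/bin/example-helper
EOF
}

# On a live system: rpm -Va | rpm_verify_triage
rpm_verify_sample | rpm_verify_triage
```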
Additional Security Software: Additional security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base platform. | |||||||
high | ns | Install Intrusion Detection Software | The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. | Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime. | Muscle Cramping | Charity | NIST SP800-53 SC-7 DISA CCI 1263 |
low | ns | Install Virus Scanning Software | Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee uvscan virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail. | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | Overall Wellness | Diligence | DISA CCI 1239, 1668 |
File Permissions and Masks: Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. Adhere to the principle of least privilege - configure each file, directory, and filesystem to allow only the access needed in order for that file to serve its purpose. | |||||||
Restrict Partition Mount Options: System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the | |||||||
low | CCE-27045-4 | Add nodev Option to Non-Root Local Partitions | The | The | Hives | Humility | NIST SP800-53 CM-7 |
low | CCE-26860-7 | Add nodev Option to Removable Media Partitions | The | The only legitimate location for device files is the | Cuts | Kindness | |
low | CCE-27196-5 | Add noexec Option to Removable Media Partitions | The | Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. | Ingrown Toenails | Kindness | DISA CCI 87 |
low | CCE-27056-1 | Add nosuid Option to Removable Media Partitions | The | The presence of suid and sgid executables should be tightly controlled. Users should not be able to execute suid or sgid binaries from partitions mounted off of removable media. | Fever | Humility | |
low | CCE-26499-4 | Add nodev Option to /tmp | The | The only legitimate location for device files is the | Cramps | Charity | |
low | CCE-26720-3 | Add noexec Option to /tmp | The | Allowing users to execute binaries from world-writable directories such as | Spina Bifida | Humility | |
low | CCE-26762-5 | Add nosuid Option to /tmp | The | The presence of suid and sgid executables should be tightly controlled. Users should not be able to execute suid or sgid binaries from temporary storage partitions. | Bad Breath | Humility | |
low | CCE-26778-1 | Add nodev Option to /dev/shm | The | The only legitimate location for device files is the | Ingrown Toenails | Chastity | |
low | CCE-26622-1 | Add noexec Option to /dev/shm | The | Allowing users to execute binaries from world-writable directories such as | Canker Sores | Patience | |
low | CCE-26486-1 | Add nosuid Option to /dev/shm | The | The presence of suid and sgid executables should be tightly controlled. Users should not be able to execute suid or sgid binaries from temporary storage partitions. | Diabetes | Charity | |
low | CCE-26582-7 | Bind Mount /var/tmp To /tmp | The | Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location | Arthritis | Chastity | NIST SP800-53 CM-7 |
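An added example (not the guide's own code) that checks an fstab against the partitioning and mount option rows above in one pass: the required separate mount points, the nodev/noexec/nosuid options on /tmp and /dev/shm, nodev on other local filesystems, and the /var/tmp bind mount. The sample fstab, its device names and the placeholder UUID are constructed.

```shell
# Added example: audit /etc/fstab (or a copy of it) against the partitioning and
# mount option recommendations. Usage: fstab_audit /etc/fstab
# Prints one finding per line and returns 1 if anything was found.
fstab_audit() {
    awk '
    function has(list, opt,  i, n, a) {          # is opt in a comma-separated option list?
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == opt) return 1
        return 0
    }
    function flag(msg) { print msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    { dev[$2] = $1; type[$2] = $3; opts[$2] = $4 }
    END {
        # Directories the guide wants on their own partition or logical volume.
        n = split("/tmp /var /var/log /var/log/audit /home", req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in opts)) flag("MISSING   " req[i] " is not a separate mount point")
        # World-writable temporary storage must carry nodev, noexec and nosuid.
        n = split("/tmp /dev/shm", tmp, " ")
        m = split("nodev noexec nosuid", want, " ")
        for (i = 1; i <= n; i++) if (tmp[i] in opts)
            for (j = 1; j <= m; j++)
                if (!has(opts[tmp[i]], want[j])) flag("OPTION    " tmp[i] " lacks " want[j])
        # Every other non-root local filesystem should carry nodev.
        for (mp in opts)
            if (mp != "/" && mp != "/tmp" && type[mp] ~ /^(ext[234]|xfs)$/ && !has(opts[mp], "nodev"))
                flag("OPTION    " mp " lacks nodev")
        # /var/tmp should be a bind mount of /tmp rather than a second scratch area.
        if (!("/var/tmp" in opts) || dev["/var/tmp"] != "/tmp" || !has(opts["/var/tmp"], "bind"))
            flag("BIND      /var/tmp is not bind-mounted to /tmp")
        exit bad
    }' "$1"
}

# Constructed fstab (not from a real system): /home is missing, /tmp lacks noexec,
# /boot lacks nodev and /var/tmp is not bind-mounted.
fstab_sample() {
    cat <<'EOF'
# constructed example
/dev/mapper/vg-root    /               ext4   defaults               1 1
UUID=PLACEHOLDER-BOOT  /boot           ext4   defaults               1 2
/dev/mapper/vg-tmp     /tmp            ext4   nodev,nosuid           1 2
/dev/mapper/vg-var     /var            ext4   nodev                  1 2
/dev/mapper/vg-varlog  /var/log        ext4   nodev                  1 2
/dev/mapper/vg-audit   /var/log/audit  ext4   nodev                  1 2
tmpfs                  /dev/shm        tmpfs  nodev,nosuid,noexec    0 0
/dev/mapper/vg-swap    swap            swap   defaults               0 0
EOF
}

fstab_demo() {
    local f; f=$(mktemp)
    fstab_sample > "$f"
    fstab_audit "$f" || echo "FAIL: fstab deviates from the baseline"
    rm -f "$f"
}

fstab_demo
```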
Restrict Dynamic Mounting and Unmounting of Filesystems: Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may increase convenience, but they all bring some risk -- whether direct risk from allowing unprivileged users to introduce arbitrary filesystems to a machine, or risk that software flaws in the automated mount facility itself will allow an attacker to compromise the system. | |||||||
low | CCE-27192-4 | Restrict Console Device Access to Desktop Workstations | If the display manager has been altered to allow remote users to log in and the host is configured to run at runlevel 5, change console as well as the xconsole directive in the | When a user logs in, the pam_console.so module is called via the login command or by a graphical login program such as gdm, kdm, or xdm. If this user is the first to log into the physical console (the console user), the module grants that user control of a wide variety of devices which normally belong to root. Administrative privileges should be limited for non-root users. Review the man page for | Headache | Chastity | |
low | CCE-26892-0 | Restrict Console Device Access to Servers | If the display manager has been altered to allow remote users to log in and the host is configured to run at runlevel 5, change console as well as the xconsole directive in the | When a user logs in, the pam_console.so module is called via the login command or by a graphical login program such as gdm, kdm, or xdm. If this user is the first to log into the physical console (the console user), the module grants that user control of a wide variety of devices which normally belong to root. Administrative privileges should be limited for non-root users. Review the man page for | Cold Sore | Humility | |
low | CCE-27016-5 | Disable Modprobe Loading of USB Storage Driver | To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the | USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled. | Parkinson's Disease | Kindness | DISA CCI 1250, 85 |
low | CCE-27011-6 | Disable Kernel Support for USB via Bootloader Configuration | Another means of disabling USB storage is to disable all USB support provided by the operating system. This can be accomplished by adding the | Disabling the USB subsystem within the Linux kernel at system boot will also disable USB storage devices if they are plugged into the system. Support for these devices should be disabled and the devices themselves should be tightly controlled. | Constipation | Diligence | DISA CCI 1250, 85 |
low | CCE-26952-2 | Disable Booting from USB Devices | An attacker with physical access could try to boot the system from a USB flash drive and then access any data on the system's hard drive, circumventing the normal operating system's access controls. To prevent this, configure the BIOS to disallow booting from USB drives. Also configure the BIOS or firmware password as described in the section titled "Set BIOS Password" to prevent unauthorized configuration changes. | Booting a system from a USB device would allow an attacker to circumvent any security measures offered by the native OS. Attackers could mount partitions and modify the configuration of the native OS. The BIOS should be configured to disallow booting from USB media. | Diarrhea | Kindness | DISA CCI 1250, 85 |
low | CCE-26976-1 | Disable the Automounter | The | All filesystems that are required for the successful operation of the system should be explicitly listed in | Influenza | Patience | DISA CCI 1250, 85 |
low | CCE-27035-5 | Disable GNOME Automounting | The system's default desktop environment, GNOME, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME by running the following: | The system's capabilities for automatic mounting should be configured to match whatever is defined by security policy. Disabling USB storage as described in the USB section will prevent the use of USB storage devices, but this step should also be taken as an additional layer of protection to prevent automatic mounting of CDs and DVDs. | Ingrown Toenails | Chastity | DISA CCI 1250, 85 |
low | CCE-26340-0 | Disable Mounting of cramfs | To configure the system to prevent the | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | Halitosis | Humility | NIST SP800-53 CM-7 |
low | CCE-26544-7 | Disable Mounting of freevxfs | To configure the system to prevent the | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | Obesity | Kindness | NIST SP800-53 CM-7 |
low | CCE-26670-0 | Disable Mounting of jffs2 | To configure the system to prevent the | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | Cramps | Kindness | NIST SP800-53 CM-7 |
low | CCE-26800-3 | Disable Mounting of hfs | To configure the system to prevent the | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | Overall Wellness | Charity | NIST SP800-53 CM-7 |
low | CCE-26361-6 | Disable Mounting of hfsplus | To configure the system to prevent the | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | Pink Eye | Temperance | NIST SP800-53 CM-7 |
low | CCE-26404-4 | Disable Mounting of squashfs | To configure the system to prevent the | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | Halitosis | Humility | NIST SP800-53 CM-7 |
low | CCE-26677-5 | Disable Mounting of udf | To configure the system to prevent the | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. | Sprain | Charity | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable All GNOME Thumbnailers | The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. The following command can disable the execution of these thumbnail applications: | An attacker with knowledge of a flaw in a GNOME thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required. | Chickenpox | Humility | NIST SP800-53 CM-7 |
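An added example, not the guide's own code, that checks /etc/modprobe.d for the lines disabling the filesystem modules listed above and the USB storage driver; it assumes the standard modprobe mechanism of an "install <module> /bin/true" line, and the sample configuration files it writes are constructed.

```shell
# Added example: verify that unneeded filesystem kernel modules and the USB
# storage driver are disabled in /etc/modprobe.d. A module counts as disabled
# when some *.conf file there carries "install <module> /bin/true" (modprobe
# then runs /bin/true instead of loading it); a plain "blacklist" line only
# stops automatic loading, so it is reported as partial.
# Usage: modprobe_disable_audit /etc/modprobe.d cramfs freevxfs ...
modprobe_disable_audit() {
    local dir="$1" mod rc=0; shift
    for mod in "$@"; do
        if cat "$dir"/*.conf 2>/dev/null \
           | awk -v m="$mod" '$1 == "install" && $2 == m && $3 == "/bin/true" { f = 1 } END { exit !f }'; then
            echo "DISABLED  $mod"
        elif cat "$dir"/*.conf 2>/dev/null \
             | awk -v m="$mod" '$1 == "blacklist" && $2 == m { f = 1 } END { exit !f }'; then
            echo "PARTIAL   $mod (blacklisted only; can still be loaded on request)"; rc=1
        else
            echo "ENABLED   $mod"; rc=1
        fi
    done
    return $rc
}

# Module list from the guide: filesystems with no local use plus usb-storage.
MODPROBE_AUDIT_MODULES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf usb-storage"

# Constructed modprobe.d directory (not a real system) written under $1:
# udf is left enabled and usb-storage is only blacklisted.
modprobe_demo_setup() {
    cat > "$1/fs-disable.conf" <<'EOF'
# constructed example
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
EOF
    cat > "$1/usb.conf" <<'EOF'
blacklist usb-storage
EOF
}

modprobe_demo() {
    local d; d=$(mktemp -d)
    modprobe_demo_setup "$d"
    modprobe_disable_audit "$d" $MODPROBE_AUDIT_MODULES || echo "FAIL: some modules remain loadable"
    rm -rf "$d"
}

modprobe_demo
```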
Verify Permissions on Important Files and Directories: Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen. | |||||||
Verify Permissions on Files with Local Account Information and Credentials: The default restrictive permissions for files which act as important security databases such as | |||||||
medium | CCE-26947-2 | Verify User Who Owns shadow File | To properly set the owner of | The | Diabetes | Patience | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26967-0 | Verify Group Who Owns shadow File | To properly set the group owner of | The | Tooth Ache | Patience | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26992-8 | Verify Permissions on shadow File | To properly set the permissions of | The | Pain | Humility | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26822-7 | Verify User Who Owns group File | To properly set the owner of | The | Halitosis | Humility | NIST SP800-53 AC-6 |
medium | CCE-26930-8 | Verify Group Who Owns group File | To properly set the group owner of | The | Fever | Kindness | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26954-8 | Verify Permissions on group File | To properly set the permissions of | The | Pink Eye | Humility | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-27026-4 | Verify User Who Owns gshadow File | To properly set the owner of | The | High Cholesterol | Temperance | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26975-3 | Verify Group Who Owns gshadow File | To properly set the group owner of | The | Tooth Ache | Humility | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26951-4 | Verify Permissions on gshadow File | To properly set the permissions of | The | Bloody Nose | Humility | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26953-0 | Verify User Who Owns passwd File | To properly set the owner of | The | Overall Wellness | Diligence | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26856-5 | Verify Group Who Owns passwd File | To properly set the group owner of | The | Muscle Cramping | Temperance | NIST SP800-53 AC-6 DISA CCI 225 |
medium | CCE-26868-0 | Verify Permissions on passwd File | To properly set the permissions of | If the | Sore Throat | Charity | NIST SP800-53 AC-6 DISA CCI 225 |
Verify File Permissions Within Some Important Directories: Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. As such, an argument exists to verify that files' permissions within these directories remain configured correctly and restrictively. | |||||||
medium | ns | Verify that Shared Library Files Have Restrictive Permissions | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. | Hangover | Temperance | NIST SP800-53 AC-6 DISA CCI 1499 |
medium | ns | Verify that Shared Library Files Have Root Ownership | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. | Canker Sores | Temperance | NIST SP800-53 AC-6 DISA CCI 1499 |
medium | ns | Verify that System Executables Have Restrictive Permissions | System executables are stored in the following directories by default: | System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. | Jaundice | Charity | NIST SP800-53 AC-6 DISA CCI 1499 |
medium | ns | Verify that System Executables Have Root Ownership | System executables are stored in the following directories by default: | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted. | Burns | Humility | NIST SP800-53 AC-6 DISA CCI 1499 |
low | CCE-26840-9 | Verify that All World-Writable Directories Have Sticky Bits Set | When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. | Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. | Bedwetting | Chastity | NIST SP800-53 AC-6 |
medium | CCE-26910-0 | Ensure No World-Writable Files Exist | It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. | Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files. | Hives | Kindness | NIST SP800-53 AC-6 |
low | CCE-26769-0 | Ensure All Setgid Executables Are Authorized | The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. | Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. | Upset Stomach | Humility | |
low | CCE-26497-8 | Ensure All SUID Executables Are Authorized | The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. | Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. | Pink Eye | Charity | |
low | CCE-27032-2 | Ensure All Files Are Owned by a User | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future (a new account that reuses the orphaned UID would silently inherit them), and the cause should be discovered and addressed. | Red Eyes | Charity | NIST SP800-53 AC-6 DISA CCI 224 |
low | CCE-26872-2 | Ensure All Files Are Owned by a Group | If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. | Files without a valid group owner do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted group or account. The files should be repaired so they will not cause problems when groups are created in the future (a new group that reuses the orphaned GID would silently inherit them), and the cause should be discovered and addressed. | Cuts | Temperance | NIST SP800-53 AC-6 DISA CCI 224 |
low | CCE-26642-9 | Ensure All World-Writable Directories Are Owned by a System Account | All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the directories should be removed or reassigned to root or another system account. | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. | Motion Sickness | Temperance | NIST SP800-53 AC-6 |
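The four file-system checks above (unpackaged SUID and SGID files, unowned files, user-owned world-writable directories) can be run as one script. The following is an added example, not part of the guide; it assumes GNU find and, on RHEL, rpm(8), whose rpm -V is what supplies the cryptographic verification the Setting column refers to. The uid boundary of 500 for system accounts is RHEL 6's convention. On a host without rpm the package column reads NO-RPM so the script still runs for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: audit setuid/setgid executables, unowned
# files and user-owned world-writable directories under the tree given as $1.
# Assumes GNU find; rpm(8) is used when present (RHEL), otherwise the package
# column reads NO-RPM so the functions still run elsewhere for illustration.

# Print "PACKAGE<TAB>PATH" for every setuid or setgid regular file.  A file
# not owned by any package is reported as UNPACKAGED and deserves investigation.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$f" 2>/dev/null) || pkg=UNPACKAGED
        else
            pkg=NO-RPM
        fi
        printf '%s\t%s\n' "$pkg" "$f"
    done
}

# For a packaged file, print rpm -V's line for it when the installed copy
# differs from the package manifest (mode M, owner U, group G, digest 5);
# prints nothing, exit 1, when the file still matches its package.
packaged_file_changes() {
    rpm -V "$(rpm -qf "$1")" 2>/dev/null | grep -F -- "$1"
}

# Files and directories whose uid or gid no longer maps to a passwd/group entry.
list_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# World-writable directories not owned by a system account: RHEL 6 allocates
# uids below 500 to system accounts, so anything owned by uid >= 500 is a user.
list_user_owned_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -uid +499 2>/dev/null
}

# Live use against the whole system, as root:
#   list_suid_sgid / | awk -F'\t' '$1 == "UNPACKAGED"'
#   list_unowned /
#   list_user_owned_world_writable_dirs /
```

Run the scan once per local partition (the -xdev keeps find from crossing into NFS or /proc) and keep the output as a baseline; a new UNPACKAGED line on a later run is the finding worth chasing.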
Restrict Programs from Dangerous Execution PatternsThe recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs. | |||||||
Daemon UmaskThe umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initialization scripts which set the default umask for system daemons. | |||||||
low | CCE-27031-4 | Set Daemon Umask | The file | The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions. | Bloody Nose | Kindness | NIST SP800-53 AC-6 |
Disable Core DumpsA core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space. | |||||||
low | CCE-27033-0 | Disable Core Dumps for All Users | To disable core dumps for all users, add the following line to
| A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. | Black Eye | Kindness | NIST SP800-53 SC-5 |
low | CCE-27044-7 | Disable Core Dumps for SUID programs |
To set the runtime status of the | The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. | Bruising | Kindness | NIST SP800-53 SI-11 |
Enable ExecShieldExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and other memory regions, prevention of execution in memory that should only hold data, and special handling of text buffers. These protections are enabled by default and controlled through | |||||||
medium | CCE-27007-4 | Enable ExecShield |
To set the runtime status of the | ExecShield uses the segmentation feature of 32-bit x86 processors to prevent execution in memory higher than a certain address (64-bit x86 kernels rely on the NX bit described below instead). It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. | Bad Breath | Humility | |
medium | CCE-26999-3 | Enable Randomized Layout of Virtual Address Space |
To set the runtime status of the | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. | Arthritis | Diligence | |
Enable Execute Disable (XD) or No Execute (NX) Support on x86 SystemsRecent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature. | |||||||
low | CCE-27010-8 | Install PAE Kernel on Supported 32-bit x86 Systems | Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support:
| On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support. | Burns | Temperance | |
low | CCE-27012-4 | Enable NX or XD Support in the BIOS | Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. | Snake Bite | Kindness | |
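The sysctl rows above (ExecShield, ASLR, core dumps for SUID programs), the core-dump limit, and the PAE/NX decision can all be verified from data the kernel already exposes. The following is an added example, not part of the guide: check_sysctls reads the output of sysctl -a, check_core_limit reads a limits.conf, and cpu_nx_status reads /proc/cpuinfo together with the machine type from uname -m. The sysctl names (kernel.exec-shield, kernel.randomize_va_space, fs.suid_dumpable) and the "* hard core 0" pam_limits line are the RHEL 6 forms; they are not quoted from this page.

```shell
#!/bin/sh
# Added example, not from the guide: audit the kernel execution protections in
# this section.  check_sysctls reads `sysctl -a` output, check_core_limit reads
# a limits.conf, cpu_nx_status reads /proc/cpuinfo.  The sysctl names are
# RHEL 6's (kernel.exec-shield, kernel.randomize_va_space, fs.suid_dumpable);
# "* hard core 0" is the pam_limits line that forbids core files for everyone.

# Expected values: exec-shield on, full ASLR, no core dumps from setuid programs.
# Prints a FAIL or MISSING line per deviation; exit 1 if any.
check_sysctls() {
    awk '
        BEGIN { want["kernel.exec-shield"] = 1
                want["kernel.randomize_va_space"] = 2
                want["fs.suid_dumpable"] = 0 }
        /=/ { n = $1; v = $NF
              if (n in want) { seen[n] = 1
                               if (v != want[n]) { print "FAIL", n, "is", v, "want", want[n]; bad++ } } }
        END { for (n in want) if (!(n in seen)) { print "MISSING", n; bad++ }
              exit bad ? 1 : 0 }'
}

# True when limits.conf ($1) contains an uncommented "* hard core 0" line.
check_core_limit() {
    awk '$1 == "*" && $2 == "hard" && $3 == "core" && $4 == "0" { ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# From /proc/cpuinfo on stdin and the machine type ($1, as from `uname -m`),
# report whether the CPU advertises nx and pae and whether kernel-PAE is needed:
# a 64-bit kernel already uses NX; a 32-bit kernel needs kernel-PAE, and only
# when the CPU has both flags.
cpu_nx_status() {
    awk -v arch="$1" '
        /^flags/ { for (i = 3; i <= NF; i++) f[$i] = 1 }
        END {
            nx  = ("nx"  in f) ? "nx=yes"  : "nx=no"
            pae = ("pae" in f) ? "pae=yes" : "pae=no"
            if (arch == "x86_64")                  need = "kernel-PAE=not-needed"
            else if (("nx" in f) && ("pae" in f))  need = "kernel-PAE=required"
            else                                   need = "kernel-PAE=unsupported"
            print nx, pae, need }'
}

# Live use (root):  sysctl -a | check_sysctls
#                   check_core_limit /etc/security/limits.conf
#                   cpu_nx_status "$(uname -m)" < /proc/cpuinfo
#                   dmesg | grep -i 'NX (Execute Disable) protection: active'
```

The dmesg line is the confirmation that matters for the BIOS row: the CPU flag can be present while firmware has NX switched off, and only the kernel's boot message shows that the protection is actually active.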
SELinuxSELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. | |||||||
Enable SELinuxEdit the file | |||||||
medium | CCE-26956-3 | Ensure SELinux Not Disabled in /etc/grub.conf | SELinux can be disabled at boot time by an argument in
| Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. | Pain | Humility | DISA CCI 22, 32 |
medium | CCE-26969-6 | Ensure SELinux State is Enforcing | The SELinux state should be set to | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | Overall Wellness | Kindness | DISA CCI 22, 32, 26 |
low | CCE-26875-5 | Configure SELinux Policy | The SELinux |
Setting the SELinux policy to | Bedwetting | Chastity | DISA CCI 22, 32 |
low | CCE-26991-0 | Enable the SELinux Context Restoration Service (restorecond) | The | The | Ingrown Toenails | Chastity | |
medium | ns | Ensure No Daemons are Unconfined by SELinux |
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the |
Daemons which run with the | Bad Breath | Temperance | |
low | CCE-26774-0 | Ensure No Device Files are Unlabeled by SELinux | Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type |
If a device file carries the SELinux type | Headache | Kindness | DISA CCI 22, 32 |
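The SELinux rows above each reduce to inspecting one file or one command's output. The following is an added example, not part of the guide: each function reads the file or output it is handed, so it can be run against the live system or against saved copies. Paths and type names are RHEL 6's (/etc/grub.conf, /etc/selinux/config, the initrc_t and device_t types); the default policy name targeted is this example's assumption, since the guide's own policy value is not on this page.

```shell
#!/bin/sh
# Added example, not from the guide: the SELinux checks of this section as
# functions that read the file or command output they are given, so they can
# be run against the live system or against saved copies.  Paths and types are
# RHEL 6's: /etc/grub.conf, /etc/selinux/config, the initrc_t and device_t types.

# Fail if any kernel line in grub.conf ($1) disables SELinux or forces permissive.
check_grub_selinux() {
    ! grep -E '^[[:space:]]*kernel[[:space:]].*(selinux=0|enforcing=0)' "$1" >/dev/null
}

# /etc/selinux/config ($1) must say SELINUX=enforcing and select the policy
# the site has chosen ($2; this example assumes targeted).
check_selinux_config() {
    grep -Eq '^SELINUX=enforcing$' "$1" && grep -Eq "^SELINUXTYPE=${2:-targeted}\$" "$1"
}

# Processes running in the initrc_t domain are unconfined daemons; feed the
# output of `ps -eZ` on stdin.  Prints them, exit 1 if any (the ps/grep/awk
# processes of the check itself are excluded).
unconfined_daemons() {
    awk '$1 ~ /:initrc_t:/ && $NF !~ /^(ps|grep|awk)$/ { print; n++ } END { exit n ? 1 : 0 }'
}

# Device nodes still carrying the generic device_t type; feed `ls -Z /dev`
# on stdin.  Prints their names, exit 1 if any.
unlabeled_devices() {
    awk '/:device_t:/ { print $NF; n++ } END { exit n ? 1 : 0 }'
}

# Live use (root):  check_grub_selinux /etc/grub.conf
#                   check_selinux_config /etc/selinux/config
#                   ps -eZ | unconfined_daemons
#                   ls -Z /dev | unlabeled_devices
# getenforce should print Enforcing.  restorecon -R -v /dev relabels any
# device_t node, and restorecond (chkconfig restorecond on) keeps it labeled.
```

A daemon listed by unconfined_daemons is usually one started by a local init script that has no policy module; the remedy is to write or install a module for it, not to leave it in initrc_t.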
Account and Access ControlIn traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under RHEL6. | |||||||
Protect Accounts by Restricting Password-Based LoginConventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the | |||||||
Restrict Root LoginsDirect root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use | |||||||
medium | CCE-26855-7 | Restrict Virtual Console Root Logins |
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in | Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. | Migraine | Kindness | NIST SP800-53 AC-6(2) DISA CCI 770 |
low | CCE-27047-0 | Restrict Serial Port Root Logins | To restrict root logins on serial ports,
ensure lines of this form do not appear in | Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. | Asthma | Temperance | NIST SP800-53 AC-6(2) DISA CCI 770 |
low | ns | Restrict Web Browser Use for Administrative Accounts | Enforce policy requiring administrative accounts use web browsers only for local service administration. | If a browser vulnerability is exploited while running with administrative privileges, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy. | Warts | Temperance | |
medium | CCE-26966-2 | Ensure that System Accounts Do Not Run a Shell Upon Login |
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
| Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. | Diabetes | Chastity | DISA CCI 178 |
medium | CCE-26971-2 | Verify Only Root Has UID 0 | If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. | Warts | Chastity | DISA CCI 366 |
low | ns | Root Path Must Be Vendor Default |
Assuming root shell is bash, edit the following files:
| The root account's executable search path must be the vendor default, and must contain only absolute paths. | Sty | Chastity | |
Verify Proper Storage and Existence of Password HashesBy default, password hashes for local accounts are stored in the second field (colon-separated) in | |||||||
high | CCE-27038-9 | Prevent Log In to Accounts With Empty Password | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | Anemia | Humility | NIST SP800-53 IA-5 |
medium | CCE-26476-2 | Verify All Account Password Hashes are Shadowed |
If any password hashes are stored in |
The hashes for all user account passwords should be stored in
the file | Motion Sickness | Temperance | NIST SP800-53 IA-5 DISA CCI 201 |
low | ns | All GIDs referenced in /etc/passwd must be defined in /etc/group | Add a group to the system for each GID referenced without a corresponding group. |
Inconsistency in GIDs between | Bruising | Charity | DISA CCI 366 |
medium | CCE-TODO | Verify No netrc Files Exist | The |
Unencrypted passwords for remote FTP servers may be stored in | Gallstones | Kindness | NIST SP800-53 IA-5 DISA CCI 196 |
Set Password Expiration ParametersThe file | |||||||
medium | CCE-27002-5 | Set Password Minimum Length in login.defs | To specify password length requirements for new accounts,
edit the file | Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. | Diaper Rash | Diligence | NIST SP800-53 IA-5 DISA CCI 205 |
medium | CCE-27013-2 | Set Password Minimum Age | To specify password minimum age for new accounts,
edit the file | Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. | Migraine | Diligence | NIST SP800-53 IA-5 DISA CCI 198 |
medium | CCE-26985-2 | Set Password Maximum Age | To specify password maximum age for new accounts,
edit the file | Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. | Pink Eye | Chastity | NIST SP800-53 IA-5 DISA CCI 180, 199 |
low | CCE-26988-6 | Set Password Warning Age | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file | Setting the password warning age enables users to make the change at a practical time. | Ingrown Toenails | Kindness | NIST SP800-53 IA-5 |
Set Account Expiration ParametersAccounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after inactivity can be set for all accounts by default and also on a per-account basis, such as for accounts that are known to be temporary. To configure automatic expiration of an account following the expiration of its password (that is, after the password has expired and not been changed), run the following command, substituting | |||||||
low | ns | Set Account Expiration Following Inactivity | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. | Dandruff | Humility | DISA CCI 16, 17, 795 |
low | ns | Ensure All Accounts on the System Have Unique Names | Change usernames, or delete accounts, so each has a unique name. | Unique usernames allow for accountability on the system. | Migraine | Humility | DISA CCI 770, 804 |
low | ns | Assign Expiration Date to Temporary Accounts |
In the event temporary or emergency accounts are required, configure the system
to terminate them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting |
When temporary and emergency accounts are created, there is a risk they may
remain in place and active after the need for them no longer exists. Account
expiration greatly reduces the risk of accounts being misused or hijacked.
| Red Eyes | Patience | DISA CCI 16, 1682 |
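The password and account expiration rows above set defaults for new accounts in /etc/login.defs and /etc/default/useradd, while existing accounts carry their own aging fields in /etc/shadow, so an audit has to look in both places. The following is an added example, not part of the guide: the login.defs keys (PASS_MIN_LEN, PASS_MIN_DAYS, PASS_MAX_DAYS, PASS_WARN_AGE), the INACTIVE key written by useradd -D -f, and the shadow field layout name:hash:lastchg:min:max:warn:inactive:expire are RHEL 6's; the numeric thresholds are parameters, because the guide's own values are not on this page and are site policy in any case.

```shell
#!/bin/sh
# Added example, not from the guide: aging checks for the rows above.  The
# login.defs keys and the shadow layout (name:hash:lastchg:min:max:warn:
# inactive:expire:reserved) are RHEL 6's; all thresholds are arguments.

# Compare the four PASS_* keys in login.defs ($1) with the policy:
# $2 = minimum PASS_MIN_LEN, $3 = minimum PASS_MIN_DAYS, $4 = maximum
# PASS_MAX_DAYS, $5 = minimum PASS_WARN_AGE.  One FAIL line per key, exit 1 if any.
check_login_defs() {
    awk -v minlen="$2" -v mind="$3" -v maxd="$4" -v warn="$5" '
        $1 !~ /^#/ { v[$1] = $2 }
        END {
            if (v["PASS_MIN_LEN"]  == "" || v["PASS_MIN_LEN"]  < minlen) { print "FAIL PASS_MIN_LEN",  v["PASS_MIN_LEN"];  bad++ }
            if (v["PASS_MIN_DAYS"] == "" || v["PASS_MIN_DAYS"] < mind)   { print "FAIL PASS_MIN_DAYS", v["PASS_MIN_DAYS"]; bad++ }
            if (v["PASS_MAX_DAYS"] == "" || v["PASS_MAX_DAYS"] > maxd)   { print "FAIL PASS_MAX_DAYS", v["PASS_MAX_DAYS"]; bad++ }
            if (v["PASS_WARN_AGE"] == "" || v["PASS_WARN_AGE"] < warn)   { print "FAIL PASS_WARN_AGE", v["PASS_WARN_AGE"]; bad++ }
            exit bad ? 1 : 0 }' "$1"
}

# Accounts in shadow ($1) that have a usable password (field 2 not empty and
# not locked with ! or *) but whose max-days exceeds $2 or min-days is below $3.
# login.defs only covers new accounts; these need `chage -M $2 -m $3 USER`.
shadow_aging_violations() {
    awk -F: -v maxd="$2" -v mind="$3" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 > maxd || $4 < mind) { print $1; n++ }
        END { exit n ? 1 : 0 }' "$1"
}

# /etc/default/useradd ($1) must set INACTIVE to a value from 0 to $2 days;
# -1 (the default) means accounts are never disabled after password expiry.
check_inactive_default() {
    awk -F= -v lim="$2" '$1 == "INACTIVE" { seen = 1; ok = ($2 >= 0 && $2 <= lim) }
                         END { exit (seen && ok) ? 0 : 1 }' "$1"
}

# Among the temporary accounts named in $2 (space separated), those whose
# shadow ($1) entry has no expiration date (field 8), i.e. `chage -E` was
# never run for them.
temp_accounts_without_expiry() {
    awk -F: -v names="$2" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && $8 == "" { print $1; bad++ }
        END { exit bad ? 1 : 0 }' "$1"
}

# Live use (root), with illustrative policy numbers:
#   check_login_defs /etc/login.defs 14 7 60 7
#   shadow_aging_violations /etc/shadow 60 7
#   check_inactive_default /etc/default/useradd 35
#   temp_accounts_without_expiry /etc/shadow "contractor1 vendor2"
```

Running shadow_aging_violations alongside check_login_defs matters because tightening login.defs changes nothing for accounts that already exist; chage -l USER shows the fields this function is reading.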
Protect Accounts by Configuring PAMPAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it should be configured to minimize exposure to unnecessary risk. This section contains guidance on how to accomplish that. | |||||||
Set Password Quality RequirementsThe default | |||||||
Set Password Quality Requirements, if using pam_cracklibThe | |||||||
low | CCE-26796-5 | Set Password Retry Prompts Permitted Per-Session | To configure the number of retry prompts that are permitted per-session:
| Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. | Alzheimer’s Disease | Kindness | NIST SP800-53 IA-5 DISA CCI 1092 |
low | CCE-TODO | Set Password to Maximum of Three Consecutive Repeating Characters | The pam_cracklib module's | Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. | Stinging Nettle | Humility | DISA CCI 366 |
low | CCE-26374-9 | Set Password Strength Minimum Digit Characters | The pam_cracklib module's | Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. | Sty | Kindness | DISA CCI 194 |
low | CCE-26601-5 | Set Password Strength Minimum Uppercase Characters | The pam_cracklib module's | Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. | Upset Stomach | Kindness | NIST SP800-53 IA-5 DISA CCI 192 |
low | CCE-26409-3 | Set Password Strength Minimum Special Characters | The pam_cracklib module's | Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. | Parkinson's Disease | Humility | NIST SP800-53 IA-5 DISA CCI 1619 |
low | CCE-26631-2 | Set Password Strength Minimum Lowercase Characters | The pam_cracklib module's | Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. | Pneumonia | Diligence | NIST SP800-53 IA-5 DISA CCI 193 |
low | CCE-26615-5 | Set Password Strength Minimum Different Characters | The pam_cracklib module's | Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. | Bruising | Kindness | NIST SP800-53 IA-5 DISA CCI 195 |
Set Lockouts for Failed Password AttemptsThe | |||||||
medium | CCE-26844-1 | Set Deny For Failed Password Attempts |
To configure the system to lock out accounts after a number of incorrect login
attempts using | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. | Diabetes | Chastity | NIST SP800-53 AC-7(a) DISA CCI 44 |
medium | CCE-3410-8 | Set Lockout Time For Failed Password Attempts |
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. | Pain | Temperance | NIST SP800-53 AC-7(b) DISA CCI 47 |
medium | CCE-3410-8 | Set Interval For Counting Failed Password Attempts |
To configure the system to lock out accounts after a number of incorrect login
attempts within a 15 minute interval using | Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks. | Muscle Soreness | Temperance | NIST SP800-53 AC-7(a) DISA CCI 1452 |
medium | CCE-26741-9 | Limit Password Reuse | Do not allow users to reuse recent passwords. This can
be accomplished by using the | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | Poison Ivy | Charity | NIST SP800-53 IA-5 DISA CCI 200 |
Set Password Hashing AlgorithmThe system's default algorithm for storing password hashes in | |||||||
medium | CCE-26303-8 | Set Password Hashing Algorithm in /etc/pam.d/system-auth |
In | Using a stronger hashing algorithm makes password cracking attacks more difficult. | Dehydration | Temperance | NIST SP800-53 IA-5 DISA CCI 803 |
medium | CCE-TODO | Set Password Hashing Algorithm in /etc/login.defs |
In | Using a stronger hashing algorithm makes password cracking attacks more difficult. | Bad Breath | Patience | NIST SP800-53 IA-5 DISA CCI 803 |
medium | CCE-TODO | Set Password Hashing Algorithm in /etc/libuser.conf |
In | Using a stronger hashing algorithm makes password cracking attacks more difficult. | Chickenpox | Patience | NIST SP800-53 IA-5 DISA CCI 803 |
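The PAM rows above all describe options on a handful of lines in /etc/pam.d/system-auth, plus two companion settings that keep tools outside PAM hashing passwords the same way. The following is an added example, not part of the guide, that audits a copy of system-auth for them. The module and option names (pam_cracklib retry, maxrepeat, dcredit, ucredit, ocredit, lcredit and difok; pam_faillock deny, unlock_time and fail_interval; pam_unix remember and sha512; ENCRYPT_METHOD in login.defs and crypt_style in libuser.conf) are the RHEL 6 spellings; the numeric thresholds at the top are this example's choice and stand in for site policy, which this page does not state.

```shell
#!/bin/sh
# Added example, not from the guide: audit a copy of /etc/pam.d/system-auth
# for the pam_cracklib, pam_faillock and pam_unix settings in the rows above,
# plus the hashing algorithm in login.defs and libuser.conf.  Module and option
# names are RHEL 6's; the thresholds below are this example's, not the guide's.

CRACKLIB_RETRY_MAX=3; CRACKLIB_MAXREPEAT_MAX=3; CRACKLIB_DIFOK_MIN=4
FAILLOCK_DENY_MAX=3;  FAILLOCK_UNLOCK_MIN=604800; FAILLOCK_INTERVAL_MIN=900
UNIX_REMEMBER_MIN=5

# Print the value of option $3 on the first line of type $1 that loads module
# $2 from the PAM file on stdin: "set" for a bare flag, nothing if absent.
pam_opt() {
    awk -v t="$1" -v m="$2" -v o="$3" '
        $1 == t {
            for (j = 2; j <= NF; j++) if ($j == m ".so") break
            if (j > NF) next
            for (i = j + 1; i <= NF; i++) {
                if ($i == o) { print "set"; exit }
                if (index($i, o "=") == 1) { print substr($i, length(o) + 2); exit }
            }
        }'
}

# Helper: $1 label, $2 actual value (may be empty), $3 test operator, $4 wanted.
req() {
    if [ -z "$2" ] || ! [ "$2" "$3" "$4" ]; then
        printf 'FAIL %s: have "%s", want %s %s\n' "$1" "$2" "$3" "$4"
        return 1
    fi
}

# Audit system-auth ($1); one FAIL line per deviation, exit 1 if any.
check_system_auth() {
    f=$1; bad=0
    req cracklib.retry     "$(pam_opt password pam_cracklib retry     < "$f")" -le "$CRACKLIB_RETRY_MAX"     || bad=1
    req cracklib.maxrepeat "$(pam_opt password pam_cracklib maxrepeat < "$f")" -le "$CRACKLIB_MAXREPEAT_MAX" || bad=1
    for c in dcredit ucredit ocredit lcredit; do   # a negative credit is a required minimum count
        req "cracklib.$c" "$(pam_opt password pam_cracklib "$c" < "$f")" -le -1 || bad=1
    done
    req cracklib.difok         "$(pam_opt password pam_cracklib difok < "$f")"     -ge "$CRACKLIB_DIFOK_MIN"    || bad=1
    req faillock.deny          "$(pam_opt auth pam_faillock deny < "$f")"          -le "$FAILLOCK_DENY_MAX"     || bad=1
    req faillock.unlock_time   "$(pam_opt auth pam_faillock unlock_time < "$f")"   -ge "$FAILLOCK_UNLOCK_MIN"   || bad=1
    req faillock.fail_interval "$(pam_opt auth pam_faillock fail_interval < "$f")" -ge "$FAILLOCK_INTERVAL_MIN" || bad=1
    req unix.remember          "$(pam_opt password pam_unix remember < "$f")"      -ge "$UNIX_REMEMBER_MIN"     || bad=1
    req unix.sha512            "$(pam_opt password pam_unix sha512 < "$f")"        =   set                      || bad=1
    return $bad
}

# login.defs ($1) must select SHA512 and libuser.conf ($2) crypt_style sha512,
# so passwords set by passwd/useradd and by libuser tools hash the same way.
check_hash_algorithm() {
    grep -Eq '^[[:space:]]*ENCRYPT_METHOD[[:space:]]+SHA512' "$1" &&
    grep -Eiq '^[[:space:]]*crypt_style[[:space:]]*=[[:space:]]*sha512' "$2"
}

# Live use (root):  check_system_auth /etc/pam.d/system-auth
#                   check_hash_algorithm /etc/login.defs /etc/libuser.conf
```

pam_opt reads the first matching line only; pam_faillock appears twice (preauth and authfail) and both lines must carry identical deny, unlock_time and fail_interval values, so run the faillock checks a second time against the file with the preauth line removed if you want that confirmed. On RHEL 6 the same options are normally mirrored in /etc/pam.d/password-auth, which should be audited the same way.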
Secure Session Configuration Files for Login AccountsWhen a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissions as a result of user error or misconfiguration. If an attacker can modify or even read certain types of account configuration information, they can often gain full access to the affected user's account. Therefore, it is important to test and correct configuration file permissions for interactive accounts, particularly those of privileged users such as root or system administrators. | |||||||
low | ns | Limit the Number of Concurrent Login Sessions Allowed Per User |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. | Influenza | Humility | DISA CCI 54 |
Ensure that No Dangerous Directories Exist in Root's PathThe active path of the root account can be obtained by starting a new root shell and running: | |||||||
low | CCE-26826-8 | Ensure that Root's Path Does Not Include Relative Paths or Null Directories |
Ensure that none of the directories in root's path is equal to a single
| Including these entries increases the risk that root could execute code from an untrusted location. | Cramps | Diligence | |
low | CCE-26768-2 | Ensure that Root's Path Does Not Include World or Group-Writable Directories |
For each element in root's path, run:
| Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code. | Poison Sumac | Chastity | |
low | CCE-26981-1 | Ensure that User Home Directories are not Group-Writable or World-Readable | For each human user USER of the system, view the
permissions of the user's home directory:
| User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs. | Hiccups | Patience | |
Ensure that Users Have Sensible Umask ValuesThe umask setting controls the default permissions for the creation of new files. With a default | |||||||
low | CCE-26917-5 | Ensure the Default Bash Umask is Set Correctly |
To ensure the default umask for users of the Bash shell is set properly,
add or correct the | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. | Sunburn Skin | Diligence | DISA CCI 366 |
low | CCE-27034-8 | Ensure the Default C Shell Umask is Set Correctly |
To ensure the default umask for users of the C shell is set properly,
add or correct the | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. | Dehydration | Kindness | DISA CCI 366 |
low | CCE-26669-2 | Ensure the Default Umask is Set Correctly in /etc/profile |
To ensure the default umask controlled by | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. | Halitosis | Chastity | DISA CCI 366 |
low | CCE-26371-5 | Ensure the Default Umask is Set Correctly in login.defs |
To ensure the default umask controlled by | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users. | Diabetes | Patience | DISA CCI 366 |
Protect Physical Console AccessIt is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some steps which, if taken, make it more difficult for an attacker to quickly or undetectably modify a system from its console. | |||||||
Set Boot Loader PasswordDuring the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly on different partitions or media. The default RHEL boot loader for x86 systems is called GRUB. Options it can pass to the kernel include | |||||||
medium | CCE-26995-1 | Verify /etc/grub.conf User Ownership | The file | Only root should be able to modify important boot parameters. | Stinging Nettle | Temperance | DISA CCI 225 |
medium | CCE-27022-3 | Verify /etc/grub.conf Group Ownership | The file |
The | Pink Eye | Diligence | DISA CCI 225 |
medium | CCE-26949-8 | Verify /etc/grub.conf Permissions | File permissions for | Proper permissions ensure that only the root user can modify important boot parameters. | High Cholesterol | Charity | DISA CCI 225 |
medium | CCE-26911-8 | Set Boot Loader Password | The grub boot loader should have password protection
enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running the following command:
| Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | Poison Oak | Temperance | NIST SP800-53 IA-5 DISA CCI 213 |
medium | CCE-27040-5 | Require Authentication for Single User Mode | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
| This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | Muscle Cramping | Chastity | NIST SP800-53 IA-5 DISA CCI 213 |
high | ns | Disable Ctrl-Alt-Del Reboot Activation |
By default, the system includes the following line in
| A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Del sequence is reduced because the user will be prompted before any action is taken. | Fungal Infections | Patience | |
medium | CCE-27043-9 | Disable Interactive Boot |
To disable the ability for users to perform interactive startups,
edit the file | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. | Pneumonia | Patience | DISA CCI 213 |
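The boot loader and console rows above can be checked from three files. The following is an added example, not part of the guide; each function takes a path so it runs against /etc/grub.conf, /etc/sysconfig/init and /etc/init/control-alt-delete.conf or against copies. The expected contents are RHEL 6's and are this example's assumptions rather than text from this page: a password line of the form password --md5 HASH or password --encrypted HASH placed before the first title stanza (on RHEL 6 the hash comes from grub-crypt), SINGLE=/sbin/sulogin and PROMPT=no in sysconfig/init, and a control-alt-delete.conf that does not exec shutdown.

```shell
#!/bin/sh
# Added example, not from the guide: checks for the boot-loader and console
# rows above, taking file paths so they run against /etc/grub.conf,
# /etc/sysconfig/init and /etc/init/control-alt-delete.conf or against copies.
# Expected contents are RHEL 6's: a "password --md5|--encrypted HASH" line
# before the first title (hash from grub-crypt), SINGLE=/sbin/sulogin and
# PROMPT=no in sysconfig/init, and no shutdown exec on Ctrl-Alt-Del.

# grub.conf ($1): mode 0600 and a hashed password line before the first title
# (a password line after a title only protects that one entry).
check_grub_conf() {
    f=$1; bad=0
    set -- $(ls -ld "$f")                      # first field is the mode string
    case "$1" in
        -rw-------*) ;;                        # a trailing "." or "+" marks SELinux/ACL data
        *) printf 'grub.conf mode is %s, want 0600\n' "$1"; bad=1 ;;
    esac
    awk '/^[[:space:]]*title/ { exit }
         /^[[:space:]]*password[[:space:]]+--(md5|encrypted)[[:space:]]+/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$f" ||
        { printf 'no hashed password line before the first title\n'; bad=1; }
    return $bad
}

# grub.conf ($1) must be owned by uid 0 and gid 0 (ls -n prints numeric ids).
check_grub_owner() {
    set -- $(ls -ldn "$1")
    [ "$3" = 0 ] && [ "$4" = 0 ]
}

# /etc/sysconfig/init ($1): sulogin for single-user mode, no interactive boot.
check_sysconfig_init() {
    bad=0
    grep -Eq '^SINGLE=/sbin/sulogin$' "$1" || { printf 'SINGLE is not /sbin/sulogin\n'; bad=1; }
    grep -Eq '^PROMPT=no$' "$1"            || { printf 'PROMPT is not no: interactive boot allowed\n'; bad=1; }
    return $bad
}

# control-alt-delete.conf ($1) must not exec a shutdown or reboot; the hardened
# file logs the key press instead (exec /usr/bin/logger ...).
check_ctrl_alt_del() {
    ! grep -Eq '^[[:space:]]*exec[[:space:]].*(shutdown|reboot|init[[:space:]]+6)' "$1"
}

# Live use (root):  check_grub_conf /etc/grub.conf && check_grub_owner /etc/grub.conf
#                   check_sysconfig_init /etc/sysconfig/init
#                   check_ctrl_alt_del /etc/init/control-alt-delete.conf
```

The position check in check_grub_conf is deliberate: GRUB applies a password line in the global section to the menu as a whole (editing entries, the command line), whereas one inside a title stanza only locks that entry, so a misplaced line passes a plain grep for "password" while leaving the editor open.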
Configure Screen LockingWhen a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for screen locking to be effective, and policies can be implemented to reinforce this. | |||||||
Configure GUI Screen LockingIn the default GNOME desktop, the screen can be locked by choosing | |||||||
medium | CCE-26828-4 | Set GNOME Login Inactivity Timeout |
Run the following command to set the idle time-out value for
inactivity in the GNOME desktop to 15 minutes:
| Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby. | Diabetes | Temperance | NIST SP800-53 AC-11(a) DISA CCI 57 |
medium | CCE-26600-7 | GNOME Desktop Screensaver Mandatory Use |
Run the following command to activate the screensaver
in the GNOME desktop after a period of inactivity:
| Enabling idle activation of the screen saver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. | Muscle Aches | Patience | NIST SP800-53 AC-11(a) DISA CCI 57 |
medium | CCE-26235-2 | Enable Screen Lock Activation After Idle Period |
Run the following command to activate locking of the screensaver
in the GNOME desktop when it is activated:
| Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby. | Psoriasis | Charity | NIST SP800-53 AC-11(a) DISA CCI 57 |
low | CCE-26638-7 | Implement Blank Screen Saver |
Run the following command to set the screensaver mode
in the GNOME desktop to a blank screen:
| Setting the screensaver mode to blank-only conceals the contents of the display from passersby. | Red Eyes | Temperance | NIST SP800-53 AC-11(b) DISA CCI 60 |
Configure Console Screen LockingA console screen locking mechanism is provided in the | |||||||
low | CCE-26940-7 | Install the screen Package |
To enable console screen locking, install the |
Installing | | | DISA CCI 58 |
Hardware Tokens for AuthenticationThe use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username/password. In Red Hat Enterprise Linux servers and workstations, hardware token login is not enabled by default and must be enabled in the system settings. | |||||||
medium | ns | Enable Smart Card Login |
To enable smart card authentication, consult the documentation at:
| Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials. | | | DISA CCI 765, 766, 767, 768, 771, 772, 884 |
Warning Banners for System AccessesEach system should expose as little information about itself as possible. | |||||||
medium | CCE-26974-6 | Modify the System Login Banner |
To configure the system login banner:
| An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. | | | DISA CCI 48, 1384, 1385, 1386, 1387, 1388 |
Implement a GUI Warning BannerIn the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager (GDM). The warning banner should be displayed in this graphical environment for these users. The following sections describe how to configure the GDM login banner. | |||||||
medium | CCE-27195-7 | Enable GUI Warning Banner |
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, run the following command:
| An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. | | | DISA CCI 48, 50 |
medium | CCE-27017-3 | Set GUI Warning Banner Text |
To set the text shown by the GNOME Display Manager
in the login screen, run the following command:
| An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. | | | DISA CCI 48, 1384, 1385, 1386, 1387, 1388 |
low | CCE-TODO | Disable the User List | In the default graphical environment, users logging
directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled.
| Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. | | | NIST SP800-53 AC-23 |
Network Configuration and FirewallsMost machines must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking which must be made when configuring a system. | |||||||
Disable Unused InterfacesNetwork interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled. | |||||||
low | CCE-27151-0 | Disable Zeroconf Networking | Zeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in | Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server. | | | NIST SP800-53 CM-7 |
low | CCE-27152-8 | Ensure System is Not Acting as a Network Sniffer | The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
| If any results are returned, then a sniffing process (such as tcpdump or Wireshark) is likely to be using the interface and this should be investigated. | | | |
Kernel Parameters Which Affect NetworkingThe | |||||||
Network Parameters for Hosts OnlyIf the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic. | |||||||
medium | CCE-27001-7 | Disable Kernel Parameter for Sending ICMP Redirects by Default |
To set the runtime status of the | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. | | | DISA CCI 1551 |
medium | CCE-27004-1 | Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces |
To set the runtime status of the | Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for routers. | | | NIST SP800-53 CM-7 DISA CCI 1551 |
medium | CCE-26866-4 | Disable Kernel Parameter for IP Forwarding |
To set the runtime status of the | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for routers. | | | DISA CCI 366 |
Network Related Kernel Runtime Parameters for Hosts and RoutersCertain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability to defend against certain types of IPv4 protocol attacks. | |||||||
medium | CCE-27037-1 | Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces |
To set the runtime status of the | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. | | | NIST SP800-53 CM-7 DISA CCI 1551 |
medium | CCE-27027-2 | Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces |
To set the runtime status of the | Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. | | | NIST SP800-53 CM-7 DISA CCI 1503, 1551 |
medium | CCE-26854-0 | Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces |
To set the runtime status of the | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. | | | DISA CCI 1503, 1551 |
low | CCE-27066-0 | Enable Kernel Parameter to Log Martian Packets |
To set the runtime status of the | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. | | | DISA CCI 126 |
medium | CCE-26983-7 | Disable Kernel Parameter for Accepting Source-Routed Packets By Default |
To set the runtime status of the | Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. | | | DISA CCI 1551 |
low | CCE-27015-7 | Disable Kernel Parameter for Accepting ICMP Redirects By Default |
To set the runtime status of the | This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. | | | DISA CCI 1551 |
medium | CCE-26831-8 | Disable Kernel Parameter for Accepting Secure Redirects By Default |
To set the runtime status of the | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. | | | DISA CCI 1551 |
low | CCE-26883-9 | Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests |
To set the runtime status of the | Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. | | | DISA CCI 1551 |
low | CCE-26993-6 | Enable Kernel Parameter to Ignore Bogus ICMP Error Responses |
To set the runtime status of the | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. | | | |
medium | CCE-27053-8 | Enable Kernel Parameter to Use TCP Syncookies |
To set the runtime status of the | A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. | | | NIST SP800-53 AC-4 DISA CCI 1092, 1095 |
medium | CCE-26979-5 | Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces |
To set the runtime status of the | Enabling reverse path filtering drops packets whose source addresses could not legitimately have arrived on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | | | DISA CCI 1551 |
medium | CCE-26915-9 | Enable Kernel Parameter to Use Reverse Path Filtering by Default |
To set the runtime status of the | Enabling reverse path filtering drops packets whose source addresses could not legitimately have arrived on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | | | |
Wireless NetworkingWireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless networking hardware is much more likely to be included in laptop or portable systems than desktops or servers. | |||||||
Disable Wireless Through Software ConfigurationIf it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless networking, but note that these methods do not prevent malicious software or careless users from re-activating the devices. | |||||||
low | CCE-26878-9 | Disable WiFi or Bluetooth BIOS | Some systems that include built-in wireless support offer the ability to disable the device through the BIOS. This is system-specific; consult your hardware manual or explore the BIOS setup during boot. | Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first. | | | DISA CCI 85 |
low | CCE-27057-9 | Deactivate Wireless Network Interfaces | Deactivating wireless network interfaces should prevent
normal usage of the wireless capability.
| Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind. | | | DISA CCI 85 |
medium | CCE-27081-9 | Disable Bluetooth Service |
The | Disabling the | | | DISA CCI 85, 1551 |
medium | CCE-26763-3 | Disable Bluetooth Kernel Modules | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. | | | DISA CCI 85, 1551 |
IPv6The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important feature is its support for automatic configuration of many network settings. | |||||||
Disable Support for IPv6 unless NeededDespite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively prevent execution of the IPv6 networking stack is to instruct the system not to activate the IPv6 kernel module. | |||||||
medium | CCE-27153-6 | Disable IPv6 Networking Support Automatic Loading | To prevent the IPv6 kernel module ( | Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. | | | NIST SP800-53 CM-7 DISA CCI 1551 |
low | CCE-TODO | Disable Interface Usage of IPv6 | To prevent configuration of IPv6 for all interfaces, add or
correct the following lines in | | | NIST SP800-53 CM-7 | |
low | CCE-TODO | Disable Support for RPC IPv6 | RPC services for NFSv4 try to load transport modules for
| | | NIST SP800-53 CM-7 | |
Configure IPv6 Settings if NecessaryA major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually configuring important configuration information is preferable to accepting it from the network in an unauthenticated fashion. | |||||||
Disable Automatic ConfigurationDisable the system's acceptance of router advertisements and redirects by adding or correcting the following line in | |||||||
low | CCE-27164-3 | Disable Accepting IPv6 Router Advertisements |
To set the runtime status of the | An illicit router advertisement message could result in a man-in-the-middle attack. | | | NIST SP800-53 CM-7 |
medium | CCE-27166-8 | Disable Accepting IPv6 Redirects |
To set the runtime status of the | An illicit ICMP redirect message could result in a man-in-the-middle attack. | | | NIST SP800-53 CM-7 DISA CCI 1551 |
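Added example, not from the guide, serving both the IPv4 items under "Kernel Parameters Which Affect Networking" and the two IPv6 items just above: a shell check that compares the recommended kernel parameters with the values a host reports. The sysctl key names are the standard Linux names for the settings the item titles describe, and the 0/1 targets follow each title; both are this example's assumptions, since the page does not print them.

```shell
#!/bin/sh
# Added example (not from the guide): compare the kernel network parameters
# recommended in this guide against the values a host reports. Key names are
# the standard Linux sysctl names for the settings the item titles describe;
# the 0/1 targets follow each title ("Disable ..." = 0, "Enable ..." = 1).
# Both are this example's assumptions. Drop the rp_filter lines on routers
# serving complicated networks, as the rationale for those items advises.
EXPECTED_SYSCTLS='
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
'

# check_sysctl_lines: read "key = value" lines on stdin (the format printed by
# `sysctl -a`, also used in /etc/sysctl.conf), print one line for every
# expected parameter that is absent or has the wrong value, and return the
# number of such deviations (0 means every recommendation is met). When the
# input carries no net.ipv6.* keys at all, the IPv6 stack is not loaded (see
# "Disable IPv6 Networking Support Automatic Loading") and those keys are
# skipped rather than reported as missing.
check_sysctl_lines() {
    _input=$(cat)
    _bad=0
    _ipv6=$(printf '%s\n' "$_input" | grep -c '^[[:space:]]*net\.ipv6\.' || true)
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        case $_key in
            net.ipv6.*) [ "$_ipv6" -gt 0 ] || continue ;;
        esac
        # Escape the dots so the key matches literally; take the value after
        # "=" and keep the last match, as sysctl does when a key repeats.
        _pat=$(printf '%s' "$_key" | sed 's/\./\\./g')
        _have=$(printf '%s\n' "$_input" \
            | sed -n "s/^[[:space:]]*$_pat[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
            | tail -n 1)
        if [ -z "$_have" ]; then
            echo "MISSING  $_key (expected $_want)"
            _bad=$((_bad + 1))
        elif [ "$_have" != "$_want" ]; then
            echo "MISMATCH $_key = $_have (expected $_want)"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$EXPECTED_SYSCTLS
EOF
    return $_bad
}

# audit_live_sysctls: run the same check against the running kernel.
audit_live_sysctls() {
    sysctl -a 2>/dev/null | check_sysctl_lines
}

# Constructed sample in `sysctl -a` form, standing in for a real host: IPv6 is
# not loaded, two IPv4 parameters deviate, and tcp_syncookies is absent.
SAMPLE_SYSCTL_OUTPUT='net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
'
rc=0
printf '%s' "$SAMPLE_SYSCTL_OUTPUT" | check_sysctl_lines || rc=$?
echo "deviations: $rc"    # 3 for the sample above
```

Run `audit_live_sysctls` on a host to check the running kernel; feeding `/etc/sysctl.conf` to `check_sysctl_lines` instead checks what will be applied at boot.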
low | CCE-TODO | Manually Assign Global IPv6 Address | To manually assign an IP address for an interface, edit the
file | | | ||
low | CCE-27154-4 | Use Privacy Extensions for Address | To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
| | | ||
low | CCE-TODO | Manually Assign IPv6 Router Address | Edit the file
| | | ||
low | CCE-27163-5 | Limit Network-Transmitted Configuration | Add the following lines to | | | NIST SP800-53 CM-7 | |
IPTables and Ip6tablesA host-based firewall called Netfilter is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program iptables, and the entire capability is frequently referred to by this name. An analogous program called ip6tables handles filtering for IPv6. | |||||||
Inspect and Activate Default RulesView the currently-enforced iptables rules by running the command: | |||||||
medium | CCE-27006-6 | Verify ip6tables Enabled |
The | The | | | DISA CCI 32, 66, 1115, 1118, 1092, 1117, 1098, 1100, 1097, 1414 |
medium | CCE-27018-1 | Verify iptables Enabled |
The |
The | | | DISA CCI 32, 66, 1115, 1118, 1092, 1117, 1098, 1100, 1097, 1414 |
Strengthen the Default RulesetThe default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files iptables and ip6tables in the directory | |||||||
medium | CCE-26444-0 | Set Default IPTables Policy for Incoming Packets | To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
| In | | | NIST SP800-53 CM-7 DISA CCI 66, 1109, 1154, 1414 |
medium | CCE-27186-6 | Set Default IPTables Policy for Forwarded Packets | To set the default policy to DROP (instead of ACCEPT) for
the built-in FORWARD chain which processes packets that will be forwarded from
one interface to another,
add or correct the following line in
| In | | | NIST SP800-53 CM-7 DISA CCI 1109 |
low | ns | Restrict ICMP Message Types | In | Restricting other ICMPv6 message types in | | | NIST SP800-53 CM-7 |
low | ns | Log and Drop Packets with Suspicious Source Addresses | Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the
modified policy will reject non-matching packets, you only need to add these rules if you are interested in also
logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious
traffic, add identical rules with a target of DROP after each LOG.
To log and then drop these IPv4 packets, insert the following rules in | | | ||
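Added example, not from the guide: an awk-based check of an iptables rules file in the format written by iptables-save (the format of /etc/sysconfig/iptables) for the two default-policy items above and for the LOG-then-DROP pairing described in the last item. The sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): check an iptables rules file in the
# format saved by iptables-save (as used by /etc/sysconfig/iptables) for the
# recommendations above: DROP policy on the filter table's INPUT and FORWARD
# chains, and a DROP rule with an identical match immediately after every
# LOG rule, so that logged packets are actually dropped.

# check_iptables_rules: read the rules file on stdin, print one line per
# finding, and return the number of findings (0 = all checks passed).
check_iptables_rules() {
    awk '
        BEGIN { bad = 0; pending = "" }
        /^\*/     { table = substr($0, 2); next }   # "*filter", "*nat", ...
        /^COMMIT/ { table = ""; next }
        table != "filter" { next }                  # policies of other tables are not in scope
        $1 == ":INPUT" || $1 == ":FORWARD" {
            if ($2 != "DROP") { printf "policy %s is %s, expected DROP\n", substr($1, 2), $2; bad++ }
            seen[$1] = 1
            next
        }
        /^-A / {
            j = index($0, " -j ")
            if (j == 0) next
            m = substr($0, 1, j - 1)                # chain plus match, e.g. "-A INPUT -s 127.0.0.0/8"
            split(substr($0, j + 4), t, " ")
            target = t[1]
            if (pending != "") {                    # previous rule was LOG: this one must be its DROP twin
                if (target != "DROP" || m != pending) {
                    printf "LOG rule not followed by identical DROP: %s\n", pending; bad++
                }
                pending = ""
            }
            if (target == "LOG") pending = m
            next
        }
        END {
            if (pending != "") { printf "LOG rule not followed by identical DROP: %s\n", pending; bad++ }
            if (!(":INPUT" in seen))   { print "no INPUT policy line in filter table"; bad++ }
            if (!(":FORWARD" in seen)) { print "no FORWARD policy line in filter table"; bad++ }
            exit bad
        }
    '
}

# Constructed sample rules file: FORWARD still defaults to ACCEPT, and the
# second LOG rule has no matching DROP after it, so the check reports 2.
SAMPLE_IPTABLES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix "SPOOFED_SRC "
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "SPOOFED_SRC "
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

rc=0
printf '%s\n' "$SAMPLE_IPTABLES" | check_iptables_rules || rc=$?
echo "findings: $rc"
# On a real host: check_iptables_rules < /etc/sysconfig/iptables
```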
Secure Sockets Layer SupportThe Secure Sockets Layer (SSL) protocol provides encrypted and authenticated network communications, and many network services include support for it. Using SSL is recommended, especially to avoid any plaintext transmission of sensitive data, even over a local network. The SSL implementation included with the system is called OpenSSL. Recent implementations of SSL may also be referred to as Transport Layer Security (TLS). SSL uses public key cryptography to provide authentication and encryption. | |||||||
Create a CA to Sign CertificatesThe following instructions apply to OpenSSL since it is included with the system, but creating a CA is possible with any standards-compliant SSL toolkit. The security of certificates depends on the security of the CA that signed them, so performing these steps on a secure machine is critical. The system used as a CA should be physically secure and not connected to any network. It should receive any certificate signing requests (CSRs) via removable media and output certificates onto removable media. | |||||||
Create SSL Certificates for ServersCreating an SSL certificate for a server involves the following steps: | |||||||
Enable Client SupportThe system ships with certificates from well-known commercial CAs. If your server certificates were signed by one of these established CAs, then this step is not necessary since the clients should include the CA certificate already. If your servers use certificates signed by your own CA, some user applications will warn that the server's certificate cannot be verified because the CA is not recognized. Other applications may simply fail to accept the certificate and refuse to operate, or continue operating without ever having properly verified the server certificate. To avoid this warning, and properly authenticate the servers, your CA certificate must be exported to every application on every client system that will be connecting to an SSL-enabled server. | |||||||
Adding a Trusted CA for FirefoxTo import a new CA certificate into Firefox: | |||||||
Adding a Trusted CA for ThunderbirdTo import a new CA certificate into Thunderbird: | |||||||
Adding a Trusted CA for EvolutionTo import a new CA certificate into Evolution: | |||||||
Remove Certificate Authorities, if AppropriateSurvey the certificate authorities trusted by Firefox, Thunderbird, Evolution, or other network clients. The list of certificate authorities for each program can be found via GUI, as described in the previous sections. Remove the certificate authorities which are not appropriate for your network connectivity needs. This may only make sense for some environments, and may create operational problems for a general purpose Internet-connected system. | |||||||
Uncommon Network ProtocolsThe system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic. Ensuring uncommon network protocols are disabled reduces the system's risk to attacks targeted at its implementation of those protocols. | |||||||
medium | CCE-26448-1 | Disable DCCP Support |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the | Disabling DCCP protects the system against exploitation of any flaws in its implementation. | | | NIST SP800-53 CM-7 DISA CCI 382 |
medium | CCE-26410-1 | Disable SCTP Support |
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the | Disabling SCTP protects the system against exploitation of any flaws in its implementation. | | | NIST SP800-53 CM-7 DISA CCI 382 |
low | CCE-26239-4 | Disable RDS Support |
The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high-bandwidth,
low-latency communications between nodes in a cluster.
To configure the system to prevent the | Disabling RDS protects the system against exploitation of any flaws in its implementation. | | | NIST SP800-53 CM-7 DISA CCI 382 |
medium | CCE-26696-5 | Disable TIPC Support |
The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the | Disabling TIPC protects the system against exploitation of any flaws in its implementation. | | | NIST SP800-53 CM-7 DISA CCI 382 |
IPSec SupportSupport for Internet Protocol Security (IPsec) is provided in RHEL 6 with Openswan. | |||||||
low | ns | Install openswan Package | The Openswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks.
The | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. | | | DISA CCI 1130, 1131 |
Configure SyslogThe syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lack of authentication, encryption, or reliable transport for messages sent over a network. However, due to its long history, syslog is a de facto standard which is supported by almost all Unix applications. | |||||||
medium | CCE-26809-4 | Ensure rsyslog is Installed |
Rsyslog is installed by default.
The | The rsyslog package provides the rsyslog daemon, which provides system logging services. | | | NIST SP800-53 AU-9 DISA CCI 1311, 1312 |
medium | CCE-26807-8 | Enable rsyslog Service | The | The | | | NIST SP800-53 AU-12 DISA CCI 1557, 1312, 1311 |
Ensure Proper Configuration of Log FilesThe file | |||||||
low | CCE-26818-5 | Ensure Log Files Exist |
The log files written by | If a log file referenced by rsyslog does not exist, rsyslog will not create it and important log messages can be lost. | | | |
medium | CCE-26812-8 | Ensure Log Files Are Owned By Appropriate User | The owner of all log files written by
| The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. | | | NIST SP800-53 AC-6 DISA CCI 1314 |
medium | CCE-26821-9 | Ensure Log Files Are Owned By Appropriate Group | The group-owner of all log files written by
| The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. | | | NIST SP800-53 AC-6 DISA CCI 1314 |
medium | CCE-27190-8 | Ensure System Log Files Have Correct Permissions | The file permissions for all log files written by
rsyslog should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
| Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value. | | | DISA CCI 1314 |
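Added example, not from the guide, covering the four log-file items above: derive the local log files from the second field of each rule line of an rsyslog configuration, then verify that each exists, is owned by the expected user and group, and is mode 600 or stricter. The expected owner and group of root are this example's assumption (the page does not print the guide's values) and can be overridden.

```shell
#!/bin/sh
# Added example (not from the guide). Expected owner and group of rsyslog log
# files; "root" is this example's assumption, override via the environment.
LOG_OWNER=${LOG_OWNER:-root}
LOG_GROUP=${LOG_GROUP:-root}

# rsyslog_log_files: print the local log file named by each rule line of an
# rsyslog configuration read on stdin. Comments, blank lines, $-directives,
# and targets that are not local files (remote hosts "@host", user terminals
# "*", named pipes "|/path") are skipped; a leading "-" (asynchronous write)
# is stripped from the path.
rsyslog_log_files() {
    awk '
        /^[[:space:]]*(#|\$)/ || NF < 2 { next }
        $2 ~ /^-?\// { sub(/^-/, "", $2); print $2 }
    ' | sort -u
}

# check_log_file PATH: report when the file is missing, is not owned by
# LOG_OWNER:LOG_GROUP, or is more permissive than mode 600 (any permission
# bit outside the owner's read/write bits). Returns the number of findings.
check_log_file() {
    _f=$1
    _bad=0
    if [ ! -e "$_f" ]; then
        echo "MISSING $_f"
        return 1
    fi
    set -- $(stat -c '%U %G %a' "$_f")   # owner, group, octal mode (GNU stat)
    if [ "$1" != "$LOG_OWNER" ]; then
        echo "OWNER   $_f is $1, expected $LOG_OWNER"; _bad=$((_bad + 1))
    fi
    if [ "$2" != "$LOG_GROUP" ]; then
        echo "GROUP   $_f is $2, expected $LOG_GROUP"; _bad=$((_bad + 1))
    fi
    # 3711 = 07777 minus 0600: every permission bit except owner read/write.
    _mode=$(printf '%d' "0$3")
    if [ $((_mode & 3711)) -ne 0 ]; then
        echo "MODE    $_f is $3, expected 600 or stricter"; _bad=$((_bad + 1))
    fi
    return $_bad
}

# check_rsyslog_conf: read an rsyslog configuration on stdin and check every
# local log file it names. Returns the total number of findings.
check_rsyslog_conf() {
    _total=0
    for _path in $(rsyslog_log_files); do
        check_log_file "$_path" || _total=$((_total + $?))
    done
    return $_total
}

# On a real host: check_rsyslog_conf < /etc/rsyslog.conf
```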
Rsyslog Logs Sent To Remote HostIf system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a machine may delete the log entries which indicate that the system was attacked before they are seen by an administrator. | |||||||
low | CCE-26801-1 | Ensure Logs Sent To Remote Host |
To configure rsyslog to send logs to a remote log server,
open | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. | | | DISA CCI 1348, 136 |
Configure rsyslogd to Accept Remote Messages If Acting as a Log ServerBy default, RHEL6's | |||||||
low | CCE-26803-7 | Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server | The | Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. | | | NIST SP800-53 AU-9 |
low | CCE-TODO | Enable rsyslog to Accept Messages via TCP, if Acting As Log Server | The | If the system needs to act as a log server, this ensures that it can receive messages over a reliable TCP connection. | | | NIST SP800-53 AU-9 |
low | CCE-TODO | Enable rsyslog to Accept Messages via UDP, if Acting As Log Server | The | Many devices, such as switches, routers, and other Unix-like systems, may only support the traditional syslog transmission over UDP. If the system must act as a log server, this enables it to receive their messages as well. | | | NIST SP800-53 AU-9 |
Ensure All Logs are Rotated by logrotateEdit the file | |||||||
low | CCE-27014-0 | Ensure Logrotate Runs Periodically | The | Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. | | | NIST SP800-53 AU-9 DISA CCI 366 |
Configure Logwatch on the Central Log ServerIs this machine the central log server? If so, edit the file | |||||||
low | CCE-27197-3 | Configure Logwatch HostLimit Line | On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate
on the logserver itself. The | | | ||
low | CCE-27069-4 | Configure Logwatch SplitHosts Line |
If | | | ||
low | ns | Disable Logwatch on Clients if a Logserver Exists |
Does your site have a central logserver which has been configured to report on logs received from all systems?
If so:
| | | ||
System Accounting with auditdThe audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo. Under its default configuration, | |||||||
medium | CCE-27058-7 | Enable auditd Service | The | Ensuring the | | | DISA CCI 347, 157, 172, 880, 1353, 1462, 1487, 1115, 1454, 067, 158, 831, 1190, 1312, 1263, 130, 120, 1589 |
medium | CCE-26785-6 | Enable Auditing for Processes Which Start Prior to the Audit Daemon | To ensure all processes can be audited, even
those which start prior to the audit daemon, add the argument
|
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although | | | DISA CCI 1464, 130 |
Configure auditd Data RetentionThe audit system writes data to | NIST SP800-53 AU-11 DISA CCI 138 | ||||||
medium | ns | Configure auditd Number of Logs Retained | Determine how many log files
| The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. | | | |
medium | ns | Configure auditd Max Log File Size | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
| The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. | | | |
medium | CCE-TODO | Configure auditd max_log_file_action Upon Reaching Maximum Log Size | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by | Automatically rotating logs (by setting this to | | | |
medium | CCE-TODO | Configure auditd space_left Action on Low Disk Space | The | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | | | DISA CCI 140, 143, 1339 |
medium | CCE-TODO | Configure auditd admin_space_left Action on Low Disk Space | The | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. | | | DISA CCI 140, 1343 |
medium | CCE-TODO | Configure auditd mail_acct Action on Low Disk Space | The | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. | | | DISA CCI 139, 144 |
medium | ns | Configure auditd to use audispd plugin | To configure the | The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server. | | | DISA CCI 136 |
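Added example, not from the guide, for the retention items above: read num_logs, max_log_file, max_log_file_action, space_left_action, admin_space_left_action and action_mail_acct from an auditd.conf and check them against a site policy, including the total-storage computation the rationale describes. The key names are the real auditd.conf keys (the page's item title abbreviates the last one to mail_acct); the policy values are this example's assumptions, not the guide's settings.

```shell
#!/bin/sh
# Added example (not from the guide): read the data-retention settings from an
# auditd.conf and compare them with a site policy. The key names are the real
# auditd.conf keys; the policy values below are this example's assumptions
# (the guide's own settings are not printed on this page), so override them
# via the environment to match your requirements.
REQUIRED_AUDIT_MB=${REQUIRED_AUDIT_MB:-100}   # minimum num_logs * max_log_file
WANT_MAX_LOG_FILE_ACTION=${WANT_MAX_LOG_FILE_ACTION:-rotate}
WANT_SPACE_LEFT_ACTION=${WANT_SPACE_LEFT_ACTION:-email}
WANT_ADMIN_SPACE_LEFT_ACTION=${WANT_ADMIN_SPACE_LEFT_ACTION:-single}
WANT_ACTION_MAIL_ACCT=${WANT_ACTION_MAIL_ACCT:-root}

# auditd_conf_get KEY: print KEY's value from an auditd.conf read on stdin
# ("key = value" lines, "#" comments). The last assignment wins; nothing is
# printed when the key is absent.
auditd_conf_get() {
    awk -F= -v want="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            key = $1; val = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }'
}

# check_auditd_retention: read an auditd.conf on stdin, print one line per
# setting that violates the policy, and return the number of findings. Action
# values are compared case-insensitively, as auditd itself accepts them.
check_auditd_retention() {
    _conf=$(cat)
    _bad=0
    _num=$(printf '%s\n' "$_conf" | auditd_conf_get num_logs)
    _max=$(printf '%s\n' "$_conf" | auditd_conf_get max_log_file)
    if [ -z "$_num" ] || [ -z "$_max" ]; then
        echo "num_logs and max_log_file must both be set"
        _bad=$((_bad + 1))
    elif [ $((_num * _max)) -lt "$REQUIRED_AUDIT_MB" ]; then
        echo "retention is $_num x $_max MB = $((_num * _max)) MB, below $REQUIRED_AUDIT_MB MB"
        _bad=$((_bad + 1))
    fi
    for _pair in "max_log_file_action=$WANT_MAX_LOG_FILE_ACTION" \
                 "space_left_action=$WANT_SPACE_LEFT_ACTION" \
                 "admin_space_left_action=$WANT_ADMIN_SPACE_LEFT_ACTION" \
                 "action_mail_acct=$WANT_ACTION_MAIL_ACCT"; do
        _key=${_pair%%=*}
        _want=$(printf '%s' "${_pair#*=}" | tr 'A-Z' 'a-z')
        _have=$(printf '%s\n' "$_conf" | auditd_conf_get "$_key" | tr 'A-Z' 'a-z')
        if [ "$_have" != "$_want" ]; then
            echo "$_key = ${_have:-<unset>} (expected $_want)"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# Constructed auditd.conf fragment with stock-looking values: only 30 MB of
# retention, and the two space_left actions differ from the policy (3 findings).
SAMPLE_AUDITD_CONF='#
# constructed sample, not a real /etc/audit/auditd.conf
#
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 6
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
action_mail_acct = root'

rc=0
printf '%s\n' "$SAMPLE_AUDITD_CONF" | check_auditd_retention || rc=$?
echo "findings: $rc"
# On a real host: check_auditd_retention < /etc/audit/auditd.conf
```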
Configure auditd Rules for Comprehensive AuditingThe | |||||||
Record Events that Modify Date and Time InformationArbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time. All changes to the system time should be audited. | |||||||
low | CCE-26242-8 | Record Attempts to Alter Time Through adjtimex | On a 32-bit system, add the following to | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | Black Eye | Patience | DISA CCI 1487, 169 |
low | CCE-27203-9 | Record Attempts to Alter Time Through settimeofday | On a 32-bit system, add the following to | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | Migraine | Diligence | DISA CCI 1487, 169 |
low | CCE-27169-2 | Record Attempts to Alter Time Through stime | On a 32-bit system, add the following to | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | Motion Sickness | Charity | DISA CCI 1487, 169 |
low | CCE-27170-0 | Record Attempts to Alter Time Through clock_settime | On a 32-bit system, add the following to | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | Dandruff | Humility | DISA CCI 1487, 169 |
low | CCE-27172-6 | Record Attempts to Alter the localtime File | Add the following to | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. | Hiccups | Temperance | DISA CCI 1487, 169 |
low | CCE-26664-3 | Record Events that Modify User/Group Information | Add the following to | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | Muscle Aches | Diligence | DISA CCI 18, 1403, 1404, 1405, 1684, 1683, 1685, 1686 |
low | CCE-26648-6 | Record Events that Modify the System's Network Environment | Add the following to | The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. | Muscle Cramping | Patience | |
low | CCE-TODO | System Audit Logs Must Have Mode 0640 or Less Permissive |
Change the mode of the audit log files with the following command:
| If users can write to audit logs, audit trails can be modified or destroyed. | Chickenpox | Kindness | DISA CCI 166 |
low | CCE-TODO | System Audit Logs Must Be Owned By Root |
To properly set the owner of | Failure to give ownership of the audit log file(s) to root allows the designated owner, and unauthorized users, potential access to sensitive information. | Bad Breath | Chastity | DISA CCI 166 |
low | CCE-26657-7 | Record Events that Modify the System's Mandatory Access Controls | Add the following to | The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. | Obesity | Temperance | |
Record Events that Modify the System's Discretionary Access ControlsAt a minimum the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64-bit system: these rules identify system calls by ABI, and a 64-bit kernel still executes 32-bit system calls, so a rule that only names arch=b64 would miss a 32-bit binary making the same call. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. For example, the "-S" system calls could be split up and placed on separate lines, but that is less efficient because each line becomes a separate rule the kernel must evaluate. Add the following to | |||||||
low | CCE-26280-8 | Record Events that Modify the System's Discretionary Access Controls - chmod | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | High Cholesterol | Temperance | DISA CCI 126 |
low | CCE-27173-4 | Record Events that Modify the System's Discretionary Access Controls - chown | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Sprain | Charity | DISA CCI 126 |
low | CCE-27174-2 | Record Events that Modify the System's Discretionary Access Controls - fchmod | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Diaper Rash | Humility | DISA CCI 126 |
low | CCE-27175-9 | Record Events that Modify the System's Discretionary Access Controls - fchmodat | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Diabetes | Kindness | DISA CCI 126 |
low | CCE-27177-5 | Record Events that Modify the System's Discretionary Access Controls - fchown | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Pain | Chastity | DISA CCI 126 |
low | CCE-27178-3 | Record Events that Modify the System's Discretionary Access Controls - fchownat | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | The Common Cold | Kindness | DISA CCI 126 |
low | CCE-27179-1 | Record Events that Modify the System's Discretionary Access Controls - fremovexattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Muscle Soreness | Kindness | DISA CCI 126 |
low | CCE-27180-9 | Record Events that Modify the System's Discretionary Access Controls - fsetxattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Dandruff | Temperance | DISA CCI 126 |
low | CCE-27181-7 | Record Events that Modify the System's Discretionary Access Controls - lchown | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Carpal Tunnel Syndrome | Patience | DISA CCI 126 |
low | CCE-27182-5 | Record Events that Modify the System's Discretionary Access Controls - lremovexattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Bee Stings | Patience | DISA CCI 126 |
low | CCE-27183-3 | Record Events that Modify the System's Discretionary Access Controls - lsetxattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Sore Throat | Kindness | DISA CCI 126 |
low | CCE-27184-1 | Record Events that Modify the System's Discretionary Access Controls - removexattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Carpal Tunnel Syndrome | Charity | DISA CCI 126 |
low | CCE-27185-8 | Record Events that Modify the System's Discretionary Access Controls - setxattr | At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
| The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | Decongestion | Diligence | DISA CCI 126 |
low | CCE-26691-6 | Record Attempts to Alter Logon and Logout Events |
The audit system already collects login info for all users and root. To watch for attempted manual edits of
files involved in storing logon events, add the following to | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | Chickenpox | Charity | |
low | CCE-26610-6 | Record Attempts to Alter Process and Session Initiation Information | The audit system already collects process information for all
users and root. To watch for attempted manual edits of files involved in
storing such process information, add the following to
| Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | Insomnia | Temperance | |
low | CCE-26712-0 | Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) | At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | Jaundice | Chastity | DISA CCI 126 |
low | CCE-26457-2 | Ensure auditd Collects Information on the Use of Privileged Commands | At a minimum the audit system should collect the
execution of privileged commands for all users and root.
To find the relevant setuid programs:
| Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. | Eczema | Charity | DISA CCI 40 |
low | CCE-26573-6 | Ensure auditd Collects Information on Exporting to Media (successful) | At a minimum the audit system should collect media
exportation events for all users and root. Add the following to
| The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. | Dandruff | Kindness | DISA CCI 126 |
low | CCE-26651-0 | Ensure auditd Collects File Deletion Events by User | At a minimum the audit system should collect file
deletion events for all users and root. Add the following to
| Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence. | Constipation | Patience | DISA CCI 126 |
low | CCE-26662-7 | Ensure auditd Collects System Administrator Actions | At a minimum the audit system should collect
administrator actions for all users and root. Add the following to
| The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes. | Jaundice | Humility | DISA CCI 126 |
low | CCE-26611-4 | Ensure auditd Collects Information on Kernel Module Loading and Unloading | Add the following to | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | Pink Eye | Kindness | DISA CCI 126 |
low | CCE-26612-2 | Make the auditd Configuration Immutable | Add the following to | Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules. Once set, the rules cannot be changed without a reboot, which may be problematic if legitimate changes are needed during system operation. | Poison Ivy | Charity | |
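The rows from "Records Events that Modify Date and Time Information" through "Make the auditd Configuration Immutable" together describe one artifact: the contents of `/etc/audit/audit.rules`. The script below is an added example, not the guide's own rules file. It generates that file for both the 32-bit and 64-bit syscall ABIs (the point made in the DAC note above), builds the privileged-command rules from a list of setuid/setgid programs, and includes a check that reports which rule families are missing from an existing rules file. The `-k` key names, the UID threshold of 500 (the first regular UID on RHEL 6) and the unset-auid value 4294967295 are this example's choices.

```shell
#!/bin/bash
# Added example, not code from the guide: generate an /etc/audit/audit.rules
# fragment covering every rule family in this section, for both the 32- and
# 64-bit syscall ABIs, and check an existing rules file for the same coverage.
# Assumptions (ours, not the guide's): the -k key names, the UID threshold of
# 500 (first regular UID on RHEL 6), and the setuid program list, which comes
# from list_setuid_programs or from a file the caller supplies.

# Syscalls the guide lists under "Discretionary Access Controls".
DAC_SYSCALLS="chmod chown fchmod fchmodat fchown fchownat fremovexattr fsetxattr lchown lremovexattr lsetxattr removexattr setxattr"
UNPRIV="-F auid>=500 -F auid!=4294967295"   # real users only; 4294967295 is the unset auid

# rule_both_arches ARGS...: one syscall rule for b32 and one for b64, because a
# 64-bit kernel still executes 32-bit system calls (see the note above).
rule_both_arches() {
    local arch
    for arch in b32 b64; do
        printf '%s\n' "-a always,exit -F arch=$arch $*"
    done
}

emit_watch() {   # emit_watch PATH PERMS KEY
    printf '%s\n' "-w $1 -p $2 -k $3"
}

# list_setuid_programs: setuid/setgid files on local filesystems, one per line.
list_setuid_programs() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# gen_audit_rules [PRIVILEGED_LIST]: print the rules fragment to stdout.
# PRIVILEGED_LIST is a file of program paths; without it the system is scanned.
gen_audit_rules() {
    local priv_src=${1:-} f sc err
    rule_both_arches "-S adjtimex -S settimeofday -S clock_settime -k audit_time_rules"
    printf '%s\n' "-a always,exit -F arch=b32 -S stime -k audit_time_rules"   # stime is 32-bit only
    emit_watch /etc/localtime wa audit_time_rules
    for f in /etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd; do
        emit_watch "$f" wa audit_account_changes
    done
    rule_both_arches "-S sethostname -S setdomainname -k audit_network_modifications"
    for f in /etc/issue /etc/issue.net /etc/hosts /etc/sysconfig/network; do
        emit_watch "$f" wa audit_network_modifications
    done
    emit_watch /etc/selinux/ wa MAC-policy
    for sc in $DAC_SYSCALLS; do
        rule_both_arches "-S $sc $UNPRIV -k perm_mod"
    done
    for f in /var/log/faillog /var/log/lastlog /var/log/tallylog; do emit_watch "$f" wa logins; done
    for f in /var/run/utmp /var/log/btmp /var/log/wtmp; do emit_watch "$f" wa session; done
    for err in EACCES EPERM; do   # failed opens/creates/truncates by real users
        rule_both_arches "-S creat -S open -S openat -S truncate -S ftruncate -F exit=-$err $UNPRIV -k access"
    done
    { if [ -n "$priv_src" ]; then cat "$priv_src"; else list_setuid_programs; fi; } |
        while read -r f; do
            printf '%s\n' "-a always,exit -F path=$f -F perm=x $UNPRIV -k privileged"
        done
    rule_both_arches "-S mount $UNPRIV -k export"
    rule_both_arches "-S rmdir -S unlink -S unlinkat -S rename -S renameat $UNPRIV -k delete"
    emit_watch /etc/sudoers wa actions
    for f in /sbin/insmod /sbin/rmmod /sbin/modprobe; do emit_watch "$f" x modules; done
    rule_both_arches "-S init_module -S delete_module -k modules"
    printf '%s\n' "-e 2"   # immutable: must stay the last line; a reboot is needed to change rules
}

# missing_keys RULES_FILE: print each -k key from this section that no rule in
# RULES_FILE carries, plus "immutable" when the final "-e 2" is absent.
missing_keys() {
    local k
    for k in audit_time_rules audit_account_changes audit_network_modifications MAC-policy \
             perm_mod logins session access privileged export delete actions modules; do
        grep -Eq -- "[[:space:]]-k[[:space:]]+$k([[:space:]]|$)" "$1" || echo "$k"
    done
    grep -Eq -- '^-e[[:space:]]+2[[:space:]]*$' "$1" || echo immutable
}
```

On a host, `gen_audit_rules > /etc/audit/audit.rules` followed by `service auditd restart` installs the rules, and `auditctl -l` shows what the kernel actually loaded; `missing_keys /etc/audit/audit.rules` is the quick drift check. Because the fragment ends in `-e 2`, any later change to the file only takes effect after a reboot, which is the trade-off the row above describes.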
ServicesThe best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux installs on a system and disable software which is not needed. It then enumerates the software packages installed on a default RHEL6 system and provides guidance about which ones can be safely disabled. | |||||||
Obsolete ServicesThis section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this, many of these services are not installed as part of RHEL6 by default. | |||||||
XinetdThe | |||||||
medium | CCE-27046-2 | Disable xinetd Service |
The | The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. | Overall Wellness | Chastity | DISA CCI 305 |
low | CCE-27005-8 | Uninstall xinetd Package | The |
Removing the | Insomnia | Kindness | DISA CCI 305 |
TelnetThe telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use telnet should be actively working to migrate to a more secure protocol. | |||||||
high | CCE-26836-7 | Disable telnet Service |
The | The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. | Muscle Cramping | Patience | DISA CCI 68, 1436, 197, 877, 888 |
high | CCE-27073-6 | Uninstall telnet-server Package | The |
Removing the | Influenza | Charity | DISA CCI 305, 381 |
Rlogin, Rsh, and RexecThe Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model. | |||||||
high | CCE-27062-9 | Uninstall rsh-server Package | The | The | Diaper Rash | Kindness | DISA CCI 305, 381 |
high | CCE-27208-8 | Disable rexec Service | The | The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | Snake Bite | Patience | DISA CCI 68, 1436 |
high | CCE-26994-4 | Disable rsh Service | The | The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | Bloody Nose | Chastity | DISA CCI 68, 1436 |
high | CCE-26865-6 | Disable rlogin Service | The | The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. | Arthritis | Patience | DISA CCI 1436 |
high | CCE-TODO | Remove Rsh Trust Files | The files | Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. | Canker Sores | Patience | DISA CCI 1436 |
NISThe Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information. | |||||||
medium | CCE-27079-3 | Uninstall ypserv Package | The | Removing the | Poison Ivy | Diligence | DISA CCI 305, 381 |
medium | CCE-26894-6 | Disable ypbind Service | The |
Disabling the | Anemia | Chastity | DISA CCI 305 |
TFTP ServerTFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking operating systems frequently support configuration via SSH or other more secure protocols. A TFTP server should be run only if no more secure method of supporting existing equipment can be found. | |||||||
medium | CCE-27055-3 | Disable tftp Service | The |
Disabling the | Dandruff | Temperance | DISA CCI 1436 |
medium | CCE-26946-4 | Uninstall tftp-server Package |
The |
Removing the | Pain | Humility | DISA CCI 305 |
high | CCE-TODO | Ensure tftp Daemon Uses Secure Mode | If running the | Using the | Burns | Charity | DISA CCI 366 |
Base ServicesThis section addresses the base services that are installed on a RHEL 6 default installation which are not covered in other sections. Some of these services listen on the network and should be treated with particular discretion. Other services are local system utilities that may or may not be extraneous. In general, system services should be disabled if not required. | |||||||
low | CCE-TODO | Disable Automatic Bug Reporting Tool (abrtd) | The Automatic Bug Reporting Tool ( | Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers. | Pneumonia | Humility | DISA CCI 381 |
low | CCE-27061-1 | Disable Advanced Configuration and Power Interface (acpid) | The Advanced Configuration and Power Interface Daemon ( | ACPI support is highly desirable for systems in some network roles, such as laptops or desktops. For other systems, such as servers, it may permit accidental or trivially achievable denial of service situations and disabling it is appropriate. | Pain | Charity | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable At Service (atd) | The |
The | Diabetes | Temperance | NIST SP800-53 CM-7 DISA CCI 381 |
low | CCE-TODO | Disable Certmonger Service (certmonger) | Certmonger is a D-Bus based service that attempts to simplify interaction
with certifying authorities on networks which use public-key infrastructure. It is often
combined with Red Hat's IPA (Identity Policy Audit) security information management
solution to aid in the management of certificates.
The | The services provided by certmonger may be essential for systems fulfilling some roles in a PKI infrastructure, but its functionality is not necessary for many other use cases. | Bruising | Diligence | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable Control Group Config (cgconfig) | Control groups allow an administrator to allocate system resources (such as CPU,
memory, network bandwidth, etc) among a defined group (or groups) of processes executing on
a system. The | Unless control groups are used to manage system resources, running the cgconfig service is not necessary. | Sprain | Patience | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable Control Group Rules Engine (cgred) | The | Unless control groups are used to manage system resources, running the cgred service is not necessary. | Parkinson's Disease | Temperance | NIST SP800-53 CM-7 |
low | CCE-26973-8 | Disable CPU Speed (cpuspeed) | The | The | Fever | Patience | NIST SP800-53 CM-7 |
low | CCE-27086-8 | Disable Hardware Abstraction Layer Service (haldaemon) | The Hardware Abstraction Layer Daemon ( | The haldaemon provides essential functionality on systems that use removable media or devices, but can be disabled for systems that do not require these. | Stress | Diligence | NIST SP800-53 CM-7 |
low | CCE-26990-2 | Enable IRQ Balance (irqbalance) | The | In an environment with multiple processors (now common), the irqbalance service provides potential speedups for handling interrupt requests. | Psoriasis | Humility | NIST SP800-53 CM-7 |
low | CCE-26850-8 | Disable KDump Kernel Crash Analyzer (kdump) | The | Unless the system is used for kernel development or testing, there is little need to run the kdump service. | Chickenpox | Humility | |
low | CCE-27193-2 | Disable Software RAID Monitor (mdmonitor) | The mdmonitor service is used for monitoring a software RAID (hardware
RAID setups do not use this service).
The | If software RAID monitoring is not required (and it is uncommon), there is no need to run the service. | Jaundice | Humility | NIST SP800-53 CM-7 |
low | CCE-26913-4 | Disable D-Bus IPC Service (messagebus) | D-Bus provides an IPC mechanism used by
a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi.
Due to these dependencies, disabling D-Bus may not be practical for
many systems.
The | If no services which require D-Bus are needed, then it can be disabled. As a broker for IPC between processes of different privilege levels, it could be a target for attack. However, disabling D-Bus is likely to be impractical for any system which needs to provide a graphical login session. | Hives | Diligence | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable Network Console (netconsole) | The | The | Sunburn Skin | Kindness | DISA CCI 381 |
low | CCE-TODO | Disable ntpdate Service (ntpdate) | The ntpdate service sets the system clock once, by polling NTP servers
when the system boots, rather than keeping it continuously synchronized as the ntpd daemon does. It synchronizes to the NTP servers listed in
| The | Spina Bifida | Patience | DISA CCI 382 |
low | CCE-TODO | Disable Odd Job Daemon (oddjobd) | The | The | Pain | Humility | NIST SP800-53 CM-7 DISA CCI 381 |
low | CCE-TODO | Disable Portreserve (portreserve) | The | The | Sunburn Skin | Charity | |
low | CCE-TODO | Enable Process Accounting (psacct) | The process accounting service ( | The | Sty | Patience | |
low | CCE-26928-2 | Disable Apache Qpid (qpidd) | The | The qpidd service is automatically installed when the "base"
package selection is selected during installation. The qpidd service listens
for network connections which increases the attack surface of the system. If
the system is not intended to receive AMQP traffic then the | Overall Wellness | Kindness | DISA CCI 382 |
low | CCE-TODO | Disable Quota Netlink (quota_nld) | The | If disk quotas are enforced on the local system, then the
| Seasonal Affective Disorder | Kindness | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable Network Router Discovery Daemon (rdisc) | The | General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. | Constipation | Patience | DISA CCI 382 |
low | CCE-26846-6 | Disable Red Hat Network Service (rhnsd) | The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.
The | Although systems management and patching is extremely important to
system security, management by a system outside the enterprise enclave is not
desirable for some environments. However, if the system is being managed by RHN or
RHN Satellite Server the | Hiccups | Temperance | DISA CCI 382 |
low | CCE-TODO | Disable Red Hat Subscription Manager Daemon (rhsmcertd) | The Red Hat Subscription Manager (rhsmcertd) periodically checks for
changes in the entitlement certificates for a registered system and updates it
accordingly.
The | The | Snake Bite | Humility | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable Cyrus SASL Authentication Daemon (saslauthd) | The saslauthd service handles plaintext authentication requests on
behalf of the SASL library. The service isolates all code requiring superuser
privileges for SASL authentication into a single process, and can also be used
to provide proxy authentication services to clients that do not understand SASL
based authentication.
The | The | Sty | Patience | |
low | CCE-26853-2 | Disable SMART Disk Monitoring Service (smartd) | SMART (Self-Monitoring, Analysis, and Reporting Technology) is a
feature of hard drives that allows them to detect symptoms of disk failure and
relay an appropriate warning.
The | SMART can help protect against denial of service due to failing hardware. Nevertheless, if it is not needed, or if the system's drives do not expose SMART data (as is common for virtual disks), it can be disabled. | Fungal Infections | Patience | NIST SP800-53 CM-7 |
low | CCE-TODO | Disable System Statistics Reset Service (sysstat) | The | By default the | Motion Sickness | Patience | NIST SP800-53 CM-7 |
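The "Obsolete Services" and "Base Services" rows above each reduce to the same check: is a given SysV or xinetd service still enabled? The script below is an added example, not code from the guide. It parses the output format of `chkconfig --list` (the constructed sample embedded in it stands in for a real run) and reports every service from those rows that is on in a multi-user runlevel, or on under xinetd, plus the services the guide says to enable (irqbalance, psacct, crond, auditd) that are not. The service lists are this example's transcription of the row titles.

```shell
#!/bin/bash
# Added example, not code from the guide: audit `chkconfig --list` output
# against the services this section says to disable or enable. The service
# lists and the sample output are ours; runlevels 2-5 are the multi-user ones.

# SysV services the guide says to disable, and xinetd-based ones it covers.
DISABLE_SYSV="xinetd abrtd acpid atd certmonger cgconfig cgred cpuspeed haldaemon kdump mdmonitor messagebus netconsole ntpdate oddjobd portreserve qpidd quota_nld rdisc rhnsd rhsmcertd saslauthd sysstat ypbind"
DISABLE_XINETD="telnet rexec rsh rlogin tftp"
# Services the guide says to enable.
ENABLE_SYSV="irqbalance psacct crond auditd"

# enabled_services: read `chkconfig --list` output on stdin and print the
# names of SysV services that are on in any of runlevels 2-5, and of
# xinetd-based services whose state is "on".
enabled_services() {
    awk '
        # SysV line: "name  0:off 1:off 2:on 3:on 4:on 5:on 6:off"
        $2 ~ /^0:/ { for (i = 2; i <= NF; i++) if ($i ~ /^[2-5]:on$/) { print $1; break } }
        # xinetd line (indented, after the "xinetd based services:" header): "   telnet:  on"
        /^[ \t]+[A-Za-z0-9._-]+:[ \t]+(on|off)$/ { if ($2 == "on") { sub(/:$/, "", $1); print $1 } }
    '
}

# audit_services: read `chkconfig --list` output on stdin, print one
# "DISABLE name" or "ENABLE name" finding per deviation, return 1 if any.
audit_services() {
    local on findings=0 s
    on=$(enabled_services)
    for s in $DISABLE_SYSV $DISABLE_XINETD; do
        if printf '%s\n' "$on" | grep -qx "$s"; then echo "DISABLE $s"; findings=1; fi
    done
    for s in $ENABLE_SYSV; do
        if ! printf '%s\n' "$on" | grep -qx "$s"; then echo "ENABLE $s"; findings=1; fi
    done
    return $findings
}

# Constructed sample of `chkconfig --list` output (not from a real host).
SAMPLE_CHKCONFIG='abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:off   4:off   5:off   6:off
qpidd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
        telnet:         on
        tftp:           off'

# demo: run the audit over the sample; on a real host use
#   chkconfig --list | audit_services
demo() { printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_services; }
```

Against the sample, the audit reports xinetd, abrtd, qpidd and telnet to disable and irqbalance and psacct to enable, and leaves sshd alone because it is not in either list. Remediation on RHEL 6 is `chkconfig NAME off` (or `chkconfig telnet off` for xinetd services) and `service NAME stop`; the `Uninstall` rows go further and remove the package with `yum erase`, which is the stronger choice where the software is not needed at all.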
Cron and At DaemonsThe cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may not be required on a given system. Both daemons should be configured defensively. | |||||||
medium | CCE-27070-2 | Enable cron Service | The | Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. | Insomnia | Temperance | NIST SP800-53 CM-7 |
low | ns | Disable anacron Service | The | Migraine | Chastity | NIST SP800-53 CM-7 | |
low | CCE-26548-8 | Disable atd Service |
The | Many of the periodic or delayed execution features of the at daemon can be provided through the cron daemon instead. | Poison Ivy | Diligence | NIST SP800-53 CM-7 |
Restrict at and cron to Authorized Users if NecessaryThe | |||||||
SSH ServerThe SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, through the use of public key cryptography. The implementation included with the system is called OpenSSH, and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called | |||||||
low | CCE-27054-6 | Disable SSH Server If Possible (Unusual) | The SSH server service, sshd, is commonly needed.
However, if it can be disabled, do so.
The | Stinging Nettle | Diligence | ||
low | CCE-27060-3 | Remove SSH Server iptables Firewall Exception (Unusual) | By default, inbound connections to SSH's port are allowed. If
the SSH server is not being used, this exception should be removed from the
firewall configuration.
| If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. | Bee Stings | Diligence | |
Configure OpenSSH Server if NecessaryIf the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file | |||||||
high | CCE-27072-8 | Allow Only SSH Protocol 2 | Only SSH protocol version 2 connections should be
permitted. The default setting in
| SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. | Influenza | Chastity | NIST SP800-53 AC-17(8) DISA CCI 776, 774, 1436 |
low | ns | Limit Users' SSH Access | By default, the SSH configuration allows any user with an account
to access the system. In order to specify the users that are allowed to login
via SSH and deny all other users, add or correct the following line in the
| Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system. | Spina Bifida | Charity | |
low | CCE-26919-1 | Set SSH Idle Timeout Interval | SSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
| Causing idle users to be automatically logged out guards against an unattended session on one system leading trivially to a compromise of another. | Overall Wellness | Diligence | DISA CCI 879, 1133 |
low | CCE-26282-4 | Set SSH Client Alive Count | To ensure the SSH idle timeout occurs precisely when the |
This ensures a user login will be terminated as soon as the | Bloody Nose | Charity | DISA CCI 879, 1133 |
medium | CCE-27124-7 | Disable SSH Support for .rhosts Files | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | The Common Cold | Charity | DISA CCI 765, 766 |
medium | CCE-27091-8 | Disable Host-Based Authentication | SSH's cryptographic host-based authentication is
more secure than | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | Acne | Kindness | DISA CCI 765, 766 |
medium | CCE-27100-7 | Disable SSH Root Login | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line:
| Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. | Migraine | Kindness | NIST SP800-53 AC-6(2) DISA CCI 770 |
high | CCE-26887-0 | Disable SSH Access via Empty Passwords | To explicitly disallow remote login from accounts with
empty passwords, add or correct the following line:
| Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | Migraine | Diligence | DISA CCI 765, 766 |
medium | CCE-27112-2 | Enable SSH Warning Banner |
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in | The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. | Hiccups | Humility | DISA CCI 48 |
low | CCE-27201-3 | Do Not Allow SSH Environment Options | To ensure users are not able to present
environment options to the SSH daemon, add or correct the following line
in | SSH environment options potentially allow users to bypass access restriction in some configurations. | Arthritis | Chastity | DISA CCI 1414 |
medium | CCE-26555-3 | Use Only Approved Ciphers | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in | Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. | Overall Wellness | Patience | DISA CCI 803, 1144, 1145, 1146 |
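An added example (not code from the guide) that audits an sshd_config against the SSH rows above. It is written as a shell script because that is what the settings are checked with on the host. Two sshd parsing rules matter for an audit and are easy to get wrong in a grep one-liner: sshd uses the first occurrence of a keyword, and anything after the first Match line is conditional. The approved-cipher set (AES-CTR, AES-CBC, 3DES-CBC) follows the FIPS criterion stated in the row; the 900-second idle ceiling and the 300-second value in the sample are assumptions to be replaced by site policy. The two configuration files are constructed samples, not real system files.

```shell
#!/bin/bash
# Added example for this guide's SSH section; not code from the guide.
# Audits an sshd_config against the directives recommended above, honouring:
#   1. sshd uses the FIRST occurrence of a keyword, so a hardened line
#      appended at the end of the file is ignored if a weaker one precedes it.
#   2. Directives after the first "Match" line are conditional, so only the
#      lines before it count as the global setting.
# Keywords are case-insensitive. The "Keyword=value" spelling is not handled.

MAX_IDLE=900   # assumed site ceiling for ClientAliveInterval, seconds (not from the guide)

# FIPS-approved ciphers as the row describes them: AES and 3DES only.
APPROVED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc"

# Directives the section says to set to exactly this value.
REQUIRED="IgnoreRhosts=yes HostbasedAuthentication=no PermitRootLogin=no
PermitEmptyPasswords=no PermitUserEnvironment=no ClientAliveCountMax=0 Banner=/etc/issue"

# sshd_effective FILE KEYWORD: print the global value sshd would use, or nothing.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                  # comment
        /^[[:space:]]*$/ { next }                  # blank line
        tolower($1) == "match" { exit }            # end of the global section
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                            # and trailing blanks
            print; exit                                          # first match wins
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_audit FILE: print one FAIL line per deviation; return 0 only if clean.
sshd_audit() {
    f=$1 rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_effective "$f" "$key")
        if [ "$(lower "$got")" != "$(lower "$want")" ]; then
            echo "FAIL $key: effective '${got:-<unset>}', expected '$want'"; rc=1
        fi
    done
    idle=$(sshd_effective "$f" ClientAliveInterval)
    case $idle in
        ''|*[!0-9]*) echo "FAIL ClientAliveInterval: effective '${idle:-<unset>}', expected 1..$MAX_IDLE"; rc=1 ;;
        *) if [ "$idle" -lt 1 ] || [ "$idle" -gt "$MAX_IDLE" ]; then
               echo "FAIL ClientAliveInterval: $idle is outside 1..$MAX_IDLE"; rc=1
           fi ;;
    esac
    ciphers=$(sshd_effective "$f" Ciphers)
    if [ -z "$ciphers" ]; then
        echo "FAIL Ciphers: unset, so the OpenSSH default list (arcfour, blowfish-cbc, ...) applies"; rc=1
    else
        for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
            case " $APPROVED_CIPHERS " in
                *" $c "*) ;;
                *) echo "FAIL Ciphers: $c is not an approved cipher"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Constructed sample files for a self-contained run (not real system configs).
WEAK_CFG=$(mktemp) GOOD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$GOOD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# Weak: the PermitRootLogin no at the bottom never takes effect
Protocol 2
PermitRootLogin yes
Ciphers aes128-ctr,arcfour,blowfish-cbc
ClientAliveInterval 0
PermitRootLogin no
EOF
cat >"$GOOD_CFG" <<'EOF'
Protocol 2
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF

for cfg in "$WEAK_CFG" "$GOOD_CFG"; do
    if sshd_audit "$cfg"; then echo "OK: $cfg complies"; else echo "$cfg: see FAIL lines above"; fi
done
```

Run it against /etc/ssh/sshd_config with `sshd_audit /etc/ssh/sshd_config` after sourcing the functions; remember that sshd must be restarted (or reloaded) for an edited file to take effect, and that a scanner which greps for the last occurrence of a keyword will pass the weak sample above while sshd does not.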
Strengthen Firewall Configuration if PossibleIf the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to only accept connections from the appropriate network segment(s). | |||||||
X Window SystemThe X Window System implementation included with the system is called X.org. | |||||||
Disable X WindowsUnless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is usually no reason to run X Windows on a dedicated server machine, as it increases the system's attack surface and consumes system resources. Administrators of server systems should instead login via SSH or on the text console. | |||||||
low | CCE-27119-7 | Disable X Windows Startup By Setting Runlevel | Setting the system's runlevel to 3 will prevent automatic startup
of the X server. To do so, ensure the following line in | Unnecessary services should be disabled to decrease the attack surface of the system. | Chickenpox | Temperance | DISA CCI 366 |
low | CCE-27198-1 | Remove the X Windows Package Group | Removing all packages which constitute the X Window System
ensures users or malicious software cannot start X.
To do so, run the following command:
| Unnecessary packages should not be installed to decrease the attack surface of the system. | Muscle Soreness | Humility | DISA CCI 366 |
Avahi ServerThe Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on the network, such as printers or web servers. This capability is also known as mDNSresponder and is a major part of Zeroconf networking. | |||||||
Disable Avahi Server if PossibleBecause the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability to such attacks. | |||||||
low | CCE-27087-6 | Disable Avahi Server Software |
The | Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. | Psoriasis | Diligence | NIST SP800-53 CM-7 DISA CCI 366 |
Configure Avahi if NecessaryIf your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is | |||||||
low | ns | Serve Avahi Only via Required Protocol |
If you are using only IPv4, edit | Halitosis | Kindness | NIST SP800-53 CM-7 | |
low | ns | Check Avahi Responses' TTL Field |
To make Avahi ignore packets unless the TTL field is 255, edit
| This helps to ensure that only mDNS responses from the local network are processed, because the TTL field in a packet is decremented from its initial value of 255 whenever it is routed from one network to another. Although a properly-configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted. | Tooth Ache | Humility | NIST SP800-53 CM-7 |
low | ns | Prevent Other Programs from Using Avahi's Port |
To prevent other mDNS stacks from running, edit | This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system. | Parkinson's Disease | Kindness | NIST SP800-53 CM-7 |
low | ns | Disable Avahi Publishing |
To prevent Avahi from publishing any records for this host, edit | With publishing disabled, Avahi no longer advertises the host's address or services to the network and is used only to resolve names and browse services published by others. | Dehydration | Diligence | NIST SP800-53 CM-7 |
Restrict Information Published by AvahiIf it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or correcting the following line in the | NIST SP800-53 CM-7 | ||||||
Print SupportThe Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send them to the appropriate printer. It also provides an interface for remote administration through a web browser. The CUPS service is installed and activated by default. The project homepage and more detailed documentation are available at http://www.cups.org. | |||||||
low | CCE-26899-5 | Disable the CUPS Service |
The | Turn off unneeded services to reduce attack surface. | Chapped Lips | Diligence | NIST SP800-53 CM-7 |
low | CCE-26884-7 | Enable Firewall Access to Printing Service | If the system must act as a network print server then
| By default, inbound connections to the Internet Printing Protocol port are not allowed. If the print server does need to be accessed this exception should be added to the firewall configuration. | Tooth Ache | Diligence | NIST SP800-53 CM-7 |
Configure the CUPS Service if NecessaryCUPS provides the ability to easily share local printers with other machines over the network. It does this by allowing machines to share lists of available printers. Additionally, each machine that runs the CUPS service can potentially act as a print server. Whenever possible, the printer sharing and print server capabilities of CUPS should be limited or disabled. The following recommendations should demonstrate how to do just that. | |||||||
low | CCE-27108-0 | Disable Printer Browsing Entirely if Possible | By default, CUPS listens on the network for printer list
broadcasts on UDP port 631. This functionality is called printer browsing.
To disable printer browsing entirely, edit the CUPS configuration
file, located at | The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the machine will no longer generate or receive such broadcasts. | Diabetes | Humility | NIST SP800-53 CM-7 |
low | CCE-27107-2 | Disable Print Server Capabilities | To prevent remote users from potentially connecting to and using
locally configured printers, disable the CUPS print server sharing
capabilities. To do so, limit how the server will listen for print jobs by
removing the more generic port directive from /etc/cups/cupsd.conf:
| By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive. | Canker Sores | Diligence | NIST SP800-53 CM-7 |
DHCPThe Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. | |||||||
Disable DHCP ServerThe DHCP server | |||||||
medium | CCE-27074-4 | Disable DHCP Service | The | Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one. | Sore Throat | Kindness | NIST SP800-53 CM-7 DISA CCI 366 |
medium | CCE-27120-5 | Uninstall DHCP Server Package | If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The | Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. | Parkinson's Disease | Temperance | NIST SP800-53 CM-7 DISA CCI 366 |
Configure DHCP Server if NecessaryIf the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless needed. The configuration file for dhcpd is called | |||||||
low | CCE-27049-6 | Do Not Use Dynamic DNS | To prevent the DHCP server from receiving DNS information from
clients, edit | The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients. | Rheumatoid Arthritis | Humility | NIST SP800-53 CM-7 |
low | CCE-27106-4 | Deny Decline Messages | Edit | The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations. | Dehydration | Charity | NIST SP800-53 CM-7 |
low | CCE-27077-7 | Deny BOOTP Queries | Unless your network needs to support older BOOTP clients, disable
support for the bootp protocol by adding or correcting the global option:
| The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server. | Lice | Diligence | NIST SP800-53 CM-7 |
Minimize Served InformationEdit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP: | NIST SP800-53 CM-7 | ||||||
low | CCE-26898-7 | Configure Logging | Ensure that the following line exists in
| By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section | Muscle Cramping | Temperance | |
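An added example (not code from the guide) covering the DHCP server rows above: it checks a dhcpd.conf for the global statements the rows call for (ddns-update-style none, deny declines, deny bootp, a log-facility) and lists the options it would hand to clients, which the "Minimize Served Information" item says to review. The list of options treated as review candidates is an assumption standing in for the list this page does not reproduce; the local6 facility and the address ranges in the samples are constructed, not site values. The scanner assumes one statement per line, as dhcpd.conf is conventionally written.

```shell
#!/bin/bash
# Added example for the "Configure DHCP Server if Necessary" rows; not code
# from the guide. Parses dhcpd.conf with a small awk scanner that assumes one
# statement per line; a "#" inside a quoted string would be taken as a comment.

# Assumed list of served options worth questioning (the guide's own list is
# not reproduced on this page).
MINIMIZE="domain-name domain-name-servers nis-domain nis-servers ntp-servers routers time-offset"

# dhcpd_global FILE: print global-scope statements (brace depth 0), comments
# stripped and whitespace normalised, one per line.
dhcpd_global() {
    awk '
        { sub(/#.*/, ""); line = $0; gsub(/[[:space:]]+/, " ", line)
          sub(/^ /, "", line); sub(/ $/, "", line) }
        line == "" { next }
        {
            if (depth == 0 && line !~ /\{/) print line
            depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)   # gsub returns the count
        }' "$1"
}

# dhcpd_options FILE: option names served from any scope, one per line.
dhcpd_options() {
    awk '{ sub(/#.*/, "") } $1 == "option" { print $2 }' "$1" | sort -u
}

# dhcpd_audit FILE: FAIL for a missing hardening statement, WARN for a served
# option worth reviewing; return 0 unless there is a FAIL.
dhcpd_audit() {
    f=$1 rc=0
    globals=$(dhcpd_global "$f")
    for want in "ddns-update-style none;" "deny declines;" "deny bootp;"; do
        printf '%s\n' "$globals" | grep -qxF "$want" || { echo "FAIL global statement missing: $want"; rc=1; }
    done
    printf '%s\n' "$globals" | grep -q '^log-facility ' ||
        { echo "FAIL log-facility not set (dhcpd logs go to the daemon facility)"; rc=1; }
    for opt in $(dhcpd_options "$f"); do
        case " $MINIMIZE " in
            *" $opt "*) echo "WARN option $opt is served; remove it unless there is an operational need" ;;
        esac
    done
    return $rc
}

# Constructed sample files (not real system configs).
WEAK_DHCPD=$(mktemp) GOOD_DHCPD=$(mktemp)
trap 'rm -f "$WEAK_DHCPD" "$GOOD_DHCPD"' EXIT
cat >"$WEAK_DHCPD" <<'EOF'
# Accepts client DNS updates, declines and BOOTP; serves NIS information
ddns-update-style interim;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.200;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.2;
    option nis-domain "corp";
}
EOF
cat >"$GOOD_DHCPD" <<'EOF'
ddns-update-style none;
deny declines;
deny bootp;
log-facility local6;   # assumed local facility; give it its own file in rsyslog
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.200;
    option routers 10.0.0.1;   # kept: clients need a default gateway
}
EOF

for cfg in "$WEAK_DHCPD" "$GOOD_DHCPD"; do
    if dhcpd_audit "$cfg"; then echo "OK: $cfg has the required global statements"; else echo "$cfg: see FAIL lines above"; fi
done
```

A WARN does not fail the audit: an option such as routers is usually needed, and the point of the row is to make each served option a deliberate decision rather than a default.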
Disable DHCP ClientDHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of IP addresses for systems implies a greater degree of management and accountability for network activity. | |||||||
low | CCE-27021-5 | Disable DHCP Client |
For each interface on the system (e.g. eth0), edit
| DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances. | Hiccups | Charity | NIST SP800-53 CM-7 DISA CCI 366 |
Configure DHCP Client if NecessaryIf DHCP must be used, then certain configuration changes can minimize the amount of information it receives and applies from the network, and thus the amount of incorrect information a rogue DHCP server could successfully distribute. For more information on configuring dhclient, see the | |||||||
Minimize the DHCP-Configured OptionsCreate the file | |||||||
Network Time ProtocolThe Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can be used both to ensure that time is consistent among a network of machines, and that their time is consistent with the outside world. | |||||||
medium | CCE-27093-4 | Enable the NTP Daemon |
The | Enabling the | Pain | Humility | NIST SP800-53 AU-8(1) DISA CCI 160 |
medium | CCE-27098-3 | Specify a Remote NTP Server | To specify a remote NTP server for time synchronization, edit
the file | Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended. | Chapped Lips | Patience | NIST SP800-53 AU-8(1) DISA CCI 160 |
low | ns | Specify Additional Remote NTP Servers | Additional NTP servers can be specified for time synchronization
in the file | Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems. | Stress | Chastity | NIST SP800-53 AU-8(1) |
Mail Server SoftwareMail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that machines are not running MTAs unnecessarily, and configure needed MTAs as defensively as possible. | |||||||
low | CCE-26325-1 | Enable Postfix Service | The Postfix mail transfer agent is used for local mail delivery
within the system. The default configuration only listens for connections to
the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is
recommended to leave this service enabled for local mail delivery.
The | Local mail delivery is essential to some system maintenance and notification tasks. | Diarrhea | Temperance | |
medium | ns | Uninstall Sendmail Package | Sendmail is not the default mail transfer agent and is
not installed by default.
The | The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. | Overall Wellness | Patience | NIST SP800-53 CM-7 |
Configure SMTP For Mail ClientsThis section discusses settings for Postfix in a submission-only e-mail configuration. | |||||||
medium | CCE-26780-7 | Disable Postfix Network Listening |
Edit the file |
This ensures | Pink Eye | Patience | NIST SP800-53 CM-7 DISA CCI 382 |
Configure Operating System to Protect Mail ServerThe guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software. | |||||||
Use Separate Hosts for External and Internal Mail if PossibleThe mail server is a frequent target of network attack from the outside. However, since all site users receive mail, the mail server must be open to some connections from each inside user. It is strongly recommended that these functions be separated, by having an externally visible mail server which processes all incoming and outgoing mail, then forwards internal mail to a separate machine from which users can access it. | |||||||
Protect the MTA Host from User AccessThe mail server contains privileged data belonging to all users and performs a vital network function. Preventing users from logging into this server is a precaution against privilege escalation or denial of service attacks which might compromise the mail service. Take steps to ensure that only system administrators are allowed shell access to the MTA host. | |||||||
Restrict Remote Access to the Mail Spool | |||||||
low | ns | Configure iptables to Allow Access to the Mail Server |
To configure | The default Iptables configuration does not allow inbound access to the SMTP service. This modification allows that access, while keeping other ports on the server in their default protected state. | Arthritis | Diligence | |
low | ns | Verify System Logging and Log Permissions for Mail | Edit the file | Lice | Temperance | ||
Configure SSL Certificates for Use with SMTP AUTHIf SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another, though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing an SSL certificate are independent of the MTA in use, and are described here. | |||||||
Create an SSL CertificateChange into the CA certificate directory: | |||||||
low | ns | Install the SSL Certificate | Create the PKI directory for mail certificates, if it does not already exist:
| Acne | Charity | ||
Configure Postfix if NecessaryPostfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. Other files will be introduced as needed. | |||||||
low | ns | Limit Denial of Service Attacks | Edit | These configuration options serve to make it more difficult for attackers to consume resources on the MTA host.
The | Anemia | Humility | NIST SP800-53 SC-5 |
medium | ns | Configure SMTP Greeting Banner | Edit | The default greeting banner discloses that the listening mail process is Postfix. When remote mail senders connect to the MTA on port 25, they are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary, but it frequently gives away too much information, including the MTA software which is in use, and sometimes also its version number. Remote mail senders do not need this information in order to send mail, so the banner should be changed to reveal only the hostname (which is already known and may be useful) and the word ESMTP, to indicate that the modern SMTP protocol variant is supported. | Muscle Aches | Kindness | |
Control Mail RelayingPostfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on the SMTP dialogue once the sender and recipient envelope addresses are known. The guidance in the following sections should be applied to all machines. If there are machines which must be allowed to relay mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with SSL support. | |||||||
low | ns | Configure Trusted Networks and Hosts | Edit | The | Diabetes | Humility | |
low | ns | Allow Unlimited Relaying for Trusted Networks Only | Edit | The full contents of | Burns | Diligence | NIST SP800-53 SI-8 |
low | ns | Require SMTP AUTH Before Relaying from Untrusted Clients | SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses an authentication library called SASL, which is not part of Postfix itself.
This section describes how to configure authentication using the Cyrus-SASL implementation. See below for a
discussion of other options.
| Postfix can use either the Cyrus library or Dovecot as a source for SASL authentication. If this host is running
Dovecot for some other reason, it is recommended that Dovecot's SASL support be used instead of running the
Cyrus code as well. See http://www.postfix.org/SASL_README.html for instructions on implementing that
configuration, which is not described in this guide.
| High Cholesterol | Kindness | |
low | ns | Require TLS for SMTP AUTH | Edit | These options tell Postfix to protect all SMTP AUTH transactions using TLS. The first four options describe
the locations of the necessary TLS key files.
The | Overall Wellness | Humility | |
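An added example (not code from the guide) serving both the "Disable Postfix Network Listening" row for submission-only hosts and the "Configure Postfix if Necessary" rows above (denial-of-service limits, greeting banner, relay controls, TLS for SMTP AUTH). It reads main.cf the way Postfix does, where the last definition of a parameter wins and an indented line continues the previous value, and then checks the settings the rows describe. The resource-limit values in the hardened sample are assumed starting points rather than figures from this page, the certificate paths are placeholders, and Postfix's compiled-in defaults are not consulted, so a parameter absent from the file reads as empty.

```shell
#!/bin/bash
# Added example for the Postfix rows; not code from the guide.
# postconf_get mimics "postconf -n" on a main.cf text: last definition wins,
# indented lines continue the previous value. $variables are not expanded.

# Resource-limit parameters the "Limit Denial of Service Attacks" row expects.
DOS_PARAMS="default_process_limit smtpd_client_connection_count_limit \
smtpd_client_connection_rate_limit queue_minfree header_size_limit \
message_size_limit smtpd_recipient_limit"

# postconf_get FILE PARAM: the effective value of PARAM, or nothing.
postconf_get() {
    awk -v p="$2" '
        /^#/ { next }
        /^[[:space:]]+[^[:space:]]/ { if (cur == p) val = val " " $0; next }   # continuation
        /^[A-Za-z0-9_]+[[:space:]]*=/ {
            cur = $0; sub(/[[:space:]]*=.*/, "", cur)                        # parameter name
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)                         # its value
            if (cur == p) val = v                                             # last one wins
            next
        }
        { cur = "" }
        END { gsub(/[[:space:]]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# postfix_audit FILE ROLE: ROLE is "client" (submission-only host) or "mta".
# Prints a FAIL line per deviation; returns 0 only if clean.
postfix_audit() {
    f=$1 role=$2 rc=0
    if [ "$role" = client ]; then
        [ "$(postconf_get "$f" inet_interfaces)" = localhost ] ||
            { echo "FAIL inet_interfaces: a submission-only host must listen on localhost only"; rc=1; }
        return $rc
    fi
    [ "$(postconf_get "$f" smtpd_banner)" = '$myhostname ESMTP' ] ||
        { echo "FAIL smtpd_banner: reveals more than the hostname and ESMTP"; rc=1; }
    # Relay control: reject_unauth_destination must be present and no bare
    # "permit" may precede it, otherwise the host is an open relay.
    seen=0 open=0
    for tok in $(postconf_get "$f" smtpd_recipient_restrictions | tr ',' ' '); do
        case $tok in
            reject_unauth_destination) seen=1 ;;
            permit) [ $seen -eq 1 ] || open=1 ;;
        esac
    done
    [ $seen -eq 1 ] && [ $open -eq 0 ] ||
        { echo "FAIL smtpd_recipient_restrictions: open relay (reject_unauth_destination missing or after a bare permit)"; rc=1; }
    case " $(postconf_get "$f" mynetworks | tr ',' ' ') " in
        *" 0.0.0.0/0 "*) echo "FAIL mynetworks: 0.0.0.0/0 makes permit_mynetworks an open relay"; rc=1 ;;
    esac
    for p in $DOS_PARAMS; do
        [ -n "$(postconf_get "$f" "$p")" ] || { echo "FAIL $p: not set"; rc=1; }
    done
    if [ "$(postconf_get "$f" smtpd_sasl_auth_enable)" = yes ]; then
        [ "$(postconf_get "$f" smtpd_tls_auth_only)" = yes ] ||
            { echo "FAIL smtpd_tls_auth_only: SMTP AUTH is offered without requiring TLS"; rc=1; }
        for p in smtpd_tls_cert_file smtpd_tls_key_file; do
            [ -n "$(postconf_get "$f" "$p")" ] || { echo "FAIL $p: not set"; rc=1; }
        done
    fi
    return $rc
}

# Constructed sample files (not real system configs).
WEAK_MAIN=$(mktemp) GOOD_MAIN=$(mktemp) CLIENT_MAIN=$(mktemp)
trap 'rm -f "$WEAK_MAIN" "$GOOD_MAIN" "$CLIENT_MAIN"' EXIT
cat >"$WEAK_MAIN" <<'EOF'
# The verbose banner further down overrides the good one above it
smtpd_banner = $myhostname ESMTP
mynetworks = 127.0.0.0/8,
    0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    permit,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
message_size_limit = 10485760
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
EOF
cat >"$GOOD_MAIN" <<'EOF'
inet_interfaces = all
smtpd_banner = $myhostname ESMTP
mynetworks = 127.0.0.0/8, 10.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
EOF
printf 'inet_interfaces = localhost\n' >"$CLIENT_MAIN"

report() {   # report FILE ROLE
    if postfix_audit "$1" "$2"; then echo "OK: $1 ($2)"; else echo "$1 ($2): see FAIL lines above"; fi
}
report "$WEAK_MAIN" mta; report "$GOOD_MAIN" mta; report "$CLIENT_MAIN" client
```

On a live host, prefer `postconf -n` as the input, since it already applies the last-wins rule and shows what the running daemon reads; the parser here exists so the check can run on a copied file without Postfix installed.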
LDAPLDAP is a popular directory service, that is, a standardized way of looking up information from a central database. It is relatively simple to configure a RHEL6 machine to obtain authentication information from an LDAP server. If your network uses LDAP for authentication, be sure to configure both clients and servers securely. | |||||||
Configure OpenLDAP ClientsThis guide recommends configuring OpenLDAP clients by manually editing the appropriate configuration files. RHEL6 provides an automated configuration tool called authconfig and a graphical wrapper for authconfig called | |||||||
medium | CCE-26690-8 | Configure LDAP to Use TLS For All Transactions | Configure LDAP to enforce TLS use. First, edit the file
| The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. | Bloody Nose | Charity | NIST SP800-53 CM-7 DISA CCI 776, 778, 1453 |
medium | CCE-27189-0 | Configure Certificate Directives for LDAP Use of TLS | Ensure a copy of the site's CA certificate has been placed in
the file | The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. | Sty | Charity | NIST SP800-53 CM-7 DISA CCI 776, 778, 1453 |
Configure OpenLDAP ServerThis section contains guidance on how to configure an OpenLDAP server to securely provide information for use in a centralized authentication service. This is not a comprehensive guide to maintaining an OpenLDAP server, but may be helpful in securing an OpenLDAP infrastructure nonetheless. | |||||||
low | CCE-26858-1 | Uninstall openldap-servers Package | The | Unnecessary packages should not be installed to decrease the attack surface of the system. | Parkinson's Disease | Kindness | NIST SP800-53 CM-7 DISA CCI 366 |
low | CCE-27191-6 | Configure Domain-Specific Parameters | The | Hiccups | Temperance | ||
low | ns | LDAP Configuration File Security | Is this system an OpenLDAP server? If so,
ensure that the configuration files are protected from unauthorized
access or modification.
| Sunburn Skin | Chastity | ||
low | ns | Configure LDAP Root Password | Is this system an OpenLDAP server? If so,
ensure that the RootDN uses a secure password.
| Stress | Patience | NIST SP800-53 IA-2 | |
low | CCE-27082-7 | Protect LDAP Certificate Files | Create the PKI directory for LDAP certificates if it does not already exist:
| Poison Sumac | Humility | ||
Create Top-level LDAP Structure for DomainCreate a structure for the domain itself with at least the following attributes: | NIST SP800-53 AC-2 | ||||||
Create LDAP Structures for Users and GroupsCreate LDAP structures for people (users) and for groups with at least the following attributes: | |||||||
Create Unix AccountsFor each Unix user, create an LDAP entry with at least the following attributes (others may be appropriate for your site as well), using variable values appropriate to that user: | |||||||
Create Unix GroupsFor each Unix group, create an LDAP entry with at least the following attributes: | |||||||
Create Groups to Administer LDAPIf a group of LDAP administrators is desired, that group must be created somewhat differently. The specification should have these attributes: | |||||||
low | ns | Configure slapd to Protect Authentication Information | Use ldapmodify to add these entries to the database. Add or correct the following access specifications:
1. Protect the user's password by allowing the user himself or the LDAP administrators to change it,
allowing the anonymous user to authenticate against it, and allowing no other access:
| Canker Sores | Temperance | ||
low | CCE-27125-4 | Correct Permissions on LDAP Server Files | Correct the permissions on the ldap server's files.
| Bruising | Temperance | ||
low | ns | Configure iptables to Allow Access to the LDAP Server | Determine an appropriate network block representing the machines on
your network which will synchronize to this server:
To configure | Muscle Soreness | Temperance | ||
low | ns | Configure Logging for LDAP | Black Eye | Temperance | |||
NFS and RPCThe Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NFS and its dependencies, and then details steps which should be taken to secure NFS's configuration. This section is relevant to machines operating as NFS clients, as well as to those operating as NFS servers. | |||||||
Disable All NFS Services if PossibleIf there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS. | |||||||
Disable Services Used Only by NFSIf NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. | |||||||
low | CCE-27104-9 | Disable Network File System Lock Service (nfslock) | The Network File System Lock (nfslock) service starts the required
remote procedure call (RPC) processes which allow clients to lock files on the
server. If the local machine is not configured to mount NFS filesystems then
this service should be disabled.
The | Sunburn Skin | Chastity | ||
low | CCE-26864-9 | Disable Secure RPC Client Service (rpcgssd) |
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client-side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled.
The | Bruising | Chastity | ||
low | CCE-26870-6 | Disable RPC ID Mapping Service (rpcidmapd) | The rpcidmapd service is used to map user names and groups to UID
and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
this service should be disabled.
The | Headache | Patience | ||
Disable netfs if PossibleTo determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: | |||||||
low | CCE-27137-9 | Disable Network File Systems (netfs) | The netfs script manages the boot-time mounting of several types
of networked filesystems, of which NFS and Samba are the most common. If these
filesystem types are not in use, the script can be disabled, protecting the
system somewhat against accidental or malicious changes to | Gallstones | Chastity | ||
Disable RPC Bind Service if PossibleIf: | |||||||
low | CCE-TODO | Disable RPC Bind Service (rpcbind) | The rpcbind service is responsible for mapping RPC services to the
TCP ports that they listen on. The rpcbind service also directs RPC clients to
the proper port number that corresponds to the service the client wants to
communicate with. Unless RPC services are needed on the local system it is
recommended to disable this service.
The | Muscle Cramping | Chastity | ||
Configure All Machines which Use NFSThe steps in this section are appropriate for all machines which run NFS, whether they operate as clients or as servers. | |||||||
Make Each Machine a Client or a Server, not BothIf NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary security exposure. Due to the reliability and security problems caused by NFS (especially NFSv2 and NFSv3), it is not a good idea for machines which act as NFS servers to also mount filesystems via NFS. At the least, crossed mounts (the situation in which each of two servers mounts a filesystem from the other) should never be used. | |||||||
Restrict Access to rpcbindWhen using NFSv2 or NFSv3 which require | |||||||
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be accessible from outside the organization. However, by default for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port dynamically at service startup time. Dynamic ports cannot be protected by port filtering firewalls such as iptables. | |||||||
low | CCE-27149-4 | Configure lockd to use static TCP port | Configure the | Restrict service to always use a given port, so that firewalling can be done effectively. | Fever | Diligence | |
low | CCE-27063-7 | Configure lockd to use static UDP port | Configure the | Restrict service to always use a given port, so that firewalling can be done effectively. | Halitosis | Charity | |
low | CCE-26889-6 | Configure statd to use static port | Configure the | Restrict service to always use a given port, so that firewalling can be done effectively. | Cold Sore | Humility | |
low | CCE-27114-8 | Configure mountd to use static port | Configure the | Restrict service to always use a given port, so that firewalling can be done effectively. | Lice | Temperance | |
Configure NFS ClientsThe steps in this section are appropriate for machines which operate as NFS clients. | |||||||
Disable NFS Server DaemonsThere is no need to run the NFS server daemons | |||||||
low | CCE-27199-9 | Disable Network File System (nfs) | The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local machine. If the local machine
is not designated as a NFS server then this service should be disabled.
The | Unnecessary services should be disabled to decrease the attack surface of the system. | Alzheimer’s Disease | Diligence | |
low | CCE-27122-1 | Disable Secure RPC Server Service (rpcsvcgssd) | The rpcsvcgssd service manages RPCSEC GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server-side of RPCSEC GSS. If the system does not require secure
RPC then this service should be disabled.
The | Unnecessary services should be disabled to decrease the attack surface of the system. | Spina Bifida | Kindness | |
Mount Remote Filesystems with Restrictive OptionsEdit the file | |||||||
medium | CCE-27090-0 | Mount Remote Filesystems with nodev |
Add the | Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. | Diaper Rash | Humility | |
medium | CCE-26972-0 | Mount Remote Filesystems with nosuid |
Add the | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. | Alzheimer’s Disease | Diligence | |
Configure NFS ServersThe steps in this section are appropriate for machines which operate as NFS servers. | |||||||
Configure the Exports File RestrictivelyLinux's NFS implementation uses the file | |||||||
Use Access Lists to Enforce Authorization RestrictionsWhen configuring NFS exports, ensure that each export line in | |||||||
Export Filesystems Read-Only if PossibleIf a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exporting the filesystem read-only removes an attack vector against the server. The default filesystem export mode is | |||||||
Specify UID and GID for Anonymous ConnectionsWhen an NFS server is configured to deny remote | |||||||
low | CCE-27138-7 | Use Root-Squashing on All Exports | If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, and should not be disabled. | If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system. | Carpal Tunnel Syndrome | Patience | |
low | CCE-27121-3 | Restrict NFS Clients to Privileged Ports | By default, Linux's NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over machines connected to its network, and if NFS requests are prohibited at the border firewall, this offers some protection against malicious requests from unprivileged users. Therefore, the default should not be changed. | Allowing client requests to be made from ports higher than 1024 could allow an unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server. | Poison Ivy | Charity | |
medium | CCE-27167-6 | Ensure Insecure File Locking is Not Allowed | By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests; however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the | Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user. | Diabetes | Patience | DISA CCI 764 |
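As an added example (not part of the guide), a shell audit of /etc/exports that covers the server-side rows above together with the access-list advice earlier in this section: it reports `no_root_squash`, `insecure` (client ports above 1023 accepted), `insecure_locks` / `no_auth_nlm`, and exports that carry no access list at all. The function name and the sample exports file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the guide): audit an /etc/exports file for the
# options this section warns about. The sample exports file is constructed.

# check_exports EXPORTS
# For every client entry, reports no_root_squash, insecure, insecure_locks /
# no_auth_nlm, and exports with no access list ('*' or a bare option group).
# Returns 1 if anything was reported.
check_exports() {
    findings=0
    set -f                       # keep '*' client wildcards from globbing
    while read -r path clients; do
        case "$path" in ''|\#*) continue ;; esac
        for entry in $clients; do
            host="${entry%%\(*}"             # text before '('
            if [ "$entry" = "${entry#*\(}" ]; then
                opts=""                      # entry has no option group
            else
                opts="${entry#*\(}"; opts="${opts%\)}"
            fi
            [ -z "$host" ] && host="(all hosts)"
            for bad in no_root_squash insecure insecure_locks no_auth_nlm; do
                case ",$opts," in
                    *",$bad,"*) echo "$path -> $host: $bad"; findings=$((findings + 1)) ;;
                esac
            done
            case "$host" in
                '*'|'(all hosts)')
                    echo "$path -> $host: exported without an access list"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$1"
    set +f
    [ "$findings" -eq 0 ]
}

# Demo on a constructed exports file (not a real system file)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample /etc/exports
/export/home     192.168.10.0/24(ro,sync,root_squash,secure)
/export/scratch  *(rw,no_root_squash)
/export/legacy   app1.example.com(rw,insecure,insecure_locks)
EOF
if check_exports "$sample"; then
    echo "exports file is restrictive"
else
    echo "tighten the entries above, then run exportfs -ra"
fi
rm -f "$sample"
```

Because `root_squash` and `secure` are the defaults, an entry that names neither is still fine; the audit only looks for the options that turn those defaults off, plus the missing access list.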
DNS ServerMost organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any system on which it is not needed. | |||||||
Disable DNS ServerDNS software should be disabled on any machine which does not need to be a nameserver. Note that the BIND DNS server software is not installed on RHEL6 by default. The remainder of this section discusses secure configuration of machines which must be nameservers. | |||||||
low | CCE-26873-0 | Disable DNS Server | The | All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. | Diabetes | Chastity | NIST SP800-53 CM-7 DISA CCI 366 |
low | CCE-27030-6 | Uninstall bind Package | To remove the | If there is no need to make DNS server software available, removing it provides a safeguard against its activation. | Seasonal Affective Disorder | Kindness | NIST SP800-53 CM-7 DISA CCI 366 |
Isolate DNS from Other ServicesThis section discusses mechanisms for preventing the DNS server from interfering with other services. This is done both to protect the remainder of the network should a nameserver be compromised, and to make direct attacks on nameservers more difficult. | |||||||
Run DNS Software on Dedicated ServersSince DNS is a high-risk service which must frequently be made available to the entire Internet, it is strongly recommended that no other services be offered by machines which act as organizational DNS servers. | |||||||
low | CCE-26957-1 | Run DNS Software in a chroot Jail | Install the | Chroot jails are not foolproof. However, they serve to make it more difficult for a compromised program to be used to attack the entire host. They do this by restricting a program's ability to traverse the directory upward, so that files outside the jail are not visible to the chrooted process. Since RHEL supports a standard mechanism for placing BIND in a chroot jail, you should take advantage of this feature. | Poison Ivy | Patience | NIST SP800-53 CM-7 |
Configure Firewalls to Protect the DNS ServerBy default, | NIST SP800-53 CM-7 | ||||||
Protect DNS Data from Tampering or AttackThis section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data. | |||||||
Run Separate DNS Servers for External and Internal QueriesIs it possible to run external and internal nameservers on separate machines? If so, follow the configuration guidance in this section. On the external nameserver, edit | |||||||
Use Views to Partition External and Internal InformationIf it is not possible to run external and internal nameservers on separate physical machines, run BIND9 and simulate this feature using views. Edit | |||||||
low | ns | Disable Zone Transfers from the Nameserver | Is it necessary for a secondary nameserver to receive zone data via zone transfer from the primary server? If not, follow the instructions in this section. If so, see the next section for instructions on protecting zone transfers. Add or correct the following directive within | If both the primary and secondary nameserver are under your control, or if you have only one nameserver, it may be possible to use an external configuration management mechanism to distribute zone updates. In that case, it is not necessary to allow zone transfers within BIND itself, so they should be disabled to avoid the potential for abuse. | Parkinson's Disease | Charity | NIST SP800-53 CM-7 |
low | ns | Authenticate Zone Transfers | If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory: | The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort. | Red Eyes | Charity | NIST SP800-53 CM-7 |
low | CCE-27105-6 | Disable Dynamic Updates | Is there a mission-critical reason to enable the risky dynamic update functionality? If not, edit | Dynamic updates allow remote servers to add, delete, or modify any entries in your zone file. Therefore, they should be considered highly risky, and disabled unless there is a very good reason for their use. If dynamic updates must be allowed, IP-based ACLs are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see the previous section for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed. | Spina Bifida | Temperance | |
FTP ServerFTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured and that the session is vulnerable to hijacking. Therefore, running the FTP server software is not recommended. | |||||||
Disable vsftpd if Possible | |||||||
low | CCE-26948-0 | Disable vsftpd Service | The | Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information. | Motion Sickness | Chastity | NIST SP800-53 CM-7 DISA CCI 1436 |
low | CCE-26687-4 | Uninstall vsftpd Package | The | Removing the vsftpd package decreases the risk of its accidental activation. | Bedwetting | Temperance | NIST SP800-53 CM-7 DISA CCI 1436 |
Use vsftpd to Provide FTP Service if Necessary | |||||||
low | CCE-27187-4 | Install vsftpd Package | If this machine must operate as an FTP server, install the | After RHEL 2.1, Red Hat switched from distributing wu-ftpd with RHEL to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended. | Cold Sore | Chastity | NIST SP800-53 CM-7 |
Use vsftpd to Provide FTP Service if NecessaryThe primary vsftpd configuration file is | |||||||
low | CCE-27142-9 | Enable Logging of All FTP Transactions | Add or correct the following configuration options within the | To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is | Motion Sickness | Chastity | |
medium | CCE-27145-2 | Create Warning Banners for All FTP Users | Edit the vsftpd configuration file, which resides at | This setting will cause the system greeting banner to be used for FTP connections as well. | Diabetes | Humility | DISA CCI 48 |
Restrict the Set of Users Allowed to Access FTPThis section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an identified need for this access. | |||||||
low | CCE-27115-5 | Restrict Access to Anonymous Users if Possible | Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option: | The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. | Arthritis | Humility | |
Limit Users Allowed FTP Access if NecessaryIf there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options: | |||||||
low | CCE-27117-1 | Disable FTP Uploads if Possible | Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options: | Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory. | Hiccups | Temperance | |
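As an added example (not part of the guide), a shell check of a vsftpd.conf against the settings the rows from "Enable Logging of All FTP Transactions" to "Disable FTP Uploads if Possible" ask for. The settings cells in this table are truncated, so the option names used here (`xferlog_enable`, `xferlog_std_format`, `log_ftp_protocol`, `banner_file`, `local_enable`, `write_enable`, `anon_upload_enable`, `anon_mkdir_write_enable`) are taken from vsftpd.conf(5) and are this example's assumption about which options the rows refer to. The function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): compare a vsftpd.conf with the hardened
# values for logging, banner, password logins and uploads. The option names are
# from vsftpd.conf(5); the sample configuration file below is constructed.

# vsftpd_get FILE KEY: effective value of KEY (last uncommented KEY=value wins)
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# check_vsftpd FILE: print each deviation from the expected values; return 1 if any
check_vsftpd() {
    f="$1"; findings=0
    for want in xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES \
                banner_file=/etc/issue local_enable=NO write_enable=NO \
                anon_upload_enable=NO anon_mkdir_write_enable=NO; do
        key="${want%%=*}"; exp="${want#*=}"
        got=$(vsftpd_get "$f" "$key")
        if [ "$got" != "$exp" ]; then
            echo "$key: expected '$exp', found '${got:-<unset>}'"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Demo on a constructed vsftpd.conf (not a real system file)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
#log_ftp_protocol=YES
banner_file=/etc/issue
EOF
if check_vsftpd "$sample"; then
    echo "vsftpd.conf matches the hardened values"
else
    echo "correct the options above and restart vsftpd"
fi
rm -f "$sample"
```

The check insists on explicit settings, as the rows do ("add or correct"), even where vsftpd's compiled-in default would already be the safe value; that keeps the file self-documenting and robust to a change of defaults between package versions.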
low | ns | Place the FTP Home Directory on its Own Partition | By default, the anonymous FTP root is the home directory of the ftp user account. The df command can be used to verify that this directory is on its own partition. | If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services. | Motion Sickness | Temperance | |
Configure Firewalls to Protect the FTP ServerBy default, | |||||||
Web ServerThe web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: | |||||||
Disable Apache if PossibleIf Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system. | |||||||
low | CCE-27075-1 | Disable httpd Service | The | Running web server software provides a network-based avenue of attack, and should be disabled if not needed. | Motion Sickness | Diligence | NIST SP800-53 CM-7 |
low | CCE-27133-8 | Uninstall httpd Package | The | If there is no need to make the web server software available, removing it provides a safeguard against its activation. | Spina Bifida | Humility | NIST SP800-53 CM-7 |
Install Apache if NecessaryIf | |||||||
Confirm Minimal Built-in Modules InstalledThe default | |||||||
Secure Apache ConfigurationThe | |||||||
Restrict Web Server Information LeakageThe | |||||||
low | ns | Set httpd ServerTokens Directive to Prod | Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. | Ingrown Toenails | Patience | NIST SP800-53 CM-7 | |
low | ns | Set httpd ServerSignature Directive to Off | Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. | Psoriasis | Temperance | NIST SP800-53 CM-7 | |
Minimize Web Server Loadable ModulesA default installation of | |||||||
httpd Core ModulesThese modules comprise a basic subset of modules that are likely needed for base | |||||||
Minimize Modules for HTTP Basic AuthenticationThe following modules are necessary if this web server will provide content that will be restricted by a password. | |||||||
low | ns | Disable HTTP Digest Authentication | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Constipation | Patience | |
low | ns | Disable HTTP mod_rewrite | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Insomnia | Chastity | |
low | ns | Disable LDAP Support | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Obesity | Charity | |
low | ns | Disable Server Side Includes | Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related module: | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Carpal Tunnel Syndrome | Diligence | |
low | ns | Disable MIME Magic | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Fever | Charity | |
low | ns | Disable WebDAV (Distributed Authoring and Versioning) | WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules: | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Pink Eye | Patience | |
low | ns | Disable Server Activity Status | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Hangover | Temperance | |
low | ns | Disable Web Server Configuration Display | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Poison Oak | Charity | |
low | ns | Disable URL Correction on Misspelled Entries | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Chapped Lips | Kindness | |
low | ns | Disable Proxy Support | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | The Common Cold | Patience | |
low | ns | Disable Cache Support | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Acne | Kindness | |
low | ns | Disable CGI Support | The | Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. | Stomach Ache | Patience | |
Minimize Various Optional ComponentsThe following modules perform very specific tasks, sometimes providing access to just a few additional directives. If such functionality is not required (or if you are not using these directives), comment out the associated module: | |||||||
Minimize Configuration Files IncludedThe | |||||||
Directory RestrictionsThe Directory tags in the web server configuration file allow finer grained access control for a specified directory. All web directories should be configured on a case-by-case basis, allowing access only where needed. | |||||||
low | ns | Restrict Root Directory | The | The Web Server's root directory content should be protected from unauthorized access by web clients. | Decongestion | Patience | |
low | ns | Restrict Web Directory | The default configuration for the web ( | Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access. | Ingrown Toenails | Kindness | |
low | ns | Restrict Other Critical Directories | All accessible web directories should be configured with similarly restrictive settings. The | Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information. | The Common Cold | Temperance | |
low | ns | Limit Available Methods | Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the implementation of all available methods, they should be disabled. | Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server. | Bad Breath | Diligence | |
Use Appropriate Modules to Improve httpd's SecurityAmong the modules available for | |||||||
Deploy mod_sslBecause HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be configured and enabled to encrypt content. | |||||||
low | ns | Install mod_ssl | Install the | Diabetes | Patience | ||
Deploy mod_securityThe | |||||||
low | ns | Install mod_security | Install the | Ingrown Toenails | Kindness | ||
Use Denial-of-Service Protection ModulesDenial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shaping modules can be used to address the problem. Well-known DoS protection modules include: | |||||||
Configure PHP SecurelyPHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when needed. | |||||||
Configure Operating System to Protect Web ServerThe following configuration steps should be taken on the machine which hosts the web server, in order to provide as safe an environment as possible for the web server. | |||||||
Restrict File and Directory AccessMinimize access to critical | |||||||
low | CCE-27150-2 | Set Permissions on the /var/log/httpd/ Directory | Ensure that the permissions on the web server log directory are set to 700: | Access to the web server's log files may allow an unauthorized user or attacker to access information about the web server or alter the server's log files. | Tooth Ache | Kindness | NIST SP800-53 CM-7 |
low | ns | Set Permissions on the /etc/httpd/conf/ Directory | Set permissions on the web server configuration directory to 750: | Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files. | Diabetes | Charity | |
low | ns | Set Permissions on All Configuration Files Inside /etc/httpd/conf/ | Set permissions on the web server configuration files to 640: | Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files. | Asthma | Chastity | NIST SP800-53 CM-7 |
Configure iptables to Allow Access to the Web ServerBy default, | |||||||
Run httpd in a chroot Jail if PracticalRunning | |||||||
IMAP and POP3 ServerDovecot provides IMAP and POP3 services. It is not installed by default. The project page at http://www.dovecot.org contains more detailed information about Dovecot configuration. | |||||||
Disable DovecotIf the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed. | |||||||
low | CCE-26922-5 | Disable Dovecot Service | The | Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. | Anemia | Diligence | |
low | CCE-27039-7 | Uninstall dovecot Package | The | If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. | Cuts | Patience | |
Configure Dovecot if NecessaryIf the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below. | |||||||
low | CCE-27097-5 | Support Only the Necessary Protocols | Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server to support only the protocols needed by your site. Edit | Configuring Dovecot to support only the protocols needed by your site reduces the risk of an attacker using one of the unused protocols as the basis of an attack. | Sprain | Diligence | |
Enable SSL SupportSSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot server in order to read their mail, and passwords should never be transmitted in clear text. In addition, protecting mail as it is downloaded is a privacy measure, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server. | |||||||
low | ns | Enable the SSL flag in /etc/dovecot.conf | To allow clients to make encrypted connections the | SSL encrypts network traffic between the Dovecot server and its clients, protecting user credentials and mail as it is downloaded; clients may also use SSL certificates to authenticate the server, preventing another system from impersonating it. | Headache | Chastity | |
low | ns | Configure Dovecot to Use the SSL Certificate file | This option tells Dovecot where to find the mail server's SSL Certificate. | SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. | Canker Sores | Diligence | |
low | ns | Configure Dovecot to Use the SSL Key file | This option tells Dovecot where to find the mail server's SSL Key. | SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. | Obesity | Chastity | |
low | CCE-27144-5 | Disable Plaintext Authentication | To prevent Dovecot from attempting plaintext authentication of clients, edit | Using plain text authentication to the mail server could allow an attacker access to credentials by monitoring network traffic. | Baldness | Temperance | |
Allow IMAP Clients to Access the ServerThe default iptables configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping all other ports on the server in their default protected state. To configure | |||||||
Samba (SMB) Microsoft Windows File Sharing ServerWhen properly configured, the Samba service allows Linux machines to provide file and print sharing to Microsoft Windows machines. There are two software packages that provide Samba support. The first, | |||||||
Disable Samba if PossibleEven after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing functionality. | |||||||
low | CCE-27143-7 | Disable Samba | The | Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed. | Poison Oak | Patience | DISA CCI 1436 |
Configure Samba if NecessaryAll settings for the Samba daemon can be found in | |||||||
low | ns | Disable Root Access | Administrators should not use administrator accounts to access Samba file and printer shares. Disable the root user and the wheel administrator group: | Typically, administrator access is required when Samba must create user and machine accounts and shares. Domain member servers and standalone servers may not need administrator access at all. If that is the case, add the invalid users parameter to [global] instead. | Bedwetting | Humility | |
low | ns | Disable Root Access | By default, Samba will attempt to negotiate with Microsoft Windows machines to set a common communication protocol. Newer versions of Microsoft Windows may require the use of NTLMv2. NTLMv2 is the preferred protocol for authentication, but since older machines do not support it, Samba has disabled it by default. Enable it with the following: | For the sake of backwards compatibility, most modern Windows machines will still allow other machines to communicate with them over weak protocols such as LANMAN. On Samba, by enabling NTLMv2, you are also disabling LANMAN and NTLMv1. If NTLMv1 is required, it is still possible to individually disable LANMAN. | Stress | Temperance | |
Let Domain Controllers Create Machine Trust Accounts On-the-FlyAdd or correct an add machine script entry to the | |||||||
Restrict Access to the [IPC$] ShareLimit access to the | |||||||
Restrict File SharingOnly users with local user accounts will be able to log in to Samba shares by default. Shares can be limited to particular users or network addresses. Use the | |||||||
low | CCE-26328-5 | Require Client SMB Packet Signing, if using smbclient | To require samba clients running | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. | Hiccups | Kindness | |
low | CCE-26792-2 | Require Client SMB Packet Signing, if using mount.cifs | Require packet signing of clients who mount Samba shares using the | Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit. | Seasonal Affective Disorder | Chastity | |
Restrict Printer SharingBy default, Samba utilizes the CUPS printing service to enable printer sharing with Microsoft Windows workstations. If there are no printers on the local machine, or if printer sharing with Microsoft Windows is not required, disable the printer sharing capability by commenting out the following lines, found in | |||||||
Proxy ServerA proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the machine acting as a proxy server should be dedicated to that purpose alone and be stored in a physically secure location. The system's default proxy server software is Squid, and it is provided in an RPM package of the same name. | |||||||
Disable Squid if PossibleIf Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed. | |||||||
low | CCE-27146-0 | Disable Squid | The | Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. | Migraine | Kindness | |
low | CCE-26977-9 | Uninstall squid Package | The | If there is no need to make the proxy server software available, removing it provides a safeguard against its activation. | Red Eyes | Humility | |
SNMP ServerThe Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintext transmission of the community string (used for authentication) and usage of easily-guessable choices for the community string. | |||||||
Disable SNMP Server if PossibleThe system includes an SNMP daemon that allows for its remote monitoring, though it is not installed by default. If it was installed and activated, the software should be disabled and removed. | |||||||
low | CCE-26906-8 | Disable snmpd Service | The | Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed. | Bedwetting | Kindness | |
low | CCE-26332-7 | Uninstall net-snmp Package | The | If there is no need to run SNMP server software, removing the package provides a safeguard against its activation. | Sunburn Skin | Chastity | |
Configure SNMP Server if NecessaryIf it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here so only the following general configuration advice can be offered: | |||||||
medium | ns | Configure SNMP Service to Use Only SNMPv3 or Newer | Edit | Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. | Cramps | Temperance | |
medium | ns | Ensure Default Password Is Not Used | Edit | Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system. | Spina Bifida | Chastity | |
Documentation to Support DISA OS SRG MappingThese groups exist to document how the Red Hat Enterprise Linux product meets (or does not meet) requirements listed in the DISA OS SRG, for those cases where Groups or Rules elsewhere in scap-security-guide do not clearly relate. | |||||||
low | ns | Product Meets this Requirement | This requirement is a permanent not a finding. No fix is required. | Red Hat Enterprise Linux meets this requirement through design and implementation. | Red Eyes | Temperance | DISA CCI 42, 56, 206, 1084, 66, 85, 86, 185, 223, 171, 172, 1694, 770, 804, 162, 163, 164, 345, 346, 1096, 1111, 1291, 386, 156, 186, 1083, 1082, 1090, 804, 1127, 1128, 1129, 1248, 1265, 1314, 1362, 1368, 1310, 1311, 1328, 1399, 1400, 1427, 1499, 1632, 1693, 1665, 1674 |
low | ns | Product Meets this Requirement | This requirement is a permanent not a finding. No fix is required. | The Red Hat Enterprise Linux audit system meets this requirement through design and implementation. | Burns | Humility | DISA CCI 130, 157, 131, 132, 133, 134, 135, 159, 174 |
low | ns | Product Meets this Requirement | This requirement is a permanent not a finding. No fix is required. | Red Hat Enterprise Linux meets this requirement through design and implementation. | Rheumatoid Arthritis | Chastity | DISA CCI 34, 35, 99, 154, 226, 802, 872, 1086, 1087, 1089, 1091, 1424, 1426, 1428, 1209, 1214, 1237, 1269, 1338, 1425, 1670 |
low | ns | Guidance Does Not Meet this Requirement Due to Impracticality or Scope | This requirement is NA. No fix is required. | The guidance does not meet this requirement. The requirement is impractical or out of scope. | Upset Stomach | Kindness | DISA CCI 21, 25, 28, 29, 30, 165, 221, 354, 553, 779, 780, 781, 1009, 1094, 1123, 1124, 1125, 1132, 1135, 1140, 1141, 1142, 1143, 1145, 1147, 1148, 1166, 1295, 1340, 1341, 1350, 1356, 1373, 1374, 1383, 1391, 1392, 1395, 1662 |
low | ns | Implementation of the Requirement is Not Supported | This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed. | RHEL6 does not support this requirement. | Diabetes | Patience | DISA CCI 20, 31, 52, 53, 144, 218, 219, 1158, 1294, 1295, 1500 |
low | ns | Guidance Does Not Meet this Requirement Due to Impracticality or Scope | This requirement is NA. No fix is required. | The guidance does not meet this requirement. The requirement is impractical or out of scope. | Headache | Diligence | DISA CCI 15, 27, 371, 372, 535, 537, 539, 1682, 370, 37, 24, 1112, 1126, 1143, 1149, 1157, 1159, 1210, 1211, 1274, 1372, 1376, 1377, 1352, 1401, 1555, 1556, 1150 |
low | ns | A process for prompt installation of OS updates must exist. | Procedures to promptly apply software updates must be established and executed. The Red Hat operating system provides support for automating such a process, by running the yum program through a cron job or by managing the system and its packages through the Red Hat Network or a Satellite Server. | This is a manual inquiry about update procedure. | Pain | Charity | DISA CCI 1232 |