
/usr/share/openscap/scap-rhel6-xccdf.xml is in libopenscap8 1.0.2-1.

This file is owned by root:root, with mode 0o644.


<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0" xml:lang="en-US">
  <status date="2011-10-12">draft</status>
  <title xml:lang="en-US">Example of SCAP Security Guidance</title>
  <description xml:lang="en-US">This example security guidance has been created to demonstrate SCAP functionality
on Linux.</description>
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <version>0.2</version>
  <model system="urn:xccdf:scoring:default"/>
  <model system="urn:xccdf:scoring:flat"/>
  <Profile id="RHEL6-Default">
    <title xml:lang="en-US">Default install settings</title>
    <description xml:lang="en-US">This profile is an example policy that simply checks whether some RHEL6 default
install settings have been modified. It is not comprehensive and does not check security hardening: a passing rule
only means the stock default is still in place, not that the setting is secure. It is intended for testing purposes
only and should not be used as a compliance or hardening baseline.</description>
    <!-- Rule selection for profile RHEL6-Default. Each <select selected="true"/> turns on one Rule; each
         <refine-value/> pins the selector of the Value that the following same-numbered Rule is checked
         against. The Rule and Value definitions (rule-NNNN / var-NNNN) live further down the Benchmark,
         outside this element, so what a selector actually means can only be confirmed there.
         Nothing in this profile deselects a rule: rules absent from this list (e.g. rule-1006, rule-1009,
         rule-1030) keep whatever 'selected' their own definition carries (the XCCDF default is selected),
         so "not listed" is not the same as "excluded"; confirm against the Rule definitions. -->
    <select idref="rule-1005" selected="true"/>
    <select idref="rule-1007" selected="true"/>
    <select idref="rule-1008" selected="true"/>
    <select idref="rule-1010" selected="true"/>
    <select idref="rule-1011" selected="true"/>
    <select idref="rule-1012" selected="true"/>
    <select idref="rule-1013" selected="true"/>
    <select idref="rule-1014" selected="true"/>
    <select idref="rule-1015" selected="true"/>
    <select idref="rule-1016" selected="true"/>
    <select idref="rule-1017" selected="true"/>
    <select idref="rule-1018" selected="true"/>
    <select idref="rule-1019" selected="true"/>
    <select idref="rule-1020" selected="true"/>
    <select idref="rule-1021" selected="true"/>
    <select idref="rule-1022" selected="true"/>
    <select idref="rule-1023" selected="true"/> 
    <select idref="rule-1024" selected="true"/> 
    <select idref="rule-1025" selected="true"/> 
    <select idref="rule-1026" selected="true"/> 
    <select idref="rule-1027" selected="true"/> 
    <select idref="rule-1028" selected="true"/> 
    <!-- "022": the selector name reads like a umask value; confirm against var-1029's definition
         before drawing any conclusion from a pass or fail of rule-1029. -->
    <refine-value idref="var-1029" selector="022"/>
    <select idref="rule-1029" selected="true"/>
    <select idref="rule-1031" selected="true"/>
    <select idref="rule-1032" selected="true"/>
    <select idref="rule-1033" selected="true"/>
    <select idref="rule-1035" selected="true"/>
    <select idref="rule-1036" selected="true"/>
    <select idref="rule-1039" selected="true"/>
    <select idref="rule-1040" selected="true"/>
    <select idref="rule-1041" selected="true"/>
    <!-- "0_days" / "99999_days": selector names that look like a password minimum and maximum age.
         If that is what var-1042 / var-1043 define, these are the permissive stock values (no minimum
         age, effectively no expiry); a pass therefore means the default was left untouched, not that
         the setting is hardened. A hardening profile would refine these to stricter selectors.
         Confirm against the Value definitions, which are outside this element. -->
    <refine-value idref="var-1042" selector="0_days"/>
    <select idref="rule-1042" selected="true"/>
    <refine-value idref="var-1043" selector="99999_days"/>
    <select idref="rule-1043" selected="true"/>
    <select idref="rule-1044" selected="true"/>
    <select idref="rule-1045" selected="true"/>
    <select idref="rule-1055" selected="true"/>
    <select idref="rule-1056" selected="true"/>
    <!-- "002": again looks like a umask-style value; confirm against var-1059. -->
    <refine-value idref="var-1059" selector="002"/>
    <select idref="rule-1059" selected="true"/>
    <select idref="rule-1060" selected="true"/>
    <select idref="rule-1061" selected="true"/>
    <select idref="rule-1063" selected="true"/>
    <select idref="rule-1064" selected="true"/>
    <select idref="rule-1065" selected="true"/>
    <select idref="rule-1066" selected="true"/>
    <select idref="rule-1079" selected="true"/>
    <select idref="rule-1080" selected="true"/>
    <select idref="rule-1081" selected="true"/>
    <select idref="rule-1083" selected="true"/>
    <select idref="rule-1087" selected="true"/>
    <refine-value idref="var-1089" selector="enabled"/>
    <select idref="rule-1089" selected="true"/>
    <select idref="rule-1090" selected="true"/>
    <select idref="rule-1091" selected="true"/>
    <!-- NOTE(review): var-1088 is refined but no rule-1088 is selected in this profile, and this is the
         only refine-value here that is not immediately followed by its same-numbered rule. Presumably
         rule-1092 (or a rule not selected here) reads var-1088; verify against the Rule definitions,
         otherwise this line is dead configuration. -->
    <refine-value idref="var-1088" selector="enabled"/>
    <select idref="rule-1092" selected="true"/>
    <select idref="rule-1093" selected="true"/>
    <select idref="rule-1094" selected="true"/>
    <select idref="rule-1095" selected="true"/>
    <select idref="rule-1096" selected="true"/>
    <select idref="rule-1097" selected="true"/>
    <select idref="rule-1099" selected="true"/>
    <!-- "3", "yes", "1", "16": bare numeric / yes-no selectors whose meaning is fixed entirely by the
         Value definitions outside this element; nothing in the profile itself says what is checked. -->
    <refine-value idref="var-1103" selector="3"/>
    <select idref="rule-1103" selected="true"/>
    <refine-value idref="var-1104" selector="yes"/>
    <select idref="rule-1104" selected="true"/>
    <refine-value idref="var-1105" selector="yes"/>
    <select idref="rule-1105" selected="true"/>
    <refine-value idref="var-1106" selector="yes"/>
    <select idref="rule-1106" selected="true"/>
    <refine-value idref="var-1107" selector="yes"/>
    <select idref="rule-1107" selected="true"/>
    <refine-value idref="var-1108" selector="1"/>
    <select idref="rule-1108" selected="true"/>
    <refine-value idref="var-1109" selector="16"/>
    <select idref="rule-1109" selected="true"/>
    <select idref="rule-1111" selected="true"/>
    <select idref="rule-1112" selected="true"/>
    <select idref="rule-1120" selected="true"/>
    <select idref="rule-1121" selected="true"/>
    <select idref="rule-1122" selected="true"/>
    <select idref="rule-1125" selected="true"/>
    <select idref="rule-1126" selected="true"/>
    <select idref="rule-1127" selected="true"/>
  </Profile>
  <Group id="gr-intro" hidden="false">
    <title xml:lang="en-US">Introduction</title>
    <description xml:lang="en-US"> The purpose of this guide is to provide security
			configuration recommendations for the Red Hat Enterprise Linux (RHEL) 6 operating
			system. The guidance provided here is applicable to desktop systems. Recommended
			settings for the basic operating system are provided, as well as for many commonly-used
			services that the system can host in a network environment.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
			<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The guide is intended for system administrators. Readers are assumed to
			possess basic system administration skills for Unix-like systems, as well as some
			familiarity with Red Hat's documentation and administration conventions. Some
			instructions within this guide are complex. All directions should be followed completely
			and with understanding of their effects in order to avoid serious adverse effects on the
			system and its security. </description>
  </Group>
  <Group id="gr-principles" hidden="false">
    <title xml:lang="en-US">General Principles</title>
    <description xml:lang="en-US"> The following general principles motivate much of the
				advice in this guide and should also influence any configuration decisions that are
				not explicitly covered.</description>
    <Group id="gr-principles-1" hidden="false" weight="10.000000">
      <title xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title>
      <description xml:lang="en-US"> Data transmitted over a network, whether wired or
					wireless, is susceptible to passive monitoring. Whenever practical solutions for
					encrypting such data exist, they should be applied. Even if data is expected to
					be transmitted only over a local network, it should still be encrypted.
					Encrypting authentication data, such as passwords, is particularly important.
					Networks of RHEL machines can and should be configured so that no unencrypted
					authentication data is ever transmitted between machines.</description>
    </Group>
    <Group id="gr-principles-2" hidden="false">
      <title xml:lang="en-US">Minimize Software to Minimize Vulnerability</title>
      <description xml:lang="en-US"> The simplest way to avoid vulnerabilities in software
					is to avoid installing that software. On RHEL, the RPM Package Manager
					(originally Red Hat Package Manager, abbreviated RPM) allows detailed
					management of the set of software packages installed on a system. Installed
					software contributes to system vulnerability in several ways. Packages that
					include setuid programs may provide local attackers a potential path to
					privilege escalation. Packages that include network services may give this
					opportunity to network-based attackers. Packages that include programs which are
					predictably executed by local users (e.g. after graphical login) may provide
					opportunities for trojan horses or other attack code to be run undetected. The
					number of software packages installed on a system can almost always be
					significantly pruned to include only the software for which there is an
					environmental or operational need.</description>
    </Group>
    <Group id="gr-principles-3" hidden="false">
      <title xml:lang="en-US">Run Different Network Services on Separate Systems</title>
      <description xml:lang="en-US"> Whenever possible, a server should be dedicated to
					serving exactly one network service. This limits the number of other services
					that can be compromised in the event that an attacker is able to successfully
					exploit a software flaw in one network service.</description>
    </Group>
    <Group id="gr-principles-4" hidden="false">
      <title xml:lang="en-US">Configure Security Tools to Improve System Robustness</title>
      <description xml:lang="en-US"> Several tools exist which can be effectively used to
					improve a system's resistance to and detection of unknown attacks. These tools
					can improve robustness against attack at the cost of relatively little
					configuration effort. In particular, this guide recommends and discusses the use
					of Iptables for host-based firewalling, SELinux for protection against
					vulnerable services, and a logging and auditing infrastructure for detection of
					problems.</description>
    </Group>
    <Group id="gr-principles-5" hidden="false">
      <title xml:lang="en-US">Least Privilege</title>
      <description xml:lang="en-US"> Grant the least privilege necessary for user accounts
					and software to perform tasks. For example, do not allow users except those that
					need administrator access to use sudo. Another example is to limit logins on
					server systems to only those administrators who need to log into them in order
					to perform administration tasks. Using SELinux also follows the principle of
					least privilege: SELinux policy can confine software to perform only actions on
					the system that are specifically allowed. This can be far more restrictive than
					the actions permissible by the traditional Unix permissions model.</description>
    </Group>
  </Group>
  <Group id="gr-configuration" hidden="false">
    <title xml:lang="en-US">System-wide Configuration</title>
    <Group id="gr-software" hidden="false">
      <title xml:lang="en-US">Installing and Maintaining Software</title>
      <description xml:lang="en-US"> The following sections contain information on
				security-relevant choices during the initial operating system installation process
				and the setup of software updates.</description>
      <Group id="gr-installation" hidden="false">
        <title xml:lang="en-US">Initial Installation Recommendations</title>
        <description xml:lang="en-US"> The recommendations here apply to a clean
					installation of the system, where any previous installations are wiped out. The
					sections presented here are in the same order that the installer presents, but
					only installation choices with security implications are covered. Many of the
					configuration choices presented here can also be applied after the system is
					installed. The choices can also be automatically applied via Kickstart
					files.</description>
        <Group id="gr-installation-1" hidden="false">
          <title xml:lang="en-US">Disk Partitioning</title>
          <description xml:lang="en-US"> Some system directories should be placed on their
						own partitions (or logical volumes). This allows for better separation and
						protection of data. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The installer’s default partitioning scheme
						creates separate partitions (or logical volumes) for /, /boot, and swap.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>If starting with any of the default layouts, check the box to
								“Review and modify partitioning.” This allows for the easy creation
								of additional logical volumes inside the volume group already
								created, though it may require making /’s logical volume smaller to
								create space. In general, using logical volumes is preferable to
								using partitions because they can be more easily adjusted
								later.</xhtml:li>
							<xhtml:li>If creating a custom layout, create the partitions mentioned
								in the previous paragraph (which the installer will require anyway),
								as well as separate ones described in the following
								sections.</xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If a system has already been installed, and the default
						partitioning scheme was used, it is possible but nontrivial to modify it to
						create separate logical volumes for the directories listed above. The
						Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at
						http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM. </description>
          <Group id="gr-installation-1.1" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /tmp</title>
            <description xml:lang="en-US"> The /tmp directory is a world-writable
							directory used for temporary file storage. Ensure that it has its own
							partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because software may need to use /tmp to temporarily store
							large files, ensure that it is of adequate size. For a modern,
							general-purpose system, 10GB should be adequate. Smaller or larger sizes
							could be used, depending on the availability of space on the drive and
							the system’s operating requirements. </description>
            <Rule id="rule-1000" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /tmp has its own partition or logical volume</title>
              <description xml:lang="en-US">The /tmp directory is a world-writable
								directory used for temporary file storage. Ensure that it has its own
								partition or logical volume.</description>
              <ident system="http://cce.mitre.org">CCE-14161-4</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1000" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.2" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /var</title>
            <description xml:lang="en-US"> The /var directory is used by daemons and
							other system services to store frequently-changing data. It is not
							uncommon for the /var directory to contain world-writable directories,
							installed by other software packages. Ensure that /var has its own
							partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because the yum package manager and other software uses /var
							to temporarily store large files, ensure that it is of adequate size. For
							a modern, general-purpose system, 10GB should be adequate. </description>
            <Rule id="rule-1001" selected="false" weight="10.000000" severity="low">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /var has its own partition or logical volume</title>
              <description xml:lang="en-US">The /var directory is used by daemons and
								other system services to store frequently-changing data. It is not
								uncommon for the /var directory to contain world-writable
								directories, installed by other software packages. Ensure that /var
								has its own partition or logical volume.</description>
              <ident system="http://cce.mitre.org">CCE-14777-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1001" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.3" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /var/log</title>
            <description xml:lang="en-US"> System logs are stored in the /var/log
							directory. Ensure that it has its own partition or logical volume.
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> See 2.6 for more information about logging and
							auditing.</description>
            <Rule id="rule-1002" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /var/log has its own partition or logical volume</title>
              <description xml:lang="en-US"> System logs are stored in the /var/log
								directory. Ensure that it has its own partition or logical
								volume.</description>
              <ident system="http://cce.mitre.org">CCE-14011-1</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1002" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.4" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /var/log/audit</title>
            <description xml:lang="en-US"> Audit logs are stored in the /var/log/audit
							directory. Ensure that it has its own partition or logical volume. Make
							absolutely certain that it is large enough to store all audit logs that
							will be created by the auditing daemon.</description>
            <Rule id="rule-1003" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /var/log/audit has its own partition or logical volume</title>
              <description xml:lang="en-US"> Audit logs are stored in the
								/var/log/audit directory. Ensure that it has its own partition or
								logical volume. Make absolutely certain that it is large enough to
								store all audit logs that will be created by the auditing
								daemon.</description>
              <ident system="http://cce.mitre.org">CCE-14171-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1003" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-installation-1.5" hidden="false">
            <title xml:lang="en-US">Create Separate Partition or Logical Volume for /home if Using Local Home Directories</title>
            <description xml:lang="en-US"> If user home directories will be stored
							locally, create a separate partition for /home. If /home will be mounted
							from another system such as an NFS server, then creating a separate
							partition is not necessary at this time, and the mountpoint can instead
							be configured later.</description>
            <Rule id="rule-1004" selected="false" weight="10.000000" severity="low">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure that /home has its own partition or logical volume</title>
              <description xml:lang="en-US"> If user home directories will be stored
								locally, create a separate partition for /home. If /home will be
								mounted from another system such as an NFS server, then creating a
								separate partition is not necessary at this time, and the mountpoint
								can instead be configured later.</description>
              <ident system="http://cce.mitre.org">CCE-14559-9</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1004" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-installation-2" hidden="false">
          <title xml:lang="en-US">Boot Loader Configuration</title>
          <description xml:lang="en-US"> Check the box to "Use a boot loader password" and
						create a password. Once this password is set, anyone who wishes to change
						the boot loader configuration will need to enter it. Assigning a boot loader password 
						prevents a local user with physical access from altering the boot loader configuration 
						at system startup. </description>
        </Group>
        <Group id="gr-installation-3" hidden="false">
          <title xml:lang="en-US">First-boot Configuration</title>
          <description xml:lang="en-US"> The system presents more configuration options
						during the first boot after installation. For the screens listed, implement
						the security-related recommendations:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li> Set Up Software Updates - If the system is
							connected to the Internet now, click 'Yes, I'd like to register now.'
							This will require a connection to either the Red Hat Network servers or
							their proxies or satellites.</xhtml:li>
							<xhtml:li> Create User - If the system
							will require a local user account, it can be created here. Even if the
							system will be using a network-wide authentication system, 
							do not click on the 'Use Network Login...' button.
							Manually applying configuration later is preferable.</xhtml:li>
							<xhtml:li> Kdump - Leave Kdump
							off unless the feature is required, such as for kernel development and
							testing.</xhtml:li>
							<xhtml:li> Firewall - Leave set to 'Enabled.' Only check the 'Trusted
							Services' that this system needs to serve. Uncheck the default selection
							of SSH if the system does not need to serve SSH.</xhtml:li>
							<xhtml:li> SELinux - Leave SELinux set to 'Enforcing' mode.</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
      </Group>
      <Group id="gr-updating" hidden="false">
        <title xml:lang="en-US">Updating Software</title>
        <description xml:lang="en-US"> The yum command line tool is used to install and
					update software packages. Yum replaces the up2date utility used in previous
					system releases. The system also provides PackageKit, which is a graphical package manager.
					It consists of several graphical interfaces that can be opened from the GNOME panel menu, 
					or from the Notification Area when PackageKit alerts you that updates are available. 
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is recommended that these tools be used to keep systems up to
					date with the latest security patches. </description>
        <Group id="gr-updating-1" hidden="false">
          <title xml:lang="en-US">Ensure Red Hat GPG Keys are Installed</title>
          <description xml:lang="en-US"> To ensure that the system can
							cryptographically verify update packages (and also connect to the Red
							Hat Network to receive them if desired) run the following command to
							ensure that the system has the Red Hat GPG keys properly installed:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -q gpg-pubkey</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command should return the strings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg-pubkey-fd431d51-4ae0493b</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg-pubkey-2fa658e0-45700c69</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							corresponding to these keys:
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg(Red Hat, Inc. (release key 2) &lt;security@redhat.com&gt;)</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg(Red Hat, Inc. (auxiliary key) &lt;security@redhat.com&gt;)</xhtml:code></description>
          <Rule id="rule-1005" selected="false" weight="10.000000">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Red Hat GPG Keys are Installed</title>
            <description xml:lang="en-US">The GPG keys should be installed.</description>
            <ident system="http://cce.mitre.org">CCE-14440-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1005" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-updating-2" hidden="false">
          <title xml:lang="en-US">Configure Connection to the RHN RPM Repositories</title>
          <description xml:lang="en-US">
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml" class="block"> The first step in configuring a system for updates
							is to register with the Red Hat Network (RHN). For most systems, this is
							done during the initial installation. Successfully registered systems
							will appear on the RHN web site. If the system is not listed, run the
							Red Hat Subscription Manager tool, which can be found in the
							<xhtml:b>System =&gt; Administration</xhtml:b> menu in the top management bar,
							or on the command line: </xhtml:p>
							
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># subscription-manager register --username admin-example --password secret
							</xhtml:code>
							
							<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Follow the prompts on the screen. Note that a password supplied on the
							command line, as in the example above, is visible to other local users in the process list and is
							recorded in the shell history; omitting the --password option causes the tool to prompt for it instead.
							If successful, the system will appear on the RHN web site and be subscribed to one or more
							software update channels. Additionally, a new daemon, rhnsd, will be
							enabled.</xhtml:p>

						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml" class="block"> If the system will not have access to the Internet, it will not
						be able to directly subscribe to the RHN update repository. Updates will
						have to be downloaded from the RHN web site manually. The command line tool
						yum and the graphical front-end PackageKit can be configured to handle
						this situation. </xhtml:p> </description>
        </Group>
        <Group id="gr-updating-3" hidden="false">
          <title xml:lang="en-US">Disable the rhnsd Daemon</title>
          <description xml:lang="en-US"> The rhnsd daemon polls the Red Hat Network web
						site for scheduled actions. Unless it is actually necessary to schedule
						updates remotely through the RHN website, it is recommended that the service
						be disabled.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rhnsd daemon is enabled by default, but until the system has
						been registered with the Red Hat Network, it will not run. However, once the
						registration process is complete, the rhnsd daemon will run in the
						background and periodically call the rhn_check utility. It is the rhn_check
						utility that communicates with the Red Hat Network web site.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This utility is not required for the system to be able to access
						and install system updates. Once the system has been registered, either use
						the provided yum-updatesd service or create a cron job to automatically
						apply updates. </description>
          <Rule id="rule-1006" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable the rhnsd Daemon</title>
            <description xml:lang="en-US">The rhnsd service should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-3416-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1006" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-updating-4" hidden="false">
          <title xml:lang="en-US">Obtain Software Package Updates with yum</title>
          <description xml:lang="en-US"> The yum update utility can be run by hand from
						the command line, called through one of the provided front-end tools, or
						configured to run automatically at specified intervals.</description>
          <Group id="gr-updating-4.1" hidden="false">
            <title xml:lang="en-US">Manually Update Packages Where Appropriate</title>
            <description xml:lang="en-US"> The following command prints a list of
							packages that need to be updated:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum check-update</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To actually install these updates, run:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum update</xhtml:code>
						</description>
          </Group>
          <Group id="gr-updating-4.2" hidden="false">
            <title xml:lang="en-US">Configure Automatic Update Retrieval and Installation with Cron</title>
            <description xml:lang="en-US"> Create the file yum.cron, make it executable, and place it
							in /etc/cron.daily:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							#!/bin/sh <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							/usr/bin/yum -R 120 -e 0 -d 0 -y update yum <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							/usr/bin/yum -R 10 -e 0 -d 0 -y update  <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This particular script instructs yum to update any packages
							it finds. Placing the script in /etc/cron.daily ensures its daily
							execution. To only apply updates once a week, place the script in
							/etc/cron.weekly instead. </description>
          </Group>
          <Group id="gr-updating-4.3" hidden="false">
            <title xml:lang="en-US">Ensure Package Signature Checking is Globally Activated</title>
            <description xml:lang="en-US"> The gpgcheck option should be used to ensure
							that checking of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To force yum to check package signatures before installing
							them, ensure that the following line appears in /etc/yum.conf in the
							[main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1007" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">gpgcheck is Globally Activated</title>
              <description xml:lang="en-US"> The gpgcheck option should be used to ensure that checking
								of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
								<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check package signatures before
								installing them, ensure that the following line appears in
								/etc/yum.conf in the [main] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
								<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=1</description>
              <ident system="http://cce.mitre.org">CCE-14914-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1007" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-updating-4.4" hidden="false">
            <title xml:lang="en-US">Ensure Package Signature Checking is Not Disabled For Any Repos</title>
            <description xml:lang="en-US"> To ensure that signature checking is not
							disabled for any repos, ensure that the following line DOES NOT appear
							in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1008" selected="false" weight="10.000000">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Package Signature Checking is Not Disabled For Any Repos</title>
              <description xml:lang="en-US"> To ensure that signature checking is not disabled for any
								repos, ensure that the following line DOES NOT appear in any repo
								configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
								<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>gpgcheck=0</description>
              <ident system="http://cce.mitre.org">CCE-14813-0</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1008" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-updating-4.5" hidden="false">
            <title xml:lang="en-US">Ensure Repodata Signature Checking is Globally Activated</title>
            <description xml:lang="en-US"> The repo_gpgcheck option should be used to
							ensure that checking of a signature on repodata is performed prior to
							using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To force yum to check the signature on repodata sent by a
							repository prior to using it, ensure that the following line appears in
							/etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> repo_gpgcheck=1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
          </Group>
          <Group id="gr-updating-4.6" hidden="false">
            <title xml:lang="en-US">Ensure Repodata Signature Checking is Not Disabled For Any Repos</title>
            <description xml:lang="en-US"> To ensure that signature checking is not
							disabled for any repos, ensure that the following line DOES NOT appear
							in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> repo_gpgcheck=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Red Hat’s repositories support signatures on repodata,
							but some public repositories do not. If a repository does not support
							signature checking on repodata, then this risk must be weighed against
							the value of using the repository. </description>
          </Group>
        </Group>
      </Group>
      <Group id="gr-integrity" hidden="false">
        <title xml:lang="en-US">Software Integrity Checking</title>
        <description xml:lang="en-US"> 	Integrity checking cannot prevent intrusions into your
					system, but can detect that they have occurred. Any integrity checking software 
					should be configured before the system is deployed and able to provide services 
					to users. Ideally, the integrity checking database would be built before the system 
					is connected to any network, though this may prove impractical due to registration 
					and software updates. </description>
        <Group id="gr-integrity-1" hidden="false">
          <title xml:lang="en-US">Verify Package Integrity Using RPM</title>
          <description xml:lang="en-US"> The RPM package management system includes the
						ability to verify the integrity of installed packages by comparing the
						installed files with information about the files taken from the package
						metadata stored in the RPM database. Although an attacker could corrupt the
						RPM database (analogous to attacking the AIDE database as described above),
						this check can still reveal modification of important files.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To determine which files on the system differ from what is
						expected by the RPM database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -Va<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A “c” in the second column indicates that a file is a
						configuration file (and may be expected to change). In order to exclude
						configuration files from this list, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -Va | awk '$2!="c" {print $0}'<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The man page rpm(8) describes the format of the output. Any files
						that do not match the expected output demand further investigation if the
						system is being seriously examined. This check could also be run as a cron
						job. </description>
          <Rule id="rule-1009" selected="false" weight="10.000000">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Package Integrity is correct according to package management system</title>
            <description xml:lang="en-US">Verify the integrity of installed packages by comparing the
							installed files with information about the files taken from the package
							metadata stored in the RPM database.</description>
            <ident system="http://cce.mitre.org">CCE-14931-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:tst:1009" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-permissions" hidden="false">
      <title xml:lang="en-US">File Permissions and Masks</title>
      <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Traditional Unix security relies heavily on file and
				directory permissions to prevent unauthorized users from reading or modifying files
				to which they should not have access. Adhere to the principle of least privilege —
				configure each file, directory, and filesystem to allow only the access needed in
				order for that file to serve its purpose. </xhtml:p>
				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> However, Linux systems contain a large number of files, so it is often
				prohibitively time-consuming to ensure that every file on a machine has exactly the
				permissions needed. This section introduces several permission restrictions which
				are almost always appropriate for system security, and which are easy to test and
				correct. </xhtml:p> 
				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Note: Several of the commands in this section search filesystems for
				files or directories with certain characteristics, and are intended to be run on
				every local ext2, ext3 or ext4 partition on a given machine. When the variable 
				<xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> appears in one of the commands below, it means that
				the command is intended to be run repeatedly, with the name of each local partition
				substituted for <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> in turn. </xhtml:p>

				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command prints a list of ext2, ext3 and ext4 partitions on a
				given machine: </xhtml:p>
				<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ mount -t ext2,ext3,ext4 | awk '{print $3}'</xhtml:code>
				<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If your site uses a local filesystem type other than those, you
				will need to modify this command. </xhtml:p> </description>
      <Group id="gr-verify-files" hidden="false">
        <title xml:lang="en-US">Verify Permissions on Important Files and Directories</title>
        <description xml:lang="en-US"> Permissions for many files on a system should be set
					to conform to system policy. This section discusses important permission
					restrictions which should be checked on a regular basis to ensure that
					no harmful discrepancies have arisen.</description>
        <Group id="gr-verify-shadow" hidden="false">
          <title xml:lang="en-US">Verify Permissions on passwd, shadow, group and gshadow Files</title>
          <description xml:lang="en-US"> Many utilities need read access to the passwd file in order to
						function properly, but read access to the shadow file allows malicious
						attacks against system passwords, and should never be enabled.</description>
          <Rule id="rule-1010" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'shadow' file</title>
            <description xml:lang="en-US">The /etc/shadow file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3918-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1010" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1011" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'shadow' file</title>
            <description xml:lang="en-US">The /etc/shadow file should be group-owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3988-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1011" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1012" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'group' file</title>
            <description xml:lang="en-US">The /etc/group file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3276-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1012" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1013" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'group' file</title>
            <description xml:lang="en-US">The /etc/group file should be group-owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3883-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1013" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1014" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'gshadow' file</title>
            <description xml:lang="en-US">The /etc/gshadow file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-4210-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1014" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1015" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'gshadow' file</title>
            <description xml:lang="en-US">The /etc/gshadow file should be group-owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-4064-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1015" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1016" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of 'passwd' file</title>
            <description xml:lang="en-US">The /etc/passwd file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3958-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1016" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1017" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of 'passwd' file</title>
            <description xml:lang="en-US">The /etc/passwd file should be group-owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-3495-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1017" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1018" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'shadow' file</title>
            <description xml:lang="en-US">File permissions for /etc/shadow should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-4130-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1018" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1019" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'group' file</title>
            <description xml:lang="en-US">File permissions for /etc/group should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3967-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1019" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1020" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'gshadow' file</title>
            <description xml:lang="en-US">File permissions for /etc/gshadow should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3932-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1020" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1021" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on 'passwd' file</title>
            <description xml:lang="en-US">File permissions for /etc/passwd should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3566-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1021" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-sticky" hidden="false">
          <title xml:lang="en-US">Verify that All World-Writable Directories Have Sticky Bits Set</title>
          <description xml:lang="en-US"> When the so-called 'sticky bit' is set on a
						directory, only the owner of a given file may remove that file from the
						directory. Without the sticky bit, any user with write access to a directory
						may remove any file in the directory. Setting the sticky bit prevents users
						from removing each other's files. In cases where there is no reason for a
						directory to be world-writable, a better solution is to remove that
						permission rather than to set the sticky bit. However, if a directory is
						used by a particular application, consult that application's documentation
						instead of blindly changing modes.</description>
          <Rule id="rule-1022" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">All World-Writable Directories Have Sticky Bits Set</title>
            <description xml:lang="en-US">The sticky bit should be set for all world-writable
							directories.</description>
            <ident system="http://cce.mitre.org">CCE-3399-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1022" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-fwritable" hidden="false">
          <title xml:lang="en-US">Find Unauthorized World-Writable Files</title>
          <description xml:lang="en-US"> Data in world-writable files can be modified by
						any user on the system. In almost all circumstances, files can be configured
						using a combination of user and group permissions to support whatever
						legitimate access is needed without the risk caused by world-writable files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is generally a good idea to remove global (other) write
						access to a file when it is discovered. However, check with documentation
						for specific applications before making changes. Also, monitor for recurring
						world-writable files, as these may be symptoms of a misconfigured
						application or user account. </description>
          <Rule id="rule-1023" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Unauthorized World-Writable Files</title>
            <description xml:lang="en-US">The world-write permission should be disabled for all
							files.</description>
            <ident system="http://cce.mitre.org">CCE-3795-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1023" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-suid" hidden="false">
          <title xml:lang="en-US">Find Unauthorized SUID/SGID System Executables</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command discovers and prints any
						setuid or setgid files on local partitions. Run it once for each local
						partition: </xhtml:p>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print </xhtml:code>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If the file does not require a setuid or setgid bit, then these bits can be removed with the command: </xhtml:p>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> chmod -s file </xhtml:code>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following table contains all setuid and setgid files which
						are expected to be on a stock system. To reduce system risk, the packages containing these files may be removed
						in some cases; alternatively, the setuid or setgid bit on these
						files may be disabled if only an administrator
						requires their functionality. </xhtml:p>

						<xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:tr>
								<xhtml:th>File</xhtml:th>
								<xhtml:th>Set-UID</xhtml:th>
								<xhtml:th>Set-GID</xhtml:th>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/cgexec</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>cgred</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/fusermount</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/mount</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/ping6</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/ping</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/su</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/bin/umount</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/lib64/dbus-1/dbus-daemon-launch-helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/lib/dbus-1/dbus-daemon-launch-helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/mount.ecryptfs_private</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/mount.nfs</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/netreport</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>root</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/pam_timestamp_check</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/sbin/unix_chkpwd</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/at</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/chage</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/chfn</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/chsh</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/crontab</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>root</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/gnomine</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>games</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/gpasswd</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/iagno</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>games</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/kgrantpty</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/kpac_dhcp_helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/ksu</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/locate</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>slocate</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/lockfile</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mail</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/newgrp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/newrole</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/passwd</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/pkexec</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/rcp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/rlogin</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/rsh</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/same-gnome</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>games</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/screen</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>screen</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/sperl5.10.1</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/ssh-agent</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>nobody</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/staprun</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/sudoedit</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/sudo</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/wall</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>tty</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/write</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>tty</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/bin/Xorg</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/calcsize</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/dumper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/killpgrp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/planner</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/rundump</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/amanda/runtar</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/nspluginwrapper/plugin-config</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib64/vte/gnome-pty-helper</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>utmp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/calcsize</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/dumper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/killpgrp</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/planner</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/rundump</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/amanda/runtar</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/kde4/kdesud</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>root</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/mc/cons.saver</xhtml:td>
								<xhtml:td>vcsa</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/openssh/ssh-keysign</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/polkit-1/polkit-agent-helper-1</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/pt_chown</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/pulse/proximity-helper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/libexec/utempter/utempter</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>utmp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/admindb</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/admin</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/confirm</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/create</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/edithtml</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/listinfo</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/options</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/private</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/rmlist</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/roster</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/cgi-bin/subscribe</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/mailman/mail/mailman</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>mailman</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/nspluginwrapper/plugin-config</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/lib/vte/gnome-pty-helper</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>utmp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/amcheck</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/lockdev</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>lock</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/postdrop</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>postdrop</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/postqueue</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>postdrop</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/sendmail.sendmail</xhtml:td>
								<xhtml:td>-</xhtml:td>
								<xhtml:td>smmsp</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/seunshare</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/suexec</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/userhelper</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
							<xhtml:tr>
								<xhtml:td>/usr/sbin/usernetctl</xhtml:td>
								<xhtml:td>root</xhtml:td>
								<xhtml:td>-</xhtml:td>
							</xhtml:tr>
						</xhtml:table>
					</description>
          <Rule id="rule-1024" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Unauthorized SGID System Executables</title>
            <description xml:lang="en-US">The sgid bit should be set only on authorized files.</description>
            <ident system="http://cce.mitre.org">CCE-14340-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1024" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1025" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Unauthorized SUID System Executables</title>
            <description xml:lang="en-US">The suid bit should be set only on authorized files.</description>
            <ident system="http://cce.mitre.org">CCE-14340-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1025" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-unowned" hidden="false">
          <title xml:lang="en-US">Find and Repair Unowned Files</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command will discover and print any
						files on local partitions which do not belong to a valid user and a valid
						group. Run it once for each local partition PART: </xhtml:p>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART
							-xdev \( -nouser -o -nogroup \) -print </xhtml:code>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If this command
						prints any results, investigate each reported file and either assign it to
						an appropriate user and group or remove it. Unowned files are not directly
						exploitable, but they are generally a sign that something is wrong with some
						system process. They may be caused by an intruder, by incorrect software
						installation or draft software removal, or by failure to remove all files
						belonging to a deleted account. The files should be repaired so that they
						will not cause problems when accounts are created in the future, and the
						problem which led to unowned files should be discovered and
						addressed.</xhtml:p> </description>
          <Rule id="rule-1026" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Files unowned by any user</title>
            <description xml:lang="en-US">All files should be owned by a user</description>
            <ident system="http://cce.mitre.org">CCE-4223-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1026" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1027" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Files unowned by any group</title>
            <description xml:lang="en-US">All files should be owned by a group</description>
            <ident system="http://cce.mitre.org">CCE-3573-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1027" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-verify-dwritable" hidden="false">
          <title xml:lang="en-US">Verify that All World-Writable Directories Have Proper Ownership</title>
          <description xml:lang="en-US"> Locate any directories in local partitions which
						are world-writable and ensure that they are owned by root or another system
						account. The following command will discover and print these (assuming only
						system accounts have a uid lower than 500). Run it once for each local
						partition PART:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d -perm -0002 -uid +500
							-print<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If this command produces any output, investigate why the current
						owner is not root or another system account.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Allowing a user account to own a world-writable directory is
						undesirable because it allows the owner of that directory to remove or
						replace any files that may be placed in the directory by other
						users.</description>
          <Rule id="rule-1028" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">World writable directories not owned by a system account</title>
            <description xml:lang="en-US">All world writable directories should be owned by a system
							user</description>
            <ident system="http://cce.mitre.org">CCE-14794-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1028" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-restrict" hidden="false">
        <title xml:lang="en-US">Restrict Programs from Dangerous Execution Patterns</title>
        <description xml:lang="en-US"> The recommendations in this section provide broad
					protection against information disclosure or other misbehavior. These
					protections are applied at the system initialization or kernel level, and defend
					against certain types of badly-configured or compromised programs.</description>
        <Group id="gr-restrict-umask" hidden="false">
          <title xml:lang="en-US">Set Daemon umask</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The file /etc/rc.d/init.d/functions,
						which is used by most or all shell scripts in the /etc/init.d directory, sets a umask. 
						The system umask
						must be set to at least 022, or daemon processes may create world-writable
						files. The more restrictive setting 027 protects files, including temporary
						files and log files, from unauthorized reading by unprivileged users on the
						system. </xhtml:p>
						<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If a particular daemon needs a less restrictive umask, consider
						editing the startup script or sysconfig file of that daemon to make a
						specific exception.</xhtml:p> </description>
          <Value id="var-1029" operator="equals" type="string">
            <title xml:lang="en-US">daemon umask</title>
            <description xml:lang="en-US">Enter umask for daemons</description>
            <value>027</value>
            <value selector="022">022</value>
            <value selector="027">027</value>
          </Value>
          <Rule id="rule-1029" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Daemon umask setting</title>
            <description xml:lang="en-US">The daemon umask should be set as appropriate</description>
            <ident system="http://cce.mitre.org">CCE-4220-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1029" value-id="var-1029"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1029" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-restrict-dumps" hidden="false">
          <title xml:lang="en-US">Disable Core Dumps</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> A core dump file is the memory image of an
						executable program when it was terminated by the operating system due to
						errant behavior. In most cases, only software developers would legitimately
						need to access these files. The core dump files may also contain sensitive
						information, or unnecessarily occupy large amounts of disk space. </xhtml:p>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> By default, the system sets a soft limit to stop the creation of
						core dump files for all users. However, compliance with
						this limit is voluntary; it is a default intended only to protect users from
						the annoyance of generating unwanted core files. Users can increase the
						allowed core file size up to the hard limit, which is unlimited by default.
						Once a hard limit is set in /etc/security/limits.conf, </xhtml:p>
				        <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> *               hard    core            0 </xhtml:code> 
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">
						the user cannot increase that limit within his own session. If access to core dumps
						is required, consider restricting them to only certain users or groups. See
						the limits.conf man page for more information. </xhtml:p>  </description>
          <Rule id="rule-1030" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable Core Dumps for all users</title>
            <description xml:lang="en-US">Core dumps for all users should be disabled</description>
            <ident system="http://cce.mitre.org">CCE-4225-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1030" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group> 

         <Group id="gr-restrict-SUID_Dumps" hidden="false">
            <title xml:lang="en-US">Ensure SUID Core Dumps are Disabled</title>
            <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The sysctl variable fs.suid_dumpable 
            					controls whether the kernel allows core dumps from setuid programs at all. It
						should be checked to ensure that it has not been enabled at any time during
						system operation. To check this, issue the command: </xhtml:p>
					    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl fs.suid_dumpable </xhtml:code>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The output should indicate that the setting is 0. (Use of
						the -n option causes output to consist of only the value, which may make
						automated checking easier.) </xhtml:p> </description>
          <Rule id="rule-1031" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable Core Dumps for SUID programs</title>
            <description xml:lang="en-US">Core dumps for setuid programs should be disabled</description>
            <ident system="http://cce.mitre.org">CCE-4247-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1031" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
         </Group>
        <Group id="gr-restrict-execshield" hidden="false">
          <title xml:lang="en-US">Enable ExecShield</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> ExecShield comprises a number of kernel features
						to provide protection against buffer overflows. These features include
						random placement of the stack and other memory regions, prevention of
						execution in memory that should only hold data, and special handling of text
						buffers. This protection is enabled by default, but the sysctl variables
						kernel.exec-shield and kernel.randomize_va_space should be checked to ensure
						that it has not been disabled. </xhtml:p>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">	To check that
							ExecShield (including random placement of virtual memory regions) is
							currently running, issue the following commands: </xhtml:p>

					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl kernel.exec-shield </xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl kernel.randomize_va_space </xhtml:code>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The output should indicate that the
							setting of kernel.exec-shield is 1 and the setting of kernel.randomize_va_space is 2.
							(Use of the -n option causes output to consist of only the
							value, which may make automated checking easier.) </xhtml:p> </description>
            <Value id="var-1033" operator="equals" type="string">
              <title xml:lang="en-US">kernel.randomize_va_space</title>
              <description xml:lang="en-US">Enter whether virtual address space should be randomized</description>
              <value>2</value>
              <value selector="enabled_with_heap">2</value>
              <value selector="enabled_without_heap">1</value>
              <value selector="disabled">0</value>
            </Value>
          <Rule id="rule-1032" selected="false" weight="10.000000">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">ExecShield is enabled (runtime)</title>
            <description xml:lang="en-US">ExecShield should be enabled</description>
            <ident system="http://cce.mitre.org">CCE-4168-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1032" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1033" selected="false" weight="10.000000">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">ExecShield randomized placement of virtual memory regions is enabled (runtime)</title>
            <description xml:lang="en-US">ExecShield randomized placement of virtual memory regions
							should be enabled</description>
            <ident system="http://cce.mitre.org">CCE-4146-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1033" value-id="var-1033"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1033" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-accounts" hidden="false">
      <title xml:lang="en-US">Account and Access Control</title>
      <description xml:lang="en-US"> In traditional Unix security, if an attacker gains shell
				access to a certain login account, he can perform any action or access any file to
				which that account has access. Therefore, making it more difficult for unauthorized
				people to gain shell access to accounts, particularly to privileged accounts, is a
				necessary part of securing a system. This section introduces mechanisms for
				restricting access to accounts.</description>
      <Group id="gr-accounts-login" hidden="false">
        <title xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title>
        <description xml:lang="en-US"> Conventionally, Unix shell accounts are accessed by
					providing a username and password to a login program, which tests these values
					for correctness using the /etc/passwd and /etc/shadow files. Password-based
					login is vulnerable to guessing of weak passwords, and to sniffing and
					man-in-the-middle attacks against passwords entered over a network or at an
					insecure console. Therefore, mechanisms for accessing accounts by entering
					usernames and passwords should be restricted to those which are operationally
					necessary.</description>
        <Group id="gr-accounts-login.1" hidden="false">
          <title xml:lang="en-US">Restrict Root Logins to System Console</title>
          <description xml:lang="en-US"> Edit the file /etc/securetty. Ensure that the
						file contains only the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The primary system console device:
								<xhtml:br/>console</xhtml:li>
							<xhtml:li>The virtual console devices: <xhtml:br/>tty1 tty2 tty3 tty4
								tty5 tty6 ... </xhtml:li>
							<xhtml:li>If required by your organization, the deprecated virtual
								console interface may be retained for backwards
								compatibility:<xhtml:br/>vc/1 vc/2 vc/3 vc/4 vc/5 vc/6
								...</xhtml:li>
							<xhtml:li>If required by your organization, the serial consoles may be
								added:<xhtml:br/> ttyS0 ttyS1</xhtml:li>
						</xhtml:ul> Direct root logins should be allowed only for emergency use. In
						normal situations, the administrator should access the system via a unique
						unprivileged account, and use su or sudo to execute privileged commands.
						Discouraging administrators from accessing the root account directly ensures
						an audit trail in organizations with multiple administrators. Locking down
						the channels through which root can connect directly reduces opportunities
						for password-guessing against the root account. The login program uses the
						file /etc/securetty to determine which interfaces should allow root logins.
						The virtual devices /dev/console and /dev/tty* represent the system consoles
						(accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a
						default installation). The default securetty file also contains /dev/vc/*.
						These are likely to be deprecated in most environments, but may be retained
						for compatibility. Root should also be prohibited from connecting via
						network protocols. </description>
          <Rule id="rule-1034" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Root logins to virtual console are not permitted</title>
            <description xml:lang="en-US">Root logins through the virtual console devices should be
							disabled</description>
            <ident system="http://cce.mitre.org">CCE-3485-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1034" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1035" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Root logins to serial ports are not permitted</title>
            <description xml:lang="en-US">Root logins on serial ports should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-4256-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1035" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-login.2" hidden="false">
          <title xml:lang="en-US">Configure su to Restrict the Root Access</title>
          <description xml:lang="en-US">
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Ensure that the group wheel exists, and that the usernames of
								all administrators who should be allowed to execute commands as root
								are members of that group. <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># grep ^wheel /etc/group</xhtml:code>
							</xhtml:li>
							<xhtml:li>Edit the file /etc/pam.d/su. Add, uncomment, or correct the
								line: <xhtml:br/>
								<xhtml:code>auth required pam_wheel.so use_uid</xhtml:code>
							</xhtml:li>
						</xhtml:ol> The su command allows a user to gain the privileges of another
						user by entering the password for that user's account. It is desirable to
						restrict the root user so that only known administrators are ever allowed to
						access the root account. This restricts password-guessing against the root
						account by unauthorized users or by accounts which have been compromised. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By convention, the group wheel contains all users who are
						allowed to run privileged commands. The PAM module pam_wheel.so is used to
						restrict root access to this set of users.</description>
          <Rule id="rule-1036" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The 'wheel' group should exist</title>
            <description xml:lang="en-US">Ensure that the group wheel exists</description>
            <ident system="http://cce.mitre.org">CCE-14088-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1036" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1037" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Access to the root account via su is restricted to the wheel group</title>
            <description xml:lang="en-US">Command access to the root account should be restricted to the
							wheel group.</description>
            <ident system="http://cce.mitre.org">CCE-15047-4</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1037" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-login.3" hidden="false">
          <title xml:lang="en-US">Configure sudo to Improve Auditing of Root Access</title>
          <description xml:lang="en-US">
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Ensure that the group wheel exists, and that the usernames of
								all administrators who should be allowed to execute commands as root
								are members of that group. <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># grep ^wheel /etc/group</xhtml:code>
							</xhtml:li>
							<xhtml:li>Edit the file /etc/sudoers. Add, uncomment, or correct the
								line: <xhtml:br/>
								<xhtml:br/> %wheel ALL=(ALL) ALL</xhtml:li>
						</xhtml:ol>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The sudo command allows fine-grained control over which users
						can execute commands using other accounts. The primary benefit of sudo when
						configured as above is that it provides an audit trail of every command run
						by a privileged user. It is possible for a malicious administrator to
						circumvent this restriction, but, if there is an established procedure that
						all root commands are run using sudo, then it is easy for an auditor to
						detect unusual behavior when this procedure is not followed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Editing /etc/sudoers by hand can be dangerous, since a
						configuration error may make it impossible to access the root account
						remotely. The recommended means of editing this file is using the visudo
						command, which checks the file's syntax for correctness before allowing it
						to be saved.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note that sudo allows any attacker who gains access to the
						password of an administrator account to run commands as root. This is a
						downside which must be weighed against the benefits of increased audit
						capability and of being able to heavily restrict the use of the high-value
						root password (which can be logistically difficult to change often). As a
						basic precaution, never use the NOPASSWD directive, which would allow anyone
						with access to an administrator account to execute commands as root without
						knowing the administrator's password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The sudo command has many options which can be used to further
						customize its behavior. See the sudoers(5) man page for
						details.</description>
        </Group>
        <Group id="gr-accounts-login.4" hidden="false">
          <title xml:lang="en-US">Block Shell and Login Access for Non-Root System Accounts</title>
          <description xml:lang="en-US"> Using /etc/passwd, obtain a listing of all users,
						their UIDs, and their shells, for instance by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Identify the system accounts from this listing. These will
						primarily be the accounts with UID numbers less than 500, other than root.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each identified system account SYSACCT , lock the account: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -L SYSACCT <xhtml:br/>
						</xhtml:code> and disable its shell: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin SYSACCT <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These are the accounts which are not associated with a human
						user of the system, but which exist to perform some administrative function.
						Make it more difficult for an attacker to use these accounts by locking
						their passwords and by setting their shells to some non-valid shell. The
						default non-valid shell is /sbin/nologin, but any command which will
						exit with a failure status and disallow execution of any further commands,
						such as /bin/false or /dev/null, will work.</description>
          <warning xml:lang="en-US" override="false" category="functionality">Do not perform the steps in
						this section on the root account. Doing so might cause the system to become
						inaccessible.</warning>
          <Rule id="rule-1038" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Login Access for Non-Root System Accounts is blocked</title>
            <description xml:lang="en-US">Login access to non-root system accounts should be
							disabled</description>
            <ident system="http://cce.mitre.org">CCE-3987-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1038" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>

        <Group id="gr-accounts-login.5" hidden="false">
            <title xml:lang="en-US">Verify that No Accounts Have Empty Password Fields</title>
            <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If an account has an empty password, 
            					anybody may log in and run commands with the privileges of that account. Accounts 
            					with empty passwords should never be used in operational environments. </xhtml:p>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Run the command: </xhtml:p>
					    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 == "") {print}' /etc/shadow </xhtml:code>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If this produces any output, fix the problem by locking each
						account or by setting a password. </xhtml:p> </description>
            <Rule id="rule-1039" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">No Accounts Have Empty Password Fields</title>
              <description xml:lang="en-US">Login access to accounts without passwords should be
								disabled</description>
              <ident system="http://cce.mitre.org">CCE-4238-2</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1039" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
        </Group>

        <Group id="gr-accounts-login.6" hidden="false">
            <title xml:lang="en-US">Verify that All Account Password Hashes are Shadowed</title>
            <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The hashes for all user account 
            					passwords should be stored in the file /etc/shadow and never in /etc/passwd, which 
            					is readable by all users. </xhtml:p>
					    <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> To ensure that no password hashes are stored
							in /etc/passwd, the following command should have no output: </xhtml:p>
					    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd </xhtml:code>
						</description>
            <Rule id="rule-1040" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">All Account Password Hashes are Shadowed</title>
              <description xml:lang="en-US">Check that passwords are shadowed</description>
              <ident system="http://cce.mitre.org">CCE-14300-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1040" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
        </Group>

        <Group id="gr-accounts-login.7" hidden="false">
          <title xml:lang="en-US">Verify that No Non-Root Accounts Have UID 0</title>
          <description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> In general, the best practice solution for auditing use of the
						root account is to restrict the set of cases in which root must be accessed
						anonymously by requiring use of su or sudo in almost all cases. Some sites
						choose to have more than one account with UID 0 in order to differentiate
						between administrators, but this practice may have unexpected side effects,
						and is therefore not recommended. </xhtml:p>


					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> This command will print all password file entries
						for accounts with UID 0: </xhtml:p>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd </xhtml:code>
					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> This should print only one line, for the user root. If any other
						lines appear, ensure that these additional UID-0 accounts are authorized,
						and that there is a good reason for them to exist. </xhtml:p> </description>
          <Rule id="rule-1041" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">No Non-Root Accounts Have UID 0</title>
            <description xml:lang="en-US">Anonymous root logins should be disabled</description>
            <ident system="http://cce.mitre.org">CCE-4009-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1041" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>

        <Group id="gr-accounts-login.8" hidden="false">
          <title xml:lang="en-US">Set Password Expiration Parameters</title>
          <description xml:lang="en-US"> Edit the file /etc/login.defs to specify password
						expiration settings for new accounts. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS=180</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS=7</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_WARN_AGE=7</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						For each existing human user USER, modify the current expiration settings to match these: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						# chage -M 180 -m 7 -W 7 USER<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Users should be forced to change their passwords, in order to
						decrease the utility of compromised passwords. However, the need to change
						passwords often should be balanced against the risk that users will reuse or
						write down passwords if forced to change them too often. Forcing password
						changes every 90-360 days, depending on the environment, is recommended. Set
						the appropriate value as PASS_MAX_DAYS and apply it to existing accounts
						with the -M flag. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The PASS_MIN_DAYS (-m) setting prevents password changes for 7
						days after the first change, to discourage password cycling. If you use this
						setting, train users to contact an administrator for an emergency password
						change in case a new password becomes compromised. The PASS_WARN_AGE (-W)
						setting gives users 7 days of warnings at login time that their passwords
						are about to expire.</description>
          <Value id="var-1042" operator="equals" type="string">
            <title xml:lang="en-US">Minimum password age</title>
            <description xml:lang="en-US">Enter minimum duration before allowing a
							password change</description>
            <value>7</value>
            <value selector="0_days">0</value>
            <value selector="1_day">1</value>
            <value selector="7_days">7</value>
          </Value>
          <Value id="var-1043" operator="equals" type="string">
            <title xml:lang="en-US">Maximum password age</title>
            <description xml:lang="en-US">Enter age before which a password must be
							changed</description>
            <value>180</value>
            <value selector="0_days">0</value>
            <value selector="30_days">30</value>
            <value selector="60_days">60</value>
            <value selector="90_days">90</value>
            <value selector="120_days">120</value>
            <value selector="150_days">150</value>
            <value selector="180_days">180</value>
            <value selector="99999_days">99999</value>
          </Value>
          <Value id="var-1044" operator="equals" type="string">
            <title xml:lang="en-US">Password warn age</title>
            <description xml:lang="en-US"> The number of days of warning given before a
							password expires. A zero means a warning is given only on the day of
							expiration; a negative value means no warning is given. If not
							specified, no warning will be provided.</description>
            <value>7</value>
            <value selector="7_days">7</value>
            <value selector="8_days">8</value>
            <value selector="14_days">14</value>
          </Value>
          <Rule id="rule-1042" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Minimum password age</title>
            <description xml:lang="en-US">The minimum password age should be set
							appropriately</description>
            <ident system="http://cce.mitre.org">CCE-4180-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1042" value-id="var-1042"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1042" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1043" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Maximum password age</title>
            <description xml:lang="en-US">The maximum password age should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1043"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4092-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1043" value-id="var-1043"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1043" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1044" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Password warn age</title>
            <description xml:lang="en-US">The password warn age should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1044"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4097-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1044" value-id="var-1044"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1044" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>


      <Group id="gr-accounts-pam" hidden="false">
        <title xml:lang="en-US">Protect Accounts by Configuring PAM</title>
        <description xml:lang="en-US"> PAM, or Pluggable Authentication Modules, is a system
					which implements modular authentication for Linux programs. PAM is
					well-integrated into Linux's authentication architecture, making it difficult to
					remove, but it can be configured to minimize your system's exposure to
					unnecessary risk. This section contains guidance on how to accomplish that, and
					how to ensure that the modules used by your PAM configuration do what they are
					supposed to do. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PAM is implemented as a set of shared objects which are loaded and
					invoked whenever an application wishes to authenticate a user. Typically, the
					application must be running as root in order to take advantage of PAM.
					Traditional privileged network listeners (e.g. sshd) or SUID programs (e.g.
					sudo) already meet this requirement. An SUID root application, userhelper, is
					provided so that programs which are not SUID or privileged themselves can still
					take advantage of PAM. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PAM looks in the directory /etc/pam.d for application-specific
					configuration information. For instance, if the program login attempts to
					authenticate a user, then PAM's libraries follow the instructions in the file
					/etc/pam.d/login to determine what actions should be taken. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>One very important file in /etc/pam.d is /etc/pam.d/system-auth. This
					file, which is included by many other PAM configuration files, defines 'default'
					system authentication measures. Modifying this file is a good way to make
					far-reaching authentication changes, for instance when implementing a
					centralized authentication service. Another important file is password-auth. It contains the same
					entries as system-auth, except that modules which make sense only for local
					services are removed; it is used by sshd, for example.</description>
        <warning xml:lang="en-US"> Be careful when making changes to PAM's configuration
					files. The syntax for these files is complex, and modifications can have
					unexpected consequences. The default configurations shipped with applications
					should be sufficient for most users. </warning>
        <warning xml:lang="en-US"> Running authconfig or system-config-authentication will
					re-write the PAM configuration files, destroying any manually made changes and
					replacing them with a series of system defaults. The reference to the
					configuration file syntax can be found at
					http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html. </warning>
        <Group id="gr-accounts-pam.1" hidden="false">
          <title xml:lang="en-US">Set Password Quality Requirements</title>
          <description xml:lang="en-US"> The default pam_cracklib PAM module provides
						strength checking for passwords. It performs a number of checks, such as
						making sure passwords are not similar to dictionary words, are of at least a
						certain length, are not the previous password reversed, and are not simply a
						change of case from the previous password. It can also require passwords to
						be in certain character classes.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The pam_passwdqc PAM module provides the ability to enforce even
						more stringent password strength requirements. It is provided in an RPM of
						the same name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The man pages pam_cracklib(8) and pam_passwdqc(8) provide
						information on the capabilities and configuration of each. </description>

          <Group id="gr-accounts-pam.1.1" hidden="false">
            <title xml:lang="en-US">Password Quality Requirements Set By pam_cracklib module</title>
            <description xml:lang="en-US"> The default pam_cracklib PAM module provides
                                                strength checking for passwords. It performs a number of checks, such as
                                                making sure passwords are not similar to dictionary words, are of at least a
                                                certain length, are not the previous password reversed, and are not simply a
                                                change of case from the previous password. It can also require passwords to
                                                be in certain character classes. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						For example, to configure pam_cracklib to require at least one uppercase character,
						lowercase character, digit, and other (special) character, locate the following line in 
						/etc/pam.d/system-auth and /etc/pam.d/password-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						password requisite pam_cracklib.so try_first_pass retry=3 <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then alter it to read:
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 

						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If necessary, modify the arguments to ensure compliance with
 						your organization’s security policy. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						The man page pam_cracklib(8) provides information on the capabilities and configuration.
						</description> 
            <warning xml:lang="en-US">Note that pam_cracklib does not enforce these password quality requirements when the root account sets a password. </warning>
            <Value id="var-1045" type="number">
              <title xml:lang="en-US">retry</title>
              <description xml:lang="en-US">Number of retry attempts before erroring out</description>
              <value>3</value>
              <value selector="1">1</value>
              <value selector="2">2</value>
              <value selector="3">3</value>
            </Value>
            <Value id="var-1046" type="number">
              <title xml:lang="en-US">minlen</title>
              <description xml:lang="en-US">Minimum number of characters in password</description>
              <value>12</value>
              <value selector="6">6</value>
              <value selector="8">8</value>
              <value selector="10">10</value>
              <value selector="12">12</value>
              <value selector="14">14</value>
              <value selector="15">15</value>
            </Value>
            <Value id="var-1047" type="number">
              <title xml:lang="en-US">dcredit</title>
              <description xml:lang="en-US">Minimum number of digits in password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1049" type="number">
              <title xml:lang="en-US">ocredit</title>
              <description xml:lang="en-US">Minimum number of other (special) characters in password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1050" type="number">
              <title xml:lang="en-US">lcredit</title>
              <description xml:lang="en-US">Minimum number of lowercase characters in password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1048" type="number">
              <title xml:lang="en-US">ucredit</title>
              <description xml:lang="en-US">Minimum number of uppercase characters in
								password</description>
              <value>-2</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var-1051" type="number">
              <title xml:lang="en-US">difok</title>
              <description xml:lang="en-US">Minimum number of characters not present
								in the old password</description>
              <warning xml:lang="en-US">Keep this high for short passwords</warning>
              <value>5</value>
              <value selector="2">2</value>
              <value selector="3">3</value>
              <value selector="4">4</value>
              <value selector="5">5</value>
            </Value>
            <Rule id="rule-1045" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Password retry Requirements</title>
              <description xml:lang="en-US">The password retry should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-15054-0</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1045" value-id="var-1045"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1045" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1046" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Password minlen Requirements</title>
              <description xml:lang="en-US">The password minlen should meet minimum
								requirements</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1046" value-id="var-1046"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1046" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1047" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require a minimum number of digits</title>
              <description xml:lang="en-US">The password dcredit should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-14113-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1047" value-id="var-1047"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1047" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1048" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require a minimum number of uppercase characters</title>
              <description xml:lang="en-US">The password ucredit should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-14672-0</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1048" value-id="var-1048"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1048" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1049" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require a minimum number of special characters</title>
              <description xml:lang="en-US">The password strength parameters should require a minimum number of special characters</description>
              <ident system="http://cce.mitre.org">CCE-14122-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1049" value-id="var-1049"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1049" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1050" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Set Password lcredit Requirements</title>
              <description xml:lang="en-US">The password strength parameters should require a minimum number of lowercase characters</description>
              <ident system="http://cce.mitre.org">CCE-14712-4</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1050" value-id="var-1050"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1050" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1051" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should require new passwords to differ from old ones by a minimum number of characters</title>
              <description xml:lang="en-US">The password difok should meet minimum
								requirements</description>
              <ident system="http://cce.mitre.org">CCE-14701-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1051" value-id="var-1051"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1051" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-accounts-pam.1.2" hidden="false">
            <title xml:lang="en-US">Set Password Quality Requirements, if using pam_passwdqc</title>
            <description xml:lang="en-US"> If stronger password strength checking than that
							provided by pam_cracklib is required, configure PAM to use pam_passwdqc.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To activate pam_passwdqc, locate the following line in /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then replace it with the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> password requisite pam_passwdqc.so min=disabled,disabled,16,12,8<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If necessary, modify the arguments
							(min=disabled,disabled,16,12,8) to ensure compliance with your
							organization’s security policy. Configuration options are described in
							the man page pam_passwdqc(8) and also in
							/usr/share/doc/pam_passwdqc-version. The minimum lengths provided here
							supersede the value specified by the PASS_MIN_LEN argument in login.defs.
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The options given in the example above set a minimum length
							for each of the password “classes” that pam_passwdqc recognizes. Setting
							a particular minimum value to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">disabled</xhtml:code>
							will stop users from choosing a
							password that falls into that category alone. </description>
	    <!-- The individual values do not have a generic meaning that is likely to make sense outside of pam_passwdqc, so this test only allows verifying
		 a policy specifically designed for pam_passwdqc. -->
            <Value id="var-1052" type="string">
              <title xml:lang="en-US">pam_passwdqc min</title>
              <description xml:lang="en-US">"min" parameter for pam_passwdqc</description>
              <value>disabled,disabled,16,12,8</value>
            </Value>
            <Rule id="rule-1052" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">The password strength parameters should be configured using pam_passwdqc</title>
              <description xml:lang="en-US">pam_passwdqc "min" should be configured as described by the policy</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1052" value-id="var-1052"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1052" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-accounts-pam.2" hidden="false">
          <title xml:lang="en-US">Set Lockouts for Failed Password Attempts</title>
          <description xml:lang="en-US"> The pam_tally2 PAM module provides the capability
						to lock out user accounts after a number of failed login attempts. Its
						documentation is available in the man page pam_tally2(8). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If locking out accounts after a number of incorrect login
						attempts is required by your security policy, implement use of pam_tally2.so
						for the relevant PAM-aware programs such as login, sshd, and vsftpd. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Find the following line in /etc/pam.d/system-auth: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth sufficient pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then change it so that it reads as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth required pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In the same file, comment out or delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth requisite pam_succeed_if.so uid &gt;= 500 quiet <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						auth required pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						After changing /etc/pam.d/system-auth as described above, perform the same set of changes in /etc/pam.d/password-auth as well.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To enforce password lockout, add the following to the individual
						programs' configuration files in /etc/pam.d. First, add to end of the auth
						lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth required pam_tally2.so deny=5 onerr=fail <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Second, add to the end of the account lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> account required pam_tally2.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Adjust the deny argument to conform to your system security
						policy. The pam_tally2 utility can be used to unlock user accounts as
						follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /sbin/pam_tally2 --user username --reset <xhtml:br/>
						</xhtml:code>
					</description>
          <warning xml:lang="en-US"> Locking out user accounts presents the risk of a
						denial-of-service attack. The security policy regarding system lockout must
						weigh whether the risk of such a denial-of-service attack outweighs the
						benefits of thwarting password guessing attacks. The pam_tally2 utility can
						be run from a cron job on an hourly or daily basis to try to offset this
						risk. </warning>
	  <!-- Not tested, this needs to be tested in files specific for each service, and coordinated editing of several PAM configuration items is required. -->
        </Group>
        <Group id="gr-accounts-pam.3" hidden="false">
          <title xml:lang="en-US">Use pam_deny.so to Quickly Deny Access to a Service</title>
          <description xml:lang="en-US"> In order to deny access to a service SVCNAME via
						PAM, edit the file /etc/pam.d/SVCNAME. Prepend this line to the beginning
						of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth requisite pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Under most circumstances, there are better ways to disable a
						service than to deny access via PAM. However, this should suffice as a way
						to quickly make a service unavailable to future users (existing sessions
						which have already been authenticated are not affected). The requisite tag
						tells PAM that, if the named module returns failure, authentication should
						fail, and PAM should immediately stop processing the configuration file. The
						pam_deny.so module always returns failure regardless of its
						input.</description>
        </Group>
        <Group id="gr-accounts-pam.4" hidden="false">
          <title xml:lang="en-US">Ensure the Password Hashing Algorithm is SHA-512</title>
          <description xml:lang="en-US"> The default algorithm for storing password hashes
						in /etc/shadow is SHA-512, but a weaker algorithm could have been configured.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In order to configure the system to use the SHA-512 algorithm,
						issue the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/authconfig --passalgo=sha512 --update<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When users change their passwords, hashes for the new passwords
						will be generated using the SHA-512 algorithm. Existing hashes are not
						converted, so an account keeps its weaker hash until its password is next
						changed; consider requiring a password change for such accounts.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> </description>
          <Value id="var-1053" operator="equals" type="string">
            <title xml:lang="en-US">Password hashing algorithm</title>
            <description xml:lang="en-US">Enter /etc/shadow password hashing
							algorithm</description>
            <value>sha512</value>
            <value selector="MD5">md5</value>
            <value selector="SHA-256">sha256</value>
            <value selector="SHA-512">sha512</value>
          </Value>
          <Rule id="rule-1053" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Password hashing algorithm</title>
            <description xml:lang="en-US">The password hashing algorithm should be set to
		    <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1053"/></description>
            <ident system="http://cce.mitre.org">CCE-14063-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1053" value-id="var-1053"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1053" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-pam.5" hidden="false">
          <title xml:lang="en-US">Limit Password Reuse</title>
          <description xml:lang="en-US"> Do not allow users to reuse recent passwords.
						This can be accomplished by using the remember option for the pam_unix PAM
						module. In order to prevent a user from re-using any of his or her last 5
						passwords, locate the <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> password requisite pam_cracklib.so ... </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> or <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password requisite pam_passwdqc.so ... </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>line in /etc/pam.d/system-auth,
						and add the following line immediately below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> password requisite pam_pwhistory.so use_authtok remember=5 </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Hashes of old (and thus no longer valid) passwords are stored in the file
						/etc/security/opasswd; because it holds password hashes, its permissions should
						be as restrictive as those of /etc/shadow. </description>
          <Value id="var-1054" operator="equals" type="number">
            <title xml:lang="en-US">remember</title>
            <description xml:lang="en-US"> The last n passwords for each user are saved
							in /etc/security/opasswd in order to force password change history and
							keep the user from alternating between the same password too frequently. </description>
            <value>5</value>
            <value selector="0">0</value>
            <value selector="5">5</value>
            <value selector="10">10</value>
          </Value>
          <Rule id="rule-1054" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Limit password reuse</title>
            <description xml:lang="en-US">The passwords to remember should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1054"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-14939-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1054" value-id="var-1054"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1054" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-accounts-config" hidden="false">
        <title xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title>
        <description xml:lang="en-US"> When a user logs into a Unix account, the system
					configures the user's session by reading a number of files. Many of these files
					are located in the user's home directory, and may have weak permissions as a
					result of user error or misconfiguration. If an attacker can modify or even read
					certain types of account configuration information, he can often gain full
					access to the affected user's account. Therefore, it is important to test and
					correct configuration file permissions for interactive accounts, particularly
					those of privileged users such as root or system administrators.</description>
        <Group id="gr-accounts-config.1" hidden="false">
          <title xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title>
          <description xml:lang="en-US"> The active path of the root account can be
						obtained by starting a new root shell and running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># echo $PATH </xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>This will produce a colon-separated list of directories in the
						path. For each directory DIR in the path, ensure that DIR is not equal to a
						single . character. Also ensure that there are no 'empty' elements in the
						path, such as in these examples: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=:/bin</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=/bin:</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=/bin::/sbin</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These empty elements have the same effect as a single .
						character. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each element in the path, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld DIR <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and ensure that write permissions are disabled for group and
						other, and that the directory is owned by root (a directory owned by an
						unprivileged user is writable by that user regardless of its mode bits). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is important to prevent root from executing unknown or
						untrusted programs, since such programs could contain malicious code.
						Therefore, root should not run programs installed by unprivileged users.
						Since root may often be working inside untrusted directories, the .
						character, which represents the current directory, should never be in the
						root path, nor should any directory which can be written to by an
						unprivileged or semi-privileged (system) user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is a good practice for administrators to always execute
						privileged commands by typing the full path to the command.</description>
          <Rule id="rule-1055" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">No Dangerous Directories Exist in Root's PATH variable</title>
            <description xml:lang="en-US">The PATH variable should be set correctly for user
							root</description>
            <ident system="http://cce.mitre.org">CCE-3301-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1055" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1056" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The PATH variable for root does not include any world-writable or group-writable directories</title>
            <description xml:lang="en-US">Check each directory in root's path and make sure it does not
							grant write permission to group and other</description>
            <ident system="http://cce.mitre.org">CCE-14957-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1056" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.2" hidden="false">
          <title xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
          <description xml:lang="en-US"> For each human user USER of the system, view the
						permissions of the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ensure that the directory is not group-writable and that it is
						not world-readable. If necessary, repair the permissions:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod g-w /home/USER</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod o-rwx /home/USER</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> User home directories contain many configuration files which
						affect the behavior of a user's account. No user should ever have write
						permission to another user's home directory. Group shared directories can be
						configured in subdirectories or elsewhere in the filesystem if they are
						needed. Typically, user home directories should not be world-readable. If a
						subset of users need read access to one another's home directories, this can
						be provided using groups.</description>
          <warning xml:lang="en-US">This section recommends modifying user home
						directories. Notify your user community, and solicit input if appropriate,
						before making this type of change. </warning>
          <Rule id="rule-1057" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User Home Directories are not Group-Writable or World-Readable</title>
            <description xml:lang="en-US">File permissions should be set correctly for the home
							directories for all user accounts.</description>
            <ident system="http://cce.mitre.org">CCE-4090-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1057" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.3" hidden="false">
          <title xml:lang="en-US">Ensure that User Dot-Files are not World-writable</title>
          <description xml:lang="en-US"> For each human user USER of the system, view the
						permissions of all dot-files in the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER/.[A-Za-z0-9]* <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ensure that none of these files are group- or world-writable.
						Note that this pattern lists only entries whose second character is
						alphanumeric and, because of -d, does not descend into dot-directories;
						review their contents separately. Correct each misconfigured file FILE by executing: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod go-w /home/USER/FILE <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A user who can modify another user's configuration files can
						likely execute commands with the other user's privileges, including stealing
						data, destroying files, or launching further attacks on the
						system.</description>
          <warning xml:lang="en-US">This section recommends modifying user home
						directories. Notify your user community, and solicit input if appropriate,
						before making this type of change. </warning>
          <Rule id="rule-1058" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User Dot-Files are not Group-Writable or World-Writable</title>
            <description xml:lang="en-US">Dot-files in the home directories of all user accounts should not
							be group- or world-writable.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1058" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.4" hidden="false">
          <title xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title>
          <description xml:lang="en-US">
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Edit the global configuration files /etc/profile, /etc/bashrc,
								and /etc/csh.cshrc. Add or correct the line: <xhtml:br/>
								<xhtml:br/> umask 077</xhtml:li>
							<xhtml:li>Edit the user definitions file /etc/login.defs. Add or correct
								the line:<xhtml:br/>
								<xhtml:br/> UMASK 077 </xhtml:li>
							<xhtml:li>View the additional configuration files /etc/csh.login and
								/etc/profile.d/*, and ensure that none of these files redefine the
								umask to a more permissive value unless there is a good reason for
								it.</xhtml:li>
							<xhtml:li>Edit the root shell configuration files /root/.bashrc,
								/root/.bash_profile, /root/.cshrc, and /root/.tcshrc. Add or correct
								the line: <xhtml:br/>
								<xhtml:br/> umask 077 </xhtml:li>
						</xhtml:ol> With a default umask setting of 077, files and directories
						created by users will not be readable by any other user on the system. Users
						who wish to make specific files group- or world-readable can accomplish this
						using the chmod command. Additionally, users can make all their files
						readable to their group by default by setting a umask of 027 in their shell
						configuration files. If default per-user groups exist (that is, if every
						user has a default group whose name is the same as that user's username and
						whose only member is the user), then it may even be safe for users to select
						a umask of 007, making it very easy to intentionally share files with groups
						of which the user is a member. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In addition, it may be necessary to change root's umask
						temporarily in order to install software or files which must be readable by
						other users, or to change the default umasks of certain service accounts
						such as the FTP user. However, setting a restrictive default protects the
						files of users who have not taken steps to make their files more available,
						and prevents files from being inadvertently shared.</description>
          <warning xml:lang="en-US">This section recommends changing the default umask, which
						alters the permissions of every new file users create. Notify your user
						community, and solicit input if appropriate, before making this type of change. </warning>
          <Value id="var-1059" operator="equals" type="string">
            <title xml:lang="en-US">Default user umask</title>
            <description xml:lang="en-US">Enter default user umask. The preselected value (022) is more
							permissive than the 077 recommended in the group description above; select
							077 (or 027) to match that guidance.</description>
            <value>022</value>
            <value selector="002">002</value>
            <value selector="007">007</value>
            <value selector="022">022</value>
            <value selector="027">027</value>
            <value selector="077">077</value>
          </Value>
          <Value id="var-1061" operator="equals" type="string">
            <title xml:lang="en-US">umask for shadow-utils</title>
            <description xml:lang="en-US">Enter default user umask</description>
            <value>077</value>
            <value selector="007">007</value>
            <value selector="022">022</value>
            <value selector="027">027</value>
            <value selector="077">077</value>
          </Value>
          <Rule id="rule-1059" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/bashrc</title>
            <description xml:lang="en-US">The default umask for all users for the bash shell should be
							set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-3844-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1059" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1060" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/csh.cshrc</title>
            <description xml:lang="en-US">The default umask for all users for the csh shell should be set
							to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4227-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1060" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1061" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/login.defs</title>
            <description xml:lang="en-US">The default umask for all users should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1061"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-14107-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1061" value-id="var-1061"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1061" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1062" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default umask for all users is set correctly in /etc/profile</title>
            <description xml:lang="en-US">The default umask for all users should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-14847-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1062" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-config.5" hidden="false">
          <title xml:lang="en-US">Ensure that Users do not Have .netrc Files</title>
          <description xml:lang="en-US"> For each human user USER of the system, ensure
						that the user has no .netrc file. The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -l /home/USER/.netrc <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> should return the error 'No such file or directory'. If any user
						has such a file, approach that user to discuss removing it, and treat any
						credentials it contains as exposed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The .netrc file is a configuration file used to make unattended
						logins to other systems via FTP. When this file exists, it frequently
						contains unencrypted passwords which may be used to attack other
						systems.</description>
          <warning xml:lang="en-US">This section recommends modifying user home
						directories. Notify your user community, and solicit input if appropriate,
						before making this type of change. </warning>
          <Rule id="rule-1063" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">No ~/.netrc files exist</title>
            <description xml:lang="en-US">No user's home directory should contain a .netrc file</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1063" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-accounts-physical" hidden="false">
        <title xml:lang="en-US">Protect Physical Console Access</title>
        <description xml:lang="en-US"> It is impossible to fully protect a system from an
					attacker with physical access, so securing the space in which the system is
					located should be considered a necessary step. However, there are some steps
					which, if taken, make it more difficult for an attacker to quickly or
					undetectably modify a system from its console.</description>
        <Group id="gr-accounts-physical.1" hidden="false">
          <title xml:lang="en-US">Set BIOS Password</title>
          <description xml:lang="en-US"> The BIOS (on x86 systems) is the first code to
						execute during system startup and controls many important system parameters,
						including which devices the system will try to boot from, and in which
						order. Assign a password to prevent any unauthorized changes to the BIOS
						configuration. The exact steps will vary depending on your machine, but are
						likely to include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Reboot the machine.</xhtml:li>
							<xhtml:li>Press the appropriate key during the initial boot screen (F2
								is typical)</xhtml:li>
							<xhtml:li>Navigate the BIOS configuration menu to add a
								password.</xhtml:li>
						</xhtml:ol> The exact process will be system-specific and the system's
						hardware manual may provide detailed instructions. This password should
						prevent attackers with physical access from attempting to change important
						parameters.
						However, an attacker with physical access can usually clear the BIOS
						password. The password should be written down and stored in a
						physically-secure location, such as a safe, in the event that it is
						forgotten and must be retrieved.</description>
        </Group>
        <Group id="gr-accounts-physical.2" hidden="false">
          <title xml:lang="en-US">Boot Loader Password</title>
          <description xml:lang="en-US"> During the boot process, the boot loader is
						responsible for starting the execution of the kernel and passing options to
						it. The boot loader allows for the selection of different kernels – possibly
						on different partitions or media. Options it can pass to the kernel include
						'single-user mode,' which provides root access without any authentication,
						and the ability to disable SELinux. To prevent local users from modifying
						the boot parameters and endangering security, the boot loader configuration
						should be protected with a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default RHEL boot loader for x86 systems is called GRUB. To
						protect its configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Select a password and then generate a hash from it by running: <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># grub-crypt --sha-512 </xhtml:code>
							</xhtml:li>
							<xhtml:li>Insert the following line into /boot/grub/grub.conf immediately
								after the header comments. (Use the output from grub-crypt as
								the value of password-hash ): <xhtml:br/>
								<xhtml:br/>
								<xhtml:code>password --encrypted password-hash </xhtml:code>
							</xhtml:li>
							<xhtml:li>Verify the ownership and permissions on /boot/grub/grub.conf
								(/etc/grub.conf is a symlink to ../boot/grub/grub.conf, so both paths
								refer to the same file): <xhtml:br/>
								<xhtml:br/>
								<xhtml:code> # chown root:root /boot/grub/grub.conf</xhtml:code><xhtml:br/>
								<xhtml:code> # chmod 600 /boot/grub/grub.conf</xhtml:code>
							</xhtml:li>
						</xhtml:ol> Boot loaders for other platforms should offer a similar password
						protection feature.</description>
          <Value id="var-1064" operator="equals" type="string">
            <title xml:lang="en-US">User that owns /boot/grub/grub.conf</title>
            <description xml:lang="en-US">Choose user that should own
							/boot/grub/grub.conf</description>
	    <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Value id="var-1065" operator="equals" type="string">
            <title xml:lang="en-US">Group that owns /boot/grub/grub.conf</title>
            <description xml:lang="en-US">Choose group that should own
							/boot/grub/grub.conf</description>
	    <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Rule id="rule-1064" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Boot Loader user owner</title>
            <description xml:lang="en-US">Boot Loader configuration file should be owned by root.</description>
            <ident system="http://cce.mitre.org">CCE-4144-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1064" value-id="var-1064"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1064" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1065" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Boot Loader group owner</title>
            <description xml:lang="en-US">Boot Loader configuration file should be owned by group
							root.</description>
            <ident system="http://cce.mitre.org">CCE-4197-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1065" value-id="var-1065"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1065" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1066" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on boot loader</title>
            <description xml:lang="en-US">Boot Loader configuration file permissions should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-3923-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1066" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1067" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Enable Boot Loader Password</title>
            <description xml:lang="en-US">The grub boot loader should have sha-512 password protection
							enabled</description>
            <ident system="http://cce.mitre.org">CCE-3818-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1067" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.3" hidden="false">
          <title xml:lang="en-US">Require Authentication for Single-User Mode</title>
          <description xml:lang="en-US"> Single-user mode is intended as a system recovery
						method, providing a single user root access to the system by providing a
						boot option at startup. By default, no authentication is performed if
						single-user mode is selected. This provides a trivial mechanism of bypassing
						security on the machine and gaining root access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To require entry of the root password even if the system is
						started in single-user mode, change the SINGLE value in /etc/sysconfig/init as follows:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
	                                        <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SINGLE=/sbin/sulogin</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This setting is only effective together with the boot loader
						password described above: a user who can edit the kernel command line at boot
						can otherwise still bypass it.</description>
          <Rule id="rule-1068" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Require Authentication for Single-User Mode</title>
            <description xml:lang="en-US">A password should be required to boot into single-user mode.</description>
            <ident system="http://cce.mitre.org">CCE-4241-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1068" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.4" hidden="false">
          <title xml:lang="en-US">Disable Interactive Boot</title>
          <description xml:lang="en-US"> Edit the file /etc/sysconfig/init. Add or correct
						the setting:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PROMPT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The PROMPT option allows the console user
						to perform an interactive system startup, in which it is possible to select
						the set of services which are started on boot. Using interactive boot, the
						console user could disable auditing, firewalls, or other services, weakening
						system security.</description>
          <Rule id="rule-1069" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable Interactive Boot</title>
            <description xml:lang="en-US">The ability for users to perform interactive startups should be
							disabled.</description>
            <ident system="http://cce.mitre.org">CCE-4245-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1069" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.5" hidden="false">
          <title xml:lang="en-US">Implement Inactivity Time-out for Login Shells</title>
          <description xml:lang="en-US"> If the system does not run X Windows, then the
						login shells can be configured to automatically log users out after a period
						of inactivity. The following instructions are not practical for systems
						which run X Windows, as they will close terminal windows in the X
						environment. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To implement a 15-minute idle time-out for the default /bin/bash
						shell, create a new file tmout.sh in the directory /etc/profile.d with the
						following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TMOUT=900 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> readonly TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> export TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To implement a 15-minute idle time-out for the tcsh shell,
						create a new file autologout.csh in the directory /etc/profile.d with the
						following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> set -r autologout=15 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Similar actions should be taken for any other login shells used. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The example time-out here of 15 minutes should be adjusted to
						whatever your security policy requires. The readonly line for bash and the
						-r option for tcsh can be omitted if policy allows users to override the
						value. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The automatic shell logout only occurs when the shell is the
						foreground process. If, for example, a vi session is left idle, then
						automatic logout would not occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When logging in through a remote connection, as with SSH, it may
						be more effective to set the timeout value directly through that service.</description>
          <Value id="var-1070" operator="equals" type="number">
            <title xml:lang="en-US">Inactivity timeout</title>
            <description xml:lang="en-US">Choose allowed duration of inactive SSH
							connections, shells, and X sessions</description>
            <value>15</value>
            <value selector="0_minutes">0</value>
            <value selector="10_minutes">10</value>
            <value selector="15_minutes">15</value>
          </Value>
          <Rule id="rule-1070" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Enforce an inactivity timeout for Bourne shells</title>
            <description xml:lang="en-US">Bourne shells should be closed after <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1070"/> minutes of inactivity.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1070" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1071" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Enforce an inactivity timeout for C shells</title>
            <description xml:lang="en-US">C shells should be closed after <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1070"/> minutes of inactivity.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1071" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-physical.6" hidden="false">
          <title xml:lang="en-US">Configure Screen Locking</title>
          <description xml:lang="en-US"> When a user must temporarily leave an account
						logged-in, screen locking should be employed to prevent passersby from
						abusing the account. User education and training is particularly important
						for screen locking to be effective. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A policy should be implemented that trains all users to lock the
						screen when they plan to temporarily step away from a logged-in account.
						Automatic screen locking is only meant as a safeguard for those cases where
						a user forgot to lock the screen.</description>
          <Group id="gr-accounts-physical.6.1" hidden="false">
            <title xml:lang="en-US">Configure GUI Screen Locking</title>
            <description xml:lang="en-US"> In the default GNOME desktop, the screen can
							be locked by choosing Lock Screen from the System menu. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The gconftool-2 program can be used to enforce mandatory
							screen locking settings for the default GNOME environment. Run the
							following commands to enforce idle activation of the screen saver,
							screen locking, a blank-screen screensaver, and 15-minute idle
							activation time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source	xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type bool
							--set /apps/gnome-screensaver/idle_activation_enabled true
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source	xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type bool
							--set /apps/gnome-screensaver/lock_enabled true
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type string
							--set /apps/gnome-screensaver/mode blank-only
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# gconftool-2 --direct
							--config-source	xml:readwrite:/etc/gconf/gconf.xml.mandatory
							--type int
							--set /desktop/gnome/session/idle_delay 15
							</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default setting of 15 minutes for idle activation is
							reasonable for many office environments, but the setting should conform
							to whatever policy is defined. The screensaver mode blank-only is
							selected to conceal the contents of the display from passersby. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because users should be trained to lock the screen when they
							step away from the computer, the automatic locking feature is only meant
							as a backup. The Lock Screen icon from the System menu can also be
							dragged to the taskbar in order to facilitate even more convenient
							screen-locking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The root account cannot be screen-locked, but this should
							have no practical effect as the root account should never be used to log
							into an X Windows environment, and should only be used for direct
							login via console in emergency circumstances. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For more information about configuring GNOME screensaver,
							see http://live.gnome.org/GnomeScreensaver. For more information about
							enforcing preferences in the GNOME environment using the GConf
							configuration system, see http://www.gnome.org/projects/gconf and the
							man page gconftool-2(1).</description>
            <Rule id="rule-1072" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Implement Inactivity Time-out for GNOME</title>
              <description xml:lang="en-US">The idle time-out value for GNOME
								desktop lockout should be 15 minutes</description>
              <ident system="http://cce.mitre.org">CCE-3315-9</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1072" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1073" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">The gnome desktop screensaver should be enabled.</title>
              <description xml:lang="en-US">Idle activation of the screen saver should be
								enabled</description>
              <ident system="http://cce.mitre.org">CCE-14604-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1073" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1074" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Lock the screensaver with a password</title>
              <description xml:lang="en-US">The screensaver should ask for a password</description>
              <ident system="http://cce.mitre.org">CCE-14023-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1074" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1075" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Implement blank screen saver</title>
              <description xml:lang="en-US">The screen saver should be blank</description>
              <ident system="http://cce.mitre.org">CCE-14735-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1075" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-accounts-physical.6.2" hidden="false">
            <title xml:lang="en-US">Configure Console Screen Locking</title>
            <description xml:lang="en-US"> A console screen locking mechanism is
							provided in the vlock package, which is not installed by default. If the
							ability to lock console screens is necessary, install the vlock package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vlock <xhtml:br/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Instruct users to invoke the program when necessary, in
							order to prevent passersby from abusing their login: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ vlock <xhtml:br/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The -a option can be used to prevent switching to other
							virtual consoles.</description>
            <Rule id="rule-1076" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure console screen locking</title>
              <description xml:lang="en-US">The vlock package should be installed</description>
              <ident system="http://cce.mitre.org">CCE-3910-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1076" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-accounts-physical.7" hidden="false">
          <title xml:lang="en-US">Disable Unnecessary Ports</title>
          <description xml:lang="en-US"> Though unusual, some systems may be managed only
						remotely and yet also exposed to risk from attackers with direct physical
						access to them. In these cases, reduce an attacker’s access to the system by
						disabling unnecessary external ports (e.g. USB, FireWire, NIC) in the
						system’s BIOS.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Disable ports on the system which are not necessary for normal
						system operation. The exact steps will vary depending on your machine, but
						are likely to include: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Reboot the machine.</xhtml:li>
							<xhtml:li>Press the appropriate key during the initial boot screen (F2
								is typical). </xhtml:li>
							<xhtml:li>Navigate the BIOS configuration menu to disable ports, such as
								USB, FireWire, and NIC.</xhtml:li>
						</xhtml:ol>
					</description>
          <warning xml:lang="en-US">Disabling USB ports is particularly unusual and will
						cause problems for important input devices such as keyboards or mice
						attached to the system.</warning>
        </Group>
      </Group>
      <Group id="gr-accounts-centralized" hidden="false">
        <title xml:lang="en-US">Use a Centralized Authentication Service</title>
        <description xml:lang="en-US"> A centralized authentication service is any method of
					maintaining central control over account and authentication data and of keeping
					this data synchronized between machines. Such services can range in complexity
					from a script which pushes centrally-generated password files out to all
					machines, to a managed scheme such as LDAP or Kerberos. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If authentication information is not centrally managed, it quickly
					becomes inconsistent, leading to out-of-date credentials and forgotten accounts
					which should have been deleted. In addition, many older protocols (such as NFS)
					make use of the UID to identify users over a network. This is not a good
					practice, and these protocols should be avoided if possible. However, since most
					sites must still make use of some older protocols, having consistent UIDs and
					GIDs site-wide is a significant benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Centralized authentication services do have the disadvantage that
					authentication information must be transmitted over a network, leading to a risk
					that credentials may be intercepted or manipulated. Therefore, these services
					must be deployed carefully. The following precautions should be taken when
					configuring any authentication service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>Ensure that authentication information and any sensitive account
							information are never sent over the network unencrypted.</xhtml:li>
						<xhtml:li>Ensure that the root account has a local password, to allow
							recovery in case of network outage or authentication server
							failure.</xhtml:li>
					</xhtml:ul> This guide recommends the use of LDAP. Kerberos is also
					a good choice for a centralized authentication service, but a description of its
					configuration is beyond the scope of this guide. The NIS service is not
					recommended, and should be considered obsolete. </description>
      </Group>
      <Group id="gr-accounts-banners" hidden="false">
        <title xml:lang="en-US">Warning Banners for System Accesses</title>
        <description xml:lang="en-US"> Each system should expose as little information about
					itself as possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> System banners, which are typically displayed just before a login
					prompt, give out information about the service or the host's operating system.
					This might include the distribution name and the system kernel version, and the
					particular version of a network service. This information can assist intruders
					in gaining access to the system as it can reveal whether the system is running
					vulnerable software. Most network services can be configured to limit what
					information is displayed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Many organizations implement security policies that require that a system
					banner provide notice of the system's ownership, provide warning to unauthorized
					users, and remind authorized users of their consent to monitoring.</description>
        <Value id="var-1077" operator="equals" type="string">
          <title xml:lang="en-US">login banner verbiage</title>
          <description xml:lang="en-US">Enter an appropriate login banner for your
					organization</description>
	  <value/>
        </Value>
        <Group id="gr-accounts-banners.1" hidden="false">
          <title xml:lang="en-US">Modify the System Login Banner</title>
          <description xml:lang="en-US"> The contents of the file /etc/issue are displayed
						on the screen just above the login prompt for users logging directly into a
						terminal. Remote login programs such as SSH or FTP can be configured to
						display /etc/issue as well.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, the system will display the version of the OS, the
						kernel version, and the host name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/issue. Replace the default text with a message
						compliant with the local site policy or a legal disclaimer.</description>
          <Rule id="rule-1077" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Modify the System Login Banner</title>
            <description xml:lang="en-US">The system login banner text should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1077"/>
						</description>
            <ident system="http://cce.mitre.org">CCE-4060-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1077" value-id="var-1077"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1077" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-accounts-banners.2" hidden="false">
          <title xml:lang="en-US">Implement a GUI Warning Banner</title>
          <description xml:lang="en-US"> In the default graphical environment, users
						logging directly into the system are greeted with a login screen provided by
						the GNOME display manager. The warning banner should be displayed in this
						graphical environment for these users.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Configure the banner using the following commands:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						# gconftool-2 --direct
						--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
						--type bool
						--set /apps/gdm/simple-greeter/banner_message_enable true
						</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						# gconftool-2 --direct
						--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
						--type string
						--set /apps/gdm/simple-greeter/banner_message_text 'YOUR_TEXT'
						</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
	  </description>
          <Rule id="rule-1078" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Implement a GUI Warning Banner</title>
            <description xml:lang="en-US">The direct gnome login warning banner text should be set
							appropriately</description>
            <ident system="http://cce.mitre.org">CCE-4188-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1077" value-id="var-1077"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1078" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-selinux" hidden="false">
      <title xml:lang="en-US">SELinux</title>
      <description xml:lang="en-US"> SELinux is a feature of the Linux kernel which can be
				used to guard against misconfigured or compromised programs. SELinux enforces the
				idea that programs should be limited in what files they can access and what actions
				they can take. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default SELinux policy, as configured on RHEL6,
				should be usable on almost any RHEL
				machine with minimal configuration and a small amount of system administrator
				training. This policy prevents system services — including most of the common
				network-visible services such as mail servers, ftp servers, and DNS servers — from
				accessing files which those services have no valid reason to access. This action
				alone prevents a huge amount of possible damage from network attacks against
				services, from trojaned software, and so forth. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide recommends that SELinux be enabled using the default
				(targeted) policy on every RHEL system, unless that system has requirements which
				make a stronger policy appropriate.</description>
      <Group id="gr-selinux-intro" hidden="false">
        <title xml:lang="en-US">How SELinux Works</title>
        <description xml:lang="en-US"> In the traditional Linux/Unix security model, known
					as Discretionary Access Control (DAC), processes run under a user and group
					identity, and enjoy that user and group's access rights to all files and other
					objects on the system. This system brings with it a number of security problems,
					most notably: that processes frequently do not need and should not have the full
					rights of the user who ran them; that user and group access rights are not very
					granular, and may require administrators to allow too much access in order to
					allow the access that is needed; that the Unix filesystem contains many
					resources (such as temporary directories and world-readable files) which are
					accessible to users who have no legitimate reason to access them; and that
					legitimate users can easily provide open access to their own resources through
					confusion or carelessness. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> SELinux provides a Mandatory Access Control (MAC) system that
					greatly augments the DAC model. Under SELinux, every process and every object
					(e.g. file, socket, pipe) on the system is given a security context, a label
					which includes detailed type information about the object. The kernel allows
					processes to access objects only if that access is explicitly allowed by the
					policy in effect. The policy defines transitions, so that a user can be allowed
					to run software, but the software can run under a different context than the
					user's default. This automatically limits the damage that the software can do to
					files accessible by the calling user — the user does not need to take any action
					to gain this benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For an action to occur, both the traditional DAC permissions must be
					satisfied as well as SELinux's MAC rules. If either does not permit the action,
					then it will not be allowed. In this way, SELinux rules can only make a system's
					permissions more restrictive and secure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> SELinux requires a complex policy in order to allow all the actions
					required of a system under normal operation. Three such policies have been
					designed for use with RHEL6, and are included with the system. In increasing
					order of power and complexity, they are: targeted, strict (which is no longer provided
					as a separate package but is part of the targeted policy package; the process
					of building a strict policy is described later) and mls. The targeted
					SELinux policy consists mostly of Type Enforcement (TE) rules, and a small
					number of Role-Based Access Control (RBAC) rules. It restricts the actions of
					many types of programs, but leaves interactive users largely unaffected. The
					strict policy also uses TE and RBAC rules, but on more programs and more
					aggressively. The mls policy implements Multi-Level Security (MLS), which
					introduces even more kinds of labels — sensitivity and category — and rules that
					govern access based on these. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The remainder of this section provides guidance for the
					configuration of the targeted policy and the administration of systems under
					this policy. Some pointers will be provided for readers who are interested in
					further strengthening their systems by using one of the stricter policies
					provided with RHEL6 or in writing their own policy.</description>
      </Group>
      <Group id="gr-selinux-enable" hidden="false">
        <title xml:lang="en-US">Enable SELinux</title>
        <description xml:lang="en-US"> SELinux is enabled by default on RHEL6. The file /etc/selinux/config should contain
					the following lines for targeted policy: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUX=enforcing </xhtml:code> 
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=targeted </xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit the file /boot/grub/grub.conf. Ensure that the following arguments DO
					NOT appear on any kernel command line in the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">selinux=0 </xhtml:code> or
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">enforcing=0 </xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The directive SELINUX=enforcing enables SELinux at boot time. If
					SELinux is causing a lot of problems or preventing the system from booting, it
					is possible to boot into the warning-only mode SELINUX=permissive for debugging
					purposes. Make certain to change the mode back to enforcing after debugging, set
					the filesystems to be relabeled for consistency using the command touch
					/.autorelabel, and reboot. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, the RHEL6 default SELinux configuration should be
					sufficiently reasonable that most systems will boot without serious problems.
					Some applications that require deep or unusual system privileges may not be compatible with SELinux in its default
					configuration. However, this should be uncommon, and SELinux's application
					support continues to improve. In other cases, SELinux may reveal unusual or
					insecure program behavior by design. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The directive SELINUXTYPE=targeted configures SELinux to use the
					default targeted policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The SELinux boot mode specified in /etc/selinux/config can be
					overridden by command-line arguments passed to the kernel. It is necessary to
					check grub.conf to ensure that this has not been done and to protect the
					bootloader against unauthorized configuration change.</description>
        <Value id="var-1080" operator="equals" type="string">
          <title xml:lang="en-US">SELinux state</title>
          <description xml:lang="en-US"> enforcing - SELinux security policy is enforced.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> permissive - SELinux prints warnings instead of
						enforcing.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> disabled - SELinux is fully disabled. </description>
          <value>enforcing</value>
          <value selector="enforcing">enforcing</value>
          <value selector="permissive">permissive</value>
          <value selector="disabled">disabled</value>
        </Value>
        <Value id="var-1081" operator="equals" type="string">
          <title xml:lang="en-US">SELinux policy</title>
          <description xml:lang="en-US"> Type of policy in use. Possible values
						are:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> targeted - Only targeted network daemons are
						protected.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> strict - Full SELinux protection.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> mls -
						Multi-level security</description>
          <value>targeted</value>
          <value selector="targeted">targeted</value>
          <value selector="strict">strict</value>
          <value selector="mls">mls</value>
        </Value>
        <Group id="gr-selinux-enable.1" hidden="false">
          <title xml:lang="en-US">Ensure SELinux is Properly Enabled</title>
          <description xml:lang="en-US"> Run the command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ /usr/sbin/sestatus<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If the system is properly configured, the output should indicate:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>SELinux status: enabled</xhtml:li>
							<xhtml:li>Current mode: enforcing</xhtml:li>
							<xhtml:li>Mode from config file: enforcing</xhtml:li>
							<xhtml:li>Policy from config file: targeted</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
        <Rule id="rule-1079" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">accepted</status>
          <title xml:lang="en-US">SELinux should NOT be disabled in /boot/grub/grub.conf.</title>
          <description xml:lang="en-US">SELinux should NOT be disabled in /boot/grub/grub.conf. Check that
						selinux=0 does not appear on any kernel command line in the file.</description>
          <ident system="http://cce.mitre.org">CCE-3977-6</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:org.open-scap.rhel6:def:1079" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
        <Rule id="rule-1080" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">draft</status>
          <title xml:lang="en-US">Proper SELinux state</title>
          <description xml:lang="en-US">The SELinux state should be set appropriately</description>
          <ident system="http://cce.mitre.org">CCE-3999-0</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:org.open-scap.rhel6:var:1080" value-id="var-1080"/>
            <check-content-ref name="oval:org.open-scap.rhel6:def:1080" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
        <Rule id="rule-1081" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">accepted</status>
          <title xml:lang="en-US">Proper SELinux policy</title>
          <description xml:lang="en-US">The SELinux policy should be set appropriately.</description>
          <ident system="http://cce.mitre.org">CCE-3624-4</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:org.open-scap.rhel6:var:1081" value-id="var-1081"/>
            <check-content-ref name="oval:org.open-scap.rhel6:def:1081" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="gr-selinux-daemons" hidden="false">
        <title xml:lang="en-US">Disable Unnecessary SELinux Daemons</title>
        <description xml:lang="en-US"> Several daemons are installed by default as part of
					the RHEL6 SELinux support mechanism. These daemons may improve the system's
					ability to enforce SELinux policy in a useful fashion, but may also represent
					unnecessary code running on the machine, increasing system risk. If these
					daemons are available in your RHEL6 installation and are not needed on your system, 
					they should be disabled.</description>
        <Group id="gr-selinux-daemons.1" hidden="false">
          <title xml:lang="en-US">Remove SETroubleshoot if Possible</title>
          <description xml:lang="en-US"> Is there a mission-critical reason to allow users
						to view SELinux denial information using the sealert GUI? If not, 
						remove the setroubleshoot packages:
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ yum remove setroubleshoot-\*<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The setroubleshoot service, 
						which is now a D-Bus system service, is a facility for notifying the
						desktop user of SELinux denials in a user-friendly fashion. SELinux errors
						may provide important information about intrusion attempts in progress, or
						may give information about SELinux configuration problems which are
						preventing correct system operation. In order to maintain a secure and
						usable SELinux installation, error logging and notification are necessary. 
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, 
						setroubleshoot is a service which has complex
						functionality, which runs a daemon and uses D-Bus to distribute information
						which may be sensitive, or even to allow users to modify SELinux settings. 
						This guide recommends removing setroubleshoot and using the kernel audit functionality
						to monitor SELinux's behavior.</description>

          <Rule id="rule-1082" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Remove SETroubleshoot</title>
            <description xml:lang="en-US">The setroubleshoot-server package should not be installed.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1082" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-selinux-daemons.2" hidden="false">
          <title xml:lang="en-US">Disable MCS Translation Service (mcstrans) if Possible</title>
          <description xml:lang="en-US"> Unless there is some overriding need for the
						convenience of category label translation, disable the MCS translation
						service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mcstrans off <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The mcstransd daemon provides the category label translation
						information defined in /etc/selinux/targeted/setrans.conf to client
						processes which request this information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Category labelling is unlikely to be used except in sites with
						special requirements. Therefore, it should be disabled in order to reduce
						the amount of potentially vulnerable code running on the system.</description>
          <Rule id="rule-1083" selected="false" weight="10.000000" severity="low">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Disable MCS Translation Service (mcstrans) if Possible</title>
            <description xml:lang="en-US">The mcstrans service should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-3668-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1083" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-selinux-daemons.3" hidden="false">
          <title xml:lang="en-US">Restorecon Service (restorecond)</title>
          <description xml:lang="en-US"> The restorecond daemon monitors a list of files
						which are frequently created or modified on running systems, and whose
						SELinux contexts are not set correctly. It looks for creation events related
						to files listed either in /etc/selinux/restorecond.conf or restorecond_user.conf, 
						and sets the contexts of those files when they are discovered.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The restorecond program is fairly simple, so it brings low risk,
						but, in its default configuration, does not add much value to a system. An
						automated program such as restorecond may be used to monitor problematic
						files for context problems, or system administrators may be trained to check
						file contexts of newly-created files using the command ls -lZ, and to repair
						contexts manually using the restorecon command. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide makes no recommendation either for or against the use
						of restorecond.</description>
        </Group>
      </Group>
      <Group id="gr-selinux-unconfined" hidden="false">
        <title xml:lang="en-US">Check for Unconfined Daemons</title>
        <description xml:lang="en-US"> Daemons that SELinux policy does not know about will
					inherit the context of the parent process. Because daemons are launched during
					startup and descend from the init process, they inherit the initrc_t context.
					This is a problem because it may cause AVC denials, or it could allow privileges
					that the daemon does not require. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To check for unconfined daemons, run the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
					# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
					<xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It should produce no output in a well-configured
					system.</description>
      </Group>
      <Group id="gr-selinux-unlabeled" hidden="false">
        <title xml:lang="en-US">Check for Unlabeled Device Files</title>
        <description xml:lang="en-US"> Device files are used for communication with important
					system resources. SELinux contexts should exist for these. If a device file is
					not labeled, then misconfiguration is likely.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To check for unlabeled device files, run the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z /dev | grep unlabeled_t<xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It should produce no output in a well-configured
					system.</description>
      </Group>
      <Group id="gr-selinux-debugging" hidden="false">
        <title xml:lang="en-US">Debugging SELinux Policy Errors</title>
        <description xml:lang="en-US"> SELinux's default policies have improved
					significantly over time, and most systems should have few problems using the
					targeted SELinux policy. However, policy problems may still occasionally prevent
					accesses which should be allowed. This is especially true if your site runs any
					custom or heavily modified applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section gives some brief guidance on discovering and repairing
					SELinux-related access problems. Guidance given here is necessarily draft, but
					should provide a starting point for debugging. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you suspect that a permission error or other failure may be
					caused by SELinux (and are certain that misconfiguration of the traditional Unix
					permissions is not the cause of the problem), search the audit logs for AVC
					events: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch -m AVC,USER_AVC -sv no <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The output of this command will be a set of events. The timestamp,
					along with the comm and pid fields, should indicate which line describes the
					problem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Look up the context under which the process is running. Assuming the
					process ID is PID , find the context by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -p PID -Z <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The AVC denial message should identify the offending file or
					directory. The name field should contain the filename (not the full pathname by
					default), and the ino field can be used to search by inode, if necessary.
					Assuming the file is FILE , find its SELinux context: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z FILE <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> An administrator should suspect an SELinux misconfiguration whenever
					a program gets a 'permission denied' error but the standard Unix permissions
					appear to be correct, or a program fails mysteriously on a task which seems to
					involve file access or network communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> As described earlier, SELinux augments each process with a
					context providing detailed type information about that process. The contexts
					under which processes run may be referred to as subject contexts. Similarly,
					each filesystem object is given a context. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The targeted policy consists of a set of rules, each of which allows
					a subject type to perform some operation on a given object type. The kernel
					stores information about these access decisions in a structure known as the
					Access Vector Cache (AVC), so authorization decisions made by the system are
					audited with the type AVC. It is also possible for userspace modules to
					implement their own policies based on SELinux, and these decisions are audited
					with the type USER_AVC. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> AVC denials are logged by the kernel audit facility (see Section
					2.6.2 for configuration guidance on this subsystem) and may also be visible via
					setroubleshoot. This guide recommends the use of the audit userspace utilities
					to find AVC errors. It is possible to manually locate these errors by looking in
					the file /var/log/audit/audit.log or in /var/log/messages (depending on the
					syslog configuration in effect), but the ausearch tool allows fine-grained
					searching on audit event types, which may be necessary if system call auditing
					is enabled as well. The command line above tells ausearch to look for kernel or
					userspace AVC messages (-m AVC,USER_AVC) where the access attempt did not
					succeed (-sv no). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If an AVC denial occurs when it should not have, the problem is
					generally one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>The program is running with the wrong subject context. This could
							happen as a result of an incorrect context on the program's executable
							file, which could happen if 3rd party software is installed and not
							given appropriate SELinux file contexts. </xhtml:li>
						<xhtml:li>The file has the wrong object context because the current file's
							context does not match the specification. This can occur when files are
							created or modified in certain ways. It is not atypical for
							configuration files to get the wrong contexts after a system
							configuration change performed by an administrator. To repair the file,
							use the command: <xhtml:br/>
							<xhtml:br/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
							# restorecon -v FILE
							</xhtml:code>
							<xhtml:br/>This should produce output indicating that the file's
							context has been changed. The /usr/bin/chcon program can be used to
							manually change a file's context, but this is problematic because the
							change will not persist if it does not agree with the policy-defined
							contexts applied by restorecon.</xhtml:li>
						<xhtml:li>The file has the wrong object context because the specification is
							either incorrect or does not match the way the file is being used on
							this system. In this case, it will be necessary to change the system
							file contexts. <xhtml:br/>
							<xhtml:br/> Run the system-config-selinux tool, and go to the 'File
							Labeling' menu. This will give a list of files and wildcards
							corresponding to file labelling rules on the system. Add a rule which
							maps the file in question to the desired context. As an alternative,
							file contexts can be modified from the command line using the
							semanage(8) tool.</xhtml:li>
						<xhtml:li>The program and file have the correct contexts, but the policy
							should allow some operation between those two contexts which is
							currently not allowed. In this case, it will be necessary to modify the
							SELinux policy. <xhtml:br/>
							<xhtml:br/> Run the system-config-selinux tool, and go to the 'Boolean'
							menu. If your configuration is supported, but is not the Red Hat
							default, then there will be a boolean allowing real-time modification of
							the SELinux policy to fix the problem. Browse through the items in this
							menu, looking for one which is related to the service which is not
							working. As an alternative, SELinux booleans can be modified from the
							command line using the getsebool(8) and setsebool(8) tools. <xhtml:br/>
							<xhtml:br/> If there is no boolean, it will be necessary to create and
							load a policy module. A simple way to build a policy module is to use
							the audit2allow tool. This tool can take input in the format of AVC
							denial messages, and generate syntactically correct Type Enforcement
							rules which would be sufficient to prevent those denials. For example,
							to generate and display rules which would allow all kernel denials seen
							in the past fifteen minutes, run: <xhtml:br/>
							<xhtml:br/>
							<xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow
								<xhtml:br/>
							</xhtml:code>
							<xhtml:br/> It is possible to use audit2allow to directly create a
							module package suitable for loading into the kernel policy. To do this,
							invoke audit2allow with the -M flag: <xhtml:br/>
							<xhtml:br/>
							<xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow -M
								localmodule <xhtml:br/>
							</xhtml:code>
							<xhtml:br/> If this is successful, several lines of output should
							appear. Review the generated TE rules in the file localmodule.te and
							ensure that they express only what you wish to allow: audit2allow permits
							every denial it was fed, including denials that may reflect a
							misconfiguration or an intrusion attempt rather than a gap in the policy. <xhtml:br/>
							<xhtml:br/> The file localmodule.pp should also have been created. This
							file is a policy module package that can be loaded into the kernel. To
							do so, use system-config-selinux, go to the 'Policy Module' menu and use
							the 'Add' button to enable your module package in SELinux, or load it
							from the command line using semodule(8): <xhtml:br/>
							<xhtml:br/>
							<xhtml:code># semodule -i localmodule.pp <xhtml:br/>
							</xhtml:code>
							<xhtml:br/>In RHEL5, if you created a local policy, you sometimes needed to 
							switch to permissive mode globally to make debugging easier. 
							This is no longer needed in RHEL6, which implements permissive domains: 
							a single domain can be made permissive while the rest of the system stays enforcing. <xhtml:br/>
							<xhtml:br/>
							<xhtml:code>semanage permissive -a DOMAIN<xhtml:br/>
							</xhtml:code>
							<xhtml:br/> Section 45.2 of [9] covers this procedure in
							detail.</xhtml:li>
					</xhtml:ul>
				</description>
      </Group>
      <Group id="gr-selinux-strengthening" hidden="false">
        <title xml:lang="en-US">Further Strengthening</title>
        <description xml:lang="en-US"> The recommendations up to this point have discussed
					how to configure and maintain a system under the default configuration of the
					targeted policy, which constrains only the actions of daemons and system
					software. This guide strongly recommends that any site which is not currently
					using SELinux at all transition to the targeted policy, to gain the substantial
					security benefits provided by that policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, the default policy provides only a subset of the full
					security gains available from using SELinux. In particular, the SELinux policy
					is also capable of constraining the actions of interactive users, of providing
					compartmented access by sensitivity level (MLS) and/or category (MCS), and of
					restricting certain types of system actions using booleans beyond the RHEL6
					defaults. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section introduces other uses of SELinux which may be possible,
					and provides links to some outside resources about their use. Detailed
					description of how to implement these steps is beyond the scope of this
					guide.</description>
        <Group id="gr-selinux-strengthening.1" hidden="false">
          <title xml:lang="en-US">Strengthen the Default SELinux Boolean Configuration</title>
          <description xml:lang="en-US"> SELinux booleans are used to enable or disable
						segments of policy to comply with site policy. Booleans may apply to the
						entire system or to an individual daemon. For instance, the boolean
						allow_execstack, if enabled, allows programs to make part of their stack memory
						region executable. The boolean ftp_home_dir allows ftpd processes to 
						access user home directories,
						and applies only to daemons which implement FTP. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ getsebool -a
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ semanage boolean -l <xhtml:br/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> lists the values of all SELinux booleans on the system. Section
						2.4.5 discussed loosening boolean values in order to debug functionality
						problems which occur under more restrictive defaults. It is also useful to
						examine and strengthen the boolean settings, to disable functionality which
						is not required by legitimate programs on your system, but which might be
						symptomatic of an attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> See the manpages booleans(8), 
						getsebool(8), setsebool(8) and semanage(8) for
						general information about booleans. There are also manual pages for several
						subsystems which discuss the use of SELinux with those systems. Examples
						include ftpd_selinux(8), httpd_selinux(8), and nfs_selinux(8). Another good
						reference is the html documentation distributed with the selinux-policy RPM.
						This documentation is stored under <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> /usr/share/doc/selinux-policy-version/html/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The pages global_tunables.html and global_booleans.html may be
						useful when examining booleans.</description>
        </Group>
        <Group id="gr-selinux-strengthening.2" hidden="false">
          <title xml:lang="en-US">Use a Stronger Policy</title>
          <description xml:lang="en-US"> Using a stronger policy can greatly enhance
						security, but will generally require customization to be compatible with the
						particular system's purpose, and this may be costly or time consuming. Under
						the targeted policy, interactive processes are given the type unconfined_t,
						so interactive users are not constrained by SELinux even if they attempt to
						take strange or malicious actions.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						Previously, in RHEL5, a strict policy was available and could be installed 
						from the selinux-policy-strict package. In RHEL6, the strict and targeted 
						policies are combined. Two SELinux policy modules, unconfined.pp and 
						unconfineduser.pp, are optional, and disabling both gives the equivalent of 
						the strict policy. As a first step, you can disable only the unconfined.pp 
						module. This brings you closer to the strict policy, but still leaves user 
						domains unconfined, along with some domains that it does not make sense to 
						confine (anaconda, firstboot, kernel, rpm); the unconfined_t user also still exists.

						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semodule -d unconfined</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>

						You can then disable all unconfined domains by disabling the unconfineduser 
						module, which is equivalent to the strict policy. Before disabling the 
						unconfineduser module, you must first map all of your users, including root, 
						to confined SELinux users using the semanage tool:

						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -m -s staff_u root</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -m -s staff_u __default__</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage user -d unconfined_u</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage user -m -R "staff_r system_r sysadm_r" staff_u</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semodule -d unconfineduser</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Note: Confined users are one of the RHEL6 features. This means that the 
						unconfined.pp and unconfineduser.pp policy modules can remain enabled 
						while individual users are still confined. This is done by adding login 
						mappings between Linux users and confined SELinux users.
						
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -a -s user_u -r s0-s0:c0.c1023 USERNAME1</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -a -s staff_u -r s0-s0:c0.c1023 USERNAME2</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>The mls policy type can be used to enforce sensitivity or category labelling, 
						and requires site-specific configuration of these labels in order to be useful. 
						To use this policy, install the appropriate policy package:
						
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-mls</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Then edit /etc/selinux/config and correct the line:
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>	
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						SELINUXTYPE=mls</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>	
						Configure the system to boot into run level 3 by default: 
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						sed -i "s/^id:5:initdefault:/id:3:initdefault:/g" /etc/inittab
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						Note: Switching between policies typically requires the entire disk to be 
						relabelled, so that files get the appropriate SELinux contexts under 
						the new policy. Create the autorelabel flag file

						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">touch /.autorelabel; reboot</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						and, for that one boot only, add the kernel command-line option
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
						enforcing=0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> 
						to relabel the disk, then reboot normally. Do not add this option permanently 
						to grub.conf: that would leave the system in permissive mode at every boot, 
						which the grub.conf rule above is meant to prevent. 
						</description>
						
        </Group>
      </Group>
      <Group id="gr-selinux-references" hidden="false">
        <title xml:lang="en-US">SELinux References</title>
        <description xml:lang="en-US">
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>NSA SELinux resources:<xhtml:br/>
							<xhtml:ul>
								<xhtml:li>Web page: http://www.nsa.gov/selinux/</xhtml:li>
								<xhtml:li>Mailing list: selinux@tycho.nsa.gov <xhtml:br/> List
									information at:
									http://www.nsa.gov/selinux/info/list.cfm</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Fedora SELinux resources:<xhtml:br/>
							<xhtml:ul>
								<xhtml:li>FAQ: http://docs.fedoraproject.org/selinux-faq/</xhtml:li>
								<xhtml:li>Wiki: http://fedoraproject.org/wiki/SELinux/</xhtml:li>
								<xhtml:li>Mailing list: fedora-selinux-list@redhat.com <xhtml:br/>
									List information at:
									https://www.redhat.com/mailman/listinfo/fedora-selinux-list</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Chapters 43–45 of Red Hat Enterprise Linux 5: Deployment Guide
							[9]</xhtml:li>
						<xhtml:li>The book SELinux by Example: Using Security Enhanced Linux
							[13]</xhtml:li>
					</xhtml:ul>
				</description>
      </Group>
    </Group>
    <Group id="gr-networking" hidden="false">
      <title xml:lang="en-US">Network Configuration and Firewalls</title>
      <description xml:lang="en-US"> Most machines must be connected to a network of some
				sort, and this brings with it the substantial risk of network attack. This section
				discusses the security impact of decisions about networking which must be made when
				configuring a system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section also discusses firewalls, network access controls, and
				other network security frameworks, which allow system-level rules to be written that
				can limit attackers' ability to connect to your system. These rules can specify that
				network traffic should be allowed or denied from certain IP addresses, hosts, and
				networks. The rules can also specify which of the system's network services are
				available to particular hosts or networks.</description>
      <Group id="gr-networking-sysctl" hidden="false">
        <title xml:lang="en-US">Kernel Parameters which Affect Networking</title>
        <description xml:lang="en-US"> The sysctl utility is used to set a number of
					parameters which affect the operation of the Linux kernel. Several of these
					parameters are specific to networking, and the configuration options in this
					section are recommended.</description>
        <Group id="gr-networking-sysctl.1" hidden="false">
          <title xml:lang="en-US">Network Parameters for Hosts Only</title>
          <description xml:lang="en-US"> Is this system going to be used as a firewall or
						gateway to pass IP traffic between different networks? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If not,
						edit the file /etc/sysctl.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.ip_forward = 0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.send_redirects = 0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.send_redirects = 0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These settings disable hosts from performing network
						functionality which is only appropriate for routers.</description>
          <Rule id="rule-1084" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default setting for sending ICMP redirects is configured to be disabled (runtime)</title>
            <description xml:lang="en-US">The default setting for sending ICMP redirects should be
							disabled for network interfaces.</description>
            <ident system="http://cce.mitre.org">CCE-4151-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1084" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1085" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Sending ICMP redirects for all interfaces is configured to be disabled</title>
            <description xml:lang="en-US">Sending ICMP redirects should be disabled for all
							interfaces.</description>
            <ident system="http://cce.mitre.org">CCE-4155-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1085" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1086" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">IP forwarding is configured to be disabled</title>
            <description xml:lang="en-US">IP forwarding should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-3561-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1086" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking-sysctl.2" hidden="false">
          <title xml:lang="en-US">Network Parameters for Hosts and Routers</title>
          <description xml:lang="en-US"> Edit the file /etc/sysctl.conf and add or correct
						the following lines (they take effect at the next boot, or immediately after running sysctl -p as root): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.all.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.all.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.all.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.all.log_martians = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.conf.default.log_martians = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.icmp_echo_ignore_broadcasts = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.icmp_ignore_bogus_error_responses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						net.ipv4.tcp_syncookies = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.all.rp_filter = 1
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.default.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These options improve Linux's ability to defend against certain
						types of IPv4 protocol attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_source_route, accept_redirects, and secure_redirects
						options are turned off to disable IPv4 protocol features which are
						considered to have few legitimate uses and to be easy to abuse. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The log_martians option, when set to 1, logs several types of
						suspicious packets, such as spoofed packets, source-routed packets, and
						redirects; a value of 0 disables this logging. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The icmp_echo_ignore_broadcasts and icmp_ignore_bogus_error_responses
						options protect against ICMP-based attacks, such as the system being used as a broadcast (smurf) amplifier. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The tcp_syncookies option uses a cryptographic feature called
						SYN cookies to allow machines to continue to accept legitimate connections
						when faced with a SYN flood attack. See [12] for further information on this
						option. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rp_filter option enables the source validation (reverse path
						filtering) recommended by RFC 3704: a packet is dropped if a reply to its source address would not be
						routed out through the interface on which it arrived. It should not be used on routers for complex or
						asymmetrically routed networks, where it can drop legitimate traffic, but is helpful for end hosts and
						routers serving small networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For more information on any of these, see the file
						Documentation/networking/ip-sysctl.txt in the Linux kernel source tree.</description>
          <Value id="var-1087" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.accept_source_route</title>
            <description xml:lang="en-US">Accept source routing?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1088" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.accept_redirects</title>
            <description xml:lang="en-US">Accept ICMP Redirects?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1089" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.secure_redirects</title>
            <description xml:lang="en-US">Accept redirects from gateways known in routing table?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1090" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.log_martians</title>
            <description xml:lang="en-US">Log Spoofed Packets, Source Routed Packets, Redirect Packets?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1095" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.icmp_echo_ignore_broadcasts</title>
            <description xml:lang="en-US">Ignore all ICMP ECHO and TIMESTAMP requests
                                                        sent to it via broadcast/multicast</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1096" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.icmp_ignore_bogus_error_responses</title>
            <description xml:lang="en-US">Enable to prevent certain types of
                                                        attacks</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1097" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.tcp_syncookies</title>
            <description xml:lang="en-US">Enable to turn on TCP SYN Cookie
                                                        Protection</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="var-1098" operator="equals" type="string">
            <title xml:lang="en-US">net.ipv4.conf.*.rp_filter</title>
            <description xml:lang="en-US">Enable to enforce sanity checking, also called
                                                        ingress filtering or egress filtering. The point is to drop a packet if
                                                        the source and destination IP addresses in the IP header do not make
                                                        sense when considered in light of the physical interface on which it
                                                        arrived. </description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Rule id="rule-1087" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Accepting source routed packets for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Accepting source routed packets should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1087"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4236-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1087" value-id="var-1087"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1087" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1088" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Accepting ICMP redirects for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Accepting ICMP redirects should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1088"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4217-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1088" value-id="var-1088"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1088" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1089" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Accepting "secure" ICMP redirects for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Accepting "secure" ICMP redirects (those from gateways listed
							in the default gateways list) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1089"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3472-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1089" value-id="var-1089"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1089" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1090" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Logging of "martian" packets for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Logging of "martian" packets (those with impossible addresses)
							should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1090"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4320-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1090" value-id="var-1090"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1090" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1091" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default accepting of source routed packets is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for accepting source routed packets should
							be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1087"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4091-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1087" value-id="var-1087"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1091" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1092" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default accepting ICMP redirects is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for accepting ICMP redirects should be:
								<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1088"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4186-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1088" value-id="var-1088"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1092" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1093" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default accepting of "secure" ICMP redirects is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for accepting "secure" ICMP redirects
							(those from gateways listed in the default gateways list) should be:
								<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1089"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3339-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1089" value-id="var-1089"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1093" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1094" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Default logging of "martian" packets for all interfaces is configured (runtime)</title>
            <description xml:lang="en-US">Logging of "martian" packets (those with impossible addresses)
							should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1090"/> for all interfaces as
							appropriate.</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1090" value-id="var-1090"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1094" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1095" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Ignoring ICMP echo requests is configured (runtime)</title>
            <description xml:lang="en-US">Ignoring ICMP echo requests (pings) sent to broadcast /
							multicast addresses should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1095"/>
							for all interfaces as appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3644-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1095" value-id="var-1095"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1095" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1096" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Ignoring bogus ICMP responses is configured (runtime)</title>
            <description xml:lang="en-US">Ignoring bogus ICMP responses to broadcasts should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1096"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4133-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1096" value-id="var-1096"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1096" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1097" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Sending TCP syncookies is configured (runtime)</title>
            <description xml:lang="en-US">Use of TCP SYN cookies should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1097"/>. This is a
							system-wide setting rather than a per-interface one.</description>
            <ident system="http://cce.mitre.org">CCE-4265-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1097" value-id="var-1097"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1097" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1098" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Performing source validation by reverse path is configured (runtime)</title>
            <description xml:lang="en-US">Performing source validation by reverse path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1098"/> for all interfaces as
							appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-4080-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1098" value-id="var-1098"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1098" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1099" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">The default setting for performing source validation by reverse path is configured (runtime)</title>
            <description xml:lang="en-US">The default setting for performing source validation by reverse
							path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1098"/> for all
							interfaces as appropriate.</description>
            <ident system="http://cce.mitre.org">CCE-3840-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1098" value-id="var-1098"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1099" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="gr-networking-wifi" hidden="false">
        <title xml:lang="en-US">Wireless Networking</title>
        <description xml:lang="en-US"><xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">Wireless networking (sometimes referred to as 802.11
					or Wi-Fi) presents a serious security risk to sensitive or classified systems
					and networks. Wireless networking hardware is much more likely to be included in
					laptop or portable systems than desktops or servers. Bluetooth serves a different purpose
					and possesses a much shorter range, but it still presents serious security
					risks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Removal of hardware is the only way to absolutely ensure that the
					wireless capability remains disabled. If it is completely impractical to remove
					the wireless hardware, and site policy still allows the device to enter
					sensitive spaces, every effort to disable the capability via software should be
					made. In general, acquisition policy should include provisions to prevent the
					purchase of equipment that will be used in sensitive spaces and includes
					wireless capabilities.</xhtml:p>

					<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">
					If it is impossible to remove the wireless
					hardware from the device in question, disable as much of it as possible
					through software. Note that software methods cannot guarantee that malicious
					software or a careless system administrator will not re-activate the devices.
					</xhtml:p></description>
        <Group id="gr-networking-wifi.1" hidden="false">
          <title xml:lang="en-US">Remove Wireless Hardware if Possible</title>
          <description xml:lang="en-US"> Identifying the wireless hardware is the first
						step in removing it. The system's hardware manual should contain information
						on its wireless capabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Wireless hardware included with a laptop typically takes the
						form of a mini-PCI card or PC card. Other forms include devices which plug
						into USB or Ethernet ports, but these should be readily apparent and easy to
						remove from the base system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A PC Card (originally called a PCMCIA card) is designed to be
						easy to remove, though it may be hidden when inserted into the system.
						Frequently, there will be one or more buttons near the card slot that, when
						pressed, eject the card from the system. If no card is ejected, the slot is
						empty. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A mini-PCI card is approximately credit-card sized and typically
						accessible via a removable panel on the underside of the laptop. Removing
						the panel may require simple tools. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In addition to manually inspecting the hardware, it is also
						possible to query the system for its installed hardware devices. The
						commands /sbin/lspci and /sbin/lsusb will show a list of all recognized
						devices on their respective buses, and this may indicate the presence of a
						wireless device.</description>
        </Group>
	<Group id="gr-networking-wifi.2" hidden="false">
	  <title xml:lang="en-US">Disable Wireless in BIOS</title>
	  <description xml:lang="en-US"> Some laptops that include built-in wireless
						      support offer the ability to disable the device through the BIOS. This
						      is system-specific; consult your hardware manual or explore the BIOS
						      setup during boot.</description>
	</Group>
	<Group id="gr-networking-wifi.3" hidden="false">
	  <title xml:lang="en-US">Deactivate Wireless Interfaces</title>
	  <description xml:lang="en-US"> Deactivating the wireless interfaces should
						      prevent normal usage of the wireless capability. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> First, identify the interfaces available with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ip link ls <xhtml:br/>
						      </xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Additionally,the following command may also be used to
						      determine whether wireless support ('extensions') is included for a
						      particular interface, though this may not always be a clear indicator: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iwconfig <xhtml:br/>
						      </xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> After identifying any wireless interfaces (which may have
						      names like wlan0, ath0, wifi0, or eth0), deactivate each one with the
						      following command, replacing interface with the interface name: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ip link set interface down <xhtml:br/>
						      </xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These changes will only last until the next reboot. To
						      disable the interface for future boots, locate its configuration file /etc/sysconfig/network-scripts/ifcfg-interface and add or replace configuration directives to match the following:
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ONBOOT=no</xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">USERCTL=no</xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						      <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">NM_CONTROLLED=no</xhtml:code>
						      <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					      </description>
	  <Rule id="rule-1100" selected="false" weight="10.000000" severity="medium">
	    <status date="2010-07-01">accepted</status>
	    <title xml:lang="en-US">Deactivate Wireless Interfaces</title>
	    <description xml:lang="en-US">All wireless interfaces should be disabled.</description>
	    <ident system="http://cce.mitre.org">CCE-4276-2</ident>
	    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
	      <check-content-ref name="oval:org.open-scap.rhel6:def:1100" href="scap-rhel6-oval.xml"/>
	    </check>
	  </Rule>
	</Group>
      </Group>
      <Group id="gr-networking-ipv6" hidden="false">
        <title xml:lang="en-US">IPv6</title>
        <description xml:lang="en-US"> The system includes support for Internet Protocol
					version 6. A major and often-mentioned improvement over IPv4 is its enormous
					increase in the number of available addresses. Another important feature is its
					support for automatic configuration of many network settings.</description>
        <Group id="gr-networking-ipv6.1" hidden="false">
          <title xml:lang="en-US">Disable Support for IPv6 unless Needed</title>
          <description xml:lang="en-US"> Because the IPv6 networking code is relatively
						new and complex, it is particularly important that it be disabled unless
						needed. Despite configuration that suggests support for IPv6 has been
						disabled, link-local IPv6 address autoconfiguration occurs even when only an
						IPv4 address is assigned. The only way to effectively prevent execution of
						the IPv6 networking stack is to prevent the kernel from loading the IPv6
						kernel module.</description>
          <Group id="gr-networking-ipv6.1.1" hidden="false">
            <title xml:lang="en-US">Disable Automatic Loading of IPv6 Kernel Module</title>
            <description xml:lang="en-US"> To prevent the IPv6 kernel module (ipv6) from
							being loaded, create /etc/modprobe.d/ipv6.conf with the following content: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> install ipv6 /bin/true <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When the kernel requests the ipv6 module, this line will
							direct the system to run the program /bin/true instead. If the module is already loaded, the change
							takes effect at the next boot; verify afterwards with lsmod that ipv6 is no longer present. Note that
							some services may expect the IPv6 loopback address ::1 to exist, so test this change before deploying it broadly.</description>
            <Rule id="rule-1101" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Disable Automatic Loading of IPv6 Kernel Module</title>
              <description xml:lang="en-US">Automatic loading of the IPv6 kernel module should be
								disabled.</description>
              <ident system="http://cce.mitre.org">CCE-3562-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1101" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-ipv6.1.2" hidden="false">
            <title xml:lang="en-US">Disable Interface Usage of IPv6</title>
            <description xml:lang="en-US"> To prevent configuration of IPv6 for all
							interfaces, add or correct the following line in
							/etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6INIT=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each network interface IFACE, add or correct the
							following lines in /etc/sysconfig/network-scripts/ifcfg-IFACE as an
							additional prevention mechanism:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6INIT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If it becomes necessary later to configure IPv6, only the
							interfaces requiring it should be enabled.</description>
          </Group>
        </Group>
        <Group id="gr-networking-ipv6.2" hidden="false">
          <title xml:lang="en-US">Configure IPv6 Settings if Necessary</title>
          <description xml:lang="en-US"> A major feature of IPv6 is the extent to which
						systems implementing it can automatically configure their networking devices
						using information from the network. From a security perspective, manually
						configuring important configuration information is always preferable to
						accepting it from the network in an unauthenticated fashion.</description>
          <Group id="gr-networking-ipv6.2.1" hidden="false">
            <title xml:lang="en-US">Disable Automatic Configuration</title>
            <description xml:lang="en-US"> Disable the system's acceptance of router
							advertisements and redirects by adding or correcting the following line
							in /etc/sysconfig/network (note that this does not disable sending
							router solicitations): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_AUTOCONF=no</description>
            <Value id="var-1102" operator="equals" type="string">
              <title xml:lang="en-US">IPV6_AUTOCONF</title>
              <description xml:lang="en-US">Default setting for IPv6 autoconfiguration</description>
              <value>no</value>
              <value selector="enabled">yes</value>
              <value selector="disabled">no</value>
            </Value>
            <Rule id="rule-1102" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure IPv6 autoconfiguration</title>
              <description xml:lang="en-US">The default setting for IPv6 autoconfiguration should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1102"/>.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1102" value-id="var-1102"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1102" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-ipv6.2.2" hidden="false">
            <title xml:lang="en-US">Manually Assign Global IPv6 Address</title>
            <description xml:lang="en-US"> To manually assign an IP address for an
							interface IFACE, edit the file /etc/sysconfig/network-scripts/
							ifcfg-IFACE. Add or correct the following line (substituting the correct
							IPv6 address): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6ADDR=2001:0DB8::ABCD/64 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Manually assigning an IP address is preferable to accepting
							one from routers or from the network otherwise. The example address here
							is an IPv6 address reserved for documentation purposes, as defined by
							RFC3849.</description>
          </Group>
          <Group id="gr-networking-ipv6.2.3" hidden="false">
            <title xml:lang="en-US">Use Privacy Extensions for Address if Necessary</title>
            <description xml:lang="en-US"> To introduce randomness into the automatic
							generation of IPv6 addresses, add or correct the following line in
							/etc/sysconfig/network-scripts/ifcfg-IFACE: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_PRIVACY=rfc3041<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Automatically-generated IPv6 addresses are based on the
							underlying hardware (e.g. Ethernet) address, and so it becomes possible
							to track a piece of hardware over its lifetime using its traffic. If it
							is important for a system's IP address to not trivially reveal its
							hardware address, this setting should be applied.</description>
          </Group>
          <Group id="gr-networking-ipv6.2.4" hidden="false">
            <title xml:lang="en-US">Manually Assign IPv6 Router Address</title>
            <description xml:lang="en-US"> Edit the file
							/etc/sysconfig/network-scripts/ifcfg-IFACE , and add or correct the
							following line (substituting your gateway IP as appropriate):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_DEFAULTGW=2001:0DB8::0001 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Router addresses should be manually set and not accepted via
							any autoconfiguration or router advertisement.</description>
          </Group>
          <Group id="gr-networking-ipv6.2.5" hidden="false">
            <title xml:lang="en-US">Limit Network-Transmitted Configuration</title>
            <description xml:lang="en-US"> Add the following lines to /etc/sysctl.conf
							to limit the configuration information requested from other systems, and
							accepted from the network. The net.ipv6.conf.default.* keys supply the settings for interfaces
							created after they are set; to cover interfaces that already exist, also set the corresponding
							per-interface keys (net.ipv6.conf.IFACE.*), and run sysctl -p to apply the file without rebooting:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv6.conf.default.router_solicitations = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.accept_ra_rtr_pref = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.accept_ra_pinfo = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.accept_ra_defrtr = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.autoconf = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.dad_transmits = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							net.ipv6.conf.default.max_addresses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The router solicitations setting determines how many router
							solicitations are sent when bringing up the interface. If addresses are
							statically assigned, there is no need to send any solicitations. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_ra_rtr_pref setting controls whether the system
							will honor router preference values carried in router advertisements. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_ra_pinfo setting controls whether the system will
							accept prefix info from the router. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_ra_defrtr setting controls whether the system
							will accept default router information from a router advertisement. Setting it
							to 0 prevents a router advertisement from installing or changing your default IPv6
							route; the default gateway must then be configured manually (see IPV6_DEFAULTGW above). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The autoconf setting controls whether router advertisements
							can cause the system to assign a global unicast address to an interface. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The dad_transmits setting determines how many neighbor
							solicitations to send out per address (global and link-local) when
							bringing up an interface to ensure the desired address is unique on the
							network. Setting it to 0 disables duplicate address detection entirely, so it is
							appropriate only when addresses are statically assigned and known to be unique. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The max_addresses setting determines how many autoconfigured global unicast
							IPv6 addresses can be assigned to each interface; statically configured addresses
							are not counted against this limit. The default is 16. With autoconfiguration
							disabled it should be set to 1, the value checked here; do not set it to 0, which
							removes the limit altogether.</description>
	    <Value id="var-1103" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.router_solicitations</title>
              <description xml:lang="en-US">Number of router solicitations to send</description>
              <value>0</value>
              <value selector="0">0</value>
              <value selector="3">3</value>
            </Value>
	    <Value id="var-1104" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.accept_ra_rtr_pref</title>
              <description xml:lang="en-US">Whether to accept router preference from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1105" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.accept_ra_pinfo</title>
              <description xml:lang="en-US">Whether to accept prefix information from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1106" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.accept_ra_defrtr</title>
              <description xml:lang="en-US">Whether to accept default router information from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1107" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.autoconf</title>
              <description xml:lang="en-US">Whether to autoconfigure addresses from router advertisements</description>
              <value>0</value>
              <value selector="no">0</value>
              <value selector="yes">1</value>
            </Value>
	    <Value id="var-1108" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.dad_transmits</title>
              <description xml:lang="en-US">Number of duplicate address detection probes to send</description>
              <value>0</value>
              <value selector="0">0</value>
              <value selector="1">1</value>
            </Value>
	    <Value id="var-1109" operator="equals" type="number">
              <title xml:lang="en-US">net.ipv6.conf.default.max_addresses</title>
              <description xml:lang="en-US">Maximum number of autoconfigured addresses</description>
              <value>1</value>
              <value selector="1">1</value>
              <value selector="16">16</value>
            </Value>
            <Rule id="rule-1103" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure number of sent router solicitations</title>
              <description xml:lang="en-US">The default number of sent router solicitations should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1103"/> for
								all interfaces.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1103" value-id="var-1103"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1103" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1104" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to accept router preference</title>
              <description xml:lang="en-US">Router preference should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1104"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1104" value-id="var-1104"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1104" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1105" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to accept prefix information</title>
              <description xml:lang="en-US">Prefix information from router advertisements should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1105"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1105" value-id="var-1105"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1105" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1106" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to accept default router information</title>
              <description xml:lang="en-US">Default router information should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1106"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1106" value-id="var-1106"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1106" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1107" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure whether to autoconfigure addresses</title>
              <description xml:lang="en-US">Addresses should be autoconfigured by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1107"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1107" value-id="var-1107"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1107" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1108" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure number of duplicate address detection probes</title>
              <description xml:lang="en-US">The default number of duplicate address detection probes should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1108"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1108" value-id="var-1108"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1108" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1109" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Configure maximum number of autoconfigured addresses</title>
              <description xml:lang="en-US">The default maximum number of autoconfigured addresses should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1109"/></description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:org.open-scap.rhel6:var:1109" value-id="var-1109"/>
                <check-content-ref name="oval:org.open-scap.rhel6:def:1109" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
      </Group>
      <Group id="gr-networking-libwrap" hidden="false">
        <title xml:lang="en-US">TCP Wrapper</title>
        <description xml:lang="en-US"> TCP Wrapper is a library which provides simple access
					control and standardized logging for supported applications which accept
					connections over a network. Historically, TCP Wrapper was used to support inetd
					services. Now that inetd is deprecated, TCP Wrapper supports
					only services which were built to make use of the libwrap library. To determine
					whether a given executable daemon /path/to/daemon supports TCP Wrapper, check
					the documentation, or run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ldd /path/to/daemon | grep libwrap.so <xhtml:br/>
					</xhtml:code>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If this command returns any output, then the daemon probably
					supports TCP Wrapper. (A daemon that loads libwrap at runtime rather than linking against it
					will not appear in this output, so consult its documentation when in doubt.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> An alternative to TCP Wrapper support is packet filtering using
					iptables. Note that iptables works at the network level, while TCP Wrapper works
					at the application level. This means that iptables filtering is more efficient
					and more resistant to flaws in the software being protected, but TCP Wrapper
					provides support for logging, banners, and other application-level tricks which
					iptables cannot provide.</description>
        <Group id="gr-networking-libwrap.1" hidden="false">
          <title xml:lang="en-US">How TCP Wrapper Protects Services</title>
          <description xml:lang="en-US"> TCP Wrapper provides access control for the
						system's network services using two configuration files. When a connection
						is attempted: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The file /etc/hosts.allow is searched for a rule matching the
								connection. If one is found, the connection is allowed. </xhtml:li>
							<xhtml:li>Otherwise, the file /etc/hosts.deny is searched for a rule
								matching the connection. If one is found, the connection is
								rejected. </xhtml:li>
							<xhtml:li>If no matching rules are found in either file, then the
								connection is allowed. By default, TCP Wrapper does not block access
								to any services. </xhtml:li>
						</xhtml:ol>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In the simplest case, each rule in /etc/hosts.allow and
						/etc/hosts.deny takes the form: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon : client <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> where daemon is the name of the server process for which the
						connection is destined, and client is the partial or full hostname or IP
						address of the client. It is valid for daemon and client to contain one
						item, a comma-separated list of items, or a special keyword like ALL, which
						matches any service or client. (See the hosts_access(5) manpage for a list
						of other keywords.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Partial hostnames start at the root domain and are
						delimited by the . character. So the client machine host03.dev.example.com,
						with IP address 10.7.2.3, could be matched by any of the specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> .example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> .dev.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						10.7.2.</description>
        </Group>
        <Group id="gr-networking-libwrap.2" hidden="false">
          <title xml:lang="en-US">Reject All Connections From Other Hosts if Appropriate</title>
          <description xml:lang="en-US"> Restrict all connections to non-public services
						to localhost only. Suppose pubsrv1 and pubsrv2 are the names of daemons
						which must be accessed remotely. Configure TCP Wrapper as follows. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.allow. Add the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> pubsrv1, pubsrv2 : ALL<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> ALL : localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> ALL: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These rules deny connections to all TCP Wrapper enabled services
						from any host other than localhost, but allow connections from anywhere to
						the services which must be publicly accessible. (If no public services
						exist, the first line in /etc/hosts.allow may be omitted.)</description>
            <Rule id="rule-1110" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Reject Connections in TCP Wrapper by Default</title>
              <description xml:lang="en-US">TCP wrapper should be configured to reject connections that were not explicitly allowed</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1110" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
        </Group>
        <Group id="gr-networking-libwrap.3" hidden="false">
          <title xml:lang="en-US">Allow Connections Only From Hosts in This Domain if Appropriate</title>
          <description xml:lang="en-US"> For each daemon, domainsrv , which only needs to
						be contacted from inside the local domain, example.com , configure TCP
						Wrapper to deny remote connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.allow. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> domainsrv : .example.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> domainsrv : ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> There are many possible examples of services which need to
						communicate only within the local domain. If a machine is a local compute
						server, it may be necessary for users to connect via SSH from their desktop
						workstations, but not from outside the domain. In that case, you should
						protect the daemon sshd using this method. As another example, RPC-based
						services such as NFS might be enabled within the domain only, in which case
						the daemon portmap should be protected. Note that a domain pattern such as
						.example.com is matched against the hostname obtained by a reverse DNS lookup of the
						client address, so it is only as trustworthy as that DNS; where the set of legitimate
						client addresses is known, prefer matching on IP addresses or networks (see hosts_access(5)). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					</description>
          <warning xml:lang="en-US">Note: This example protects only the service domainsrv
						. No filtering is done on other services unless a line is entered into
						/etc/hosts.deny which refers to those services by name, or which restricts
						the special service ALL.</warning>
        </Group>
        <Group id="gr-networking-libwrap.4" hidden="false">
          <title xml:lang="en-US">Monitor Syslog for Relevant Connections and Failures</title>
          <description xml:lang="en-US"> Ensure that the following line exists in
						/etc/rsyslog.conf. (This is the default, so it is likely to be correct if the
						configuration has not been modified): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> authpriv.* /var/log/secure <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Configure logwatch or other log monitoring tools to periodically
						summarize failed connections reported by TCP Wrapper at the facility
						authpriv.info. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, TCP Wrapper audits all rejected connections at the
						facility authpriv, level info. In the log file, TCP Wrapper rejections will
						contain the substring: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon [pid ]: refused connect from ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These lines can be used to detect malicious scans, and to debug
						failures resulting from an incorrect TCP Wrapper configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If appropriate, it is possible to change the syslog facility and
						level used by a given TCP Wrapper rule by adding the severity option to each
						desired configuration line in /etc/hosts.deny: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon : client : severity facility.level <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, successful connections are not logged by TCP
						Wrapper.</description>
        </Group>
        <Group id="gr-networking-libwrap.5" hidden="false">
          <title xml:lang="en-US">Further Resources</title>
          <description xml:lang="en-US"> For more information about TCP Wrapper, see the
						tcpd(8) and hosts_access(5) manpages and the documentation directory
						/usr/share/doc/tcp_wrappers-version. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Some information may be available from the Tools section of the
						author's website, http://www.porcupine.org, and from the RHEL6 Security
						Guide.</description>
        </Group>
      </Group>
      <Group id="gr-networking-iptables" hidden="false">
        <title xml:lang="en-US">Iptables and Ip6tables</title>
        <description xml:lang="en-US"> A host-based firewall called Netfilter is included as
					part of the Linux kernel distributed with the system. It is activated by
					default. This firewall is controlled by the program iptables, and the entire
					capability is frequently referred to by this name. An analogous program called
					ip6tables handles filtering for IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Unlike TCP Wrappers, which depends on the network server program to
					support and respect the rules written, Netfilter filtering occurs at the kernel
					level, before a program can even process the data from the network packet. As
					such, any program on the system is affected by the rules written. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section provides basic information about strengthening the
					iptables and ip6tables configurations included with the system. For more
					complete information that may allow the construction of a sophisticated ruleset
					tailored to your environment, please consult the references at the end of this
					section.</description>
        <Group id="gr-networking-iptables.1" hidden="false">
          <title xml:lang="en-US">Inspect and Activate Default Rules</title>
          <description xml:lang="en-US"> View the currently-enforced iptables rules by
						running the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command is analogous for the ip6tables program. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If the firewall does not appear to be active (i.e., no rules
						appear), activate it and ensure that it starts at boot by issuing the
						following commands (and analogously for ip6tables): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service iptables restart</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig iptables on</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default iptables rules are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain INPUT (policy ACCEPT)</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num  target     prot opt source               destination</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain FORWARD (policy ACCEPT)</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num  target     prot opt source               destination</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain OUTPUT (policy ACCEPT)</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num  target     prot opt source               destination</xhtml:code>


						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The ip6tables default
						rules are similar, with its input rules 2 and 5 and forward rule 1
						reflecting protocol naming and addressing differences.</description>
          <Rule id="rule-1111" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">ip6tables service is enabled</title>
            <description xml:lang="en-US">The ip6tables service should be enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4167-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1111" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1112" selected="false" weight="10.000000" severity="high">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">iptables service is enabled</title>
            <description xml:lang="en-US">The iptables service should be enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4189-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1112" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking-iptables.2" hidden="false">
          <title xml:lang="en-US">Understand the Default Ruleset</title>
          <description xml:lang="en-US"> Understanding and creating firewall rules can be
						a challenging activity, filled with corner cases and difficult-to debug
						problems. Because of this, administrators should develop a thorough
						understanding of the default ruleset before carefully modifying it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default ruleset is divided into three sections, each of which
						is called a chain: INPUT, FORWARD and OUTPUT. Each of these chains
						is built-in. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The INPUT chain is activated on packets destined for (i.e.,
								addressed to) the system. </xhtml:li>
							<xhtml:li>The OUTPUT chain is activated on packets which are originating
								from the system. </xhtml:li>
							<xhtml:li>The FORWARD chain is activated for packets that the system
								will process and send through another interface, if so configured. </xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A packet starts at the first rule in the appropriate chain and
						proceeds until it matches a rule. If a match occurs, then control will jump
						to the specified target. The default ruleset uses the built-in targets
						ACCEPT and REJECT. Jumping to the target ACCEPT means to allow the packet
						through, while REJECT means to drop the packet and send an error message to
						the sending host. A related target called DROP means to drop the packet
						without even sending an error message. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default policy for all of the built-in chains (shown after
						their names in the rule output above) is set to ACCEPT. This means that if
						no rules in the chain match the packets, they are allowed through. Because
						no rules at all are written for the OUTPUT chain, this means that iptables
						does not stop any packets originating from the system.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>The INPUT chain tries to match, in order, the following
						rules for both iptables and ip6tables: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Rule 1 allows inbound packets that belong to a connection
								that is already established (or is related to one), regardless of
								which side initiated it; this is what lets replies to the system's
								own outbound traffic, and the rest of an accepted SSH session, pass
								without further rules.</xhtml:li>
							<xhtml:li>Rule 2 explicitly allows all icmp packet types.</xhtml:li>
							<xhtml:li>Rule 3 appears to accept all packets. However, this appears
								true only because the rules are not presented in verbose mode.
								Executing the command <xhtml:br/>
								<xhtml:br/>
								<xhtml:code># iptables -vnL --line-numbers <xhtml:br/>
								</xhtml:code>
								<xhtml:br/> reveals that this rule applies only to the loopback (lo)
								interface (see the in column), while all other rules apply to all
								interfaces. Thus, packets not arriving on the loopback interface do
								not match and proceed to the next rule. </xhtml:li>
							<xhtml:li>Rule 4 allows new inbound connections to tcp
								port 22, the port used by the SSH protocol. </xhtml:li>
							<xhtml:li>Rule 5 rejects all other packets and
								sends an error message to the sender. Because this is the last rule
								and matches any packet, it effectively prevents any packet from
								reaching the chain's default ACCEPT target. Preventing the
								acceptance of any packet that is not explicitly allowed is proper
								design for a firewall.</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
        <Group id="gr-networking-iptables.3" hidden="false">
          <title xml:lang="en-US">Strengthen the Default Ruleset</title>
          <description xml:lang="en-US"> The default rules can be strengthened. The system
						scripts that activate the firewall rules expect them to be defined in the
						configuration files iptables and ip6tables in the directory /etc/sysconfig.
						Many of the lines in these files are similar to the command line arguments
						that would be provided to the programs /sbin/iptables or /sbin/ip6tables –
						but some are quite different. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following recommendations describe how to strengthen the
						default ruleset configuration file. An alternative to editing this
						configuration file is to create a shell script that makes calls to the
						iptables program to load in rules, and then invokes
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">service iptables save</xhtml:code> to
						write those loaded rules to /etc/sysconfig/iptables.  If the construction of the default ruleset meets
						your requirements, system-config-firewall-tui may be used to customize it, to the extent the tool allows it.
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following alterations can be made directly to
						/etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to
						both unless otherwise noted. Language and address conventions for regular
						iptables are used throughout this section; configuration for ip6tables will
						be either analogous or explicitly covered.</description>
          <warning xml:lang="en-US">The program system-config-firewall-tui automatically adjusts /etc/sysconfig/iptables . This program is only
						useful if the construction of the default ruleset meets your security requirements. Otherwise,
						this program should not be used to make changes to the firewall
						configuration because it re-writes the saved configuration file. </warning>
          <Group id="gr-networking-iptables.3.1" hidden="false">
            <title xml:lang="en-US">Change the Default Policies</title>
            <description xml:lang="en-US"> Change the default policy to DROP (from
							ACCEPT) for the INPUT and FORWARD built-in chains: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> *filter <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> :INPUT DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> :FORWARD
							DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Changing the default policy in this way implements proper
							design for a firewall, i.e. any packets which are not explicitly
							permitted should not be accepted. Before loading a DROP policy on a
							remotely administered system, confirm that an explicit ACCEPT rule for
							the management path (for example the default rule for tcp port 22) is
							still present: with a DROP policy, any packet not matched by an ACCEPT
							rule is discarded without any error message, including the packets of
							your own administrative session.</description>
            <Rule id="rule-1113" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">The default policy for the ip*tables INPUT chain should be set appropriately</title>
              <description xml:lang="en-US">Change the default policy to DROP (from ACCEPT) for the
								INPUT built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1113" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
            <Rule id="rule-1114" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">The default policy for the ip*tables FORWARD chain should be set appropriately</title>
              <description xml:lang="en-US">Change the default policy to DROP (from ACCEPT) for the
								FORWARD built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1114" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-iptables.3.2" hidden="false">
            <title xml:lang="en-US">Restrict ICMP Message Types</title>
            <description xml:lang="en-US"> In /etc/sysconfig/iptables, the accepted ICMP
							message types can be restricted. To accept only ICMP echo reply,
							destination unreachable (which also carries the fragmentation-needed
							messages that Path MTU discovery relies on), and time exceeded messages,
							remove the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and insert the lines:
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To allow the system to respond to pings, also insert the
							following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ping responses can also be limited to certain networks or
							hosts by using the -s option in the previous rule. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because IPv6 depends so heavily on ICMPv6, it is preferable
							to deny the ICMPv6 packets you know you don't need (e.g. ping requests)
							in /etc/sysconfig/ip6tables, while letting everything else through.
							Because rules are matched in order, place such DROP rules before the
							existing rule that accepts all ICMPv6 (input rule 2 in the default
							ruleset); placed after it, they are never reached: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are going to statically configure the
							machine's address, it should ignore Router Advertisements, which could
							add another IPv6 address to the interface or alter important network
							settings such as the default route. The same ordering applies: this
							rule must precede the rule that accepts all ICMPv6: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Restricting other ICMPv6 message types in
							/etc/sysconfig/ip6tables is not recommended because the operation of
							IPv6 depends heavily on ICMPv6. Thus, more care must be taken when
							blocking ICMPv6 types.</description>
            <Rule id="rule-1115" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Restrict ICMP message types</title>
              <description xml:lang="en-US">Accept only the required ICMP message types in the INPUT built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1115" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-networking-iptables.3.3" hidden="false">
            <title xml:lang="en-US">Log and Drop Packets with Suspicious Source Addresses</title>
            <description xml:lang="en-US"> Packets with non-routable source addresses
							should be dropped, as they may indicate spoofing. Because the modified
							default policy already drops non-matching packets, you only need to add
							these rules if you are interested in also logging these spoofing or
							suspicious attempts before they are dropped. If you do choose to log
							various suspicious traffic, add identical rules with a target of DROP
							after each LOG. Because rules are matched in order, insert each LOG/DROP
							pair before the ACCEPT rules (in particular before the rule accepting
							tcp port 22); placed after them, a spoofed packet aimed at an accepted
							port is accepted by the earlier rule and never reaches these checks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To log and then drop these IPv4 packets, insert the
							following rules in /etc/sysconfig/iptables (excepting any address ranges
							that are intentionally used on your network, and replacing eth0 with
							the name of the externally facing interface): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP
							SPOOF A: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG
							--log-prefix "IP DROP SPOOF B: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s
							192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A
							INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP
							SPOOF E: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG
							--log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Similarly, you might wish to log packets containing some
							IPv6 reserved addresses if they are not expected on your network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP
							LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:E000::/20 -j LOG --log-prefix
							"IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:7F00::/24 -j LOG
							--log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s
							2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A
							INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4
							TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix
							"IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:C0A8::/32 -j LOG
							--log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are not expecting to see site-local multicast or
							auto-tunneled traffic, you can log those: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL
							MULTICAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix
							"IPv4 COMPATIBLE IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you wish to block multicasts to all link-local nodes
							(e.g. if you are not using router autoconfiguration and do not plan to
							have any services that multicast to the entire local network), you can
							block the link-local all-nodes multicast address (before accepting
							incoming ICMPv6): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local
							All-Nodes Multicast: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, if you're going to allow IPv4 compatible IPv6
							addresses (of the form ::0.0.0.0/96), you should then consider logging
							the non-routable IPv4-compatible addresses: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP
							NON-ROUTABLE ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::127.0.0.0/104 -j LOG
							--log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s
							::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP
							BROADCAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are not expecting to see any IPv4 (or
							IPv4-compatible) traffic on your network, consider logging it before it
							gets dropped: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4
							MAPPED IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002::/16 -j LOG
							--log-prefix "IPv6 6to4 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following rule will log all traffic originating from a
							site-local address, which is deprecated address space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL
							ADDRESS TRAFFIC: "</description>
          </Group>
          <Group id="gr-networking-iptables.3.4" hidden="false">
            <title xml:lang="en-US">Log and Drop All Other Packets</title>
            <description xml:lang="en-US"> To log before dropping all packets that are
							not explicitly accepted by previous rules, change the final lines from <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j REJECT --reject-with icmp-host-prohibited
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> to <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j LOG
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j DROP
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rule to log all dropped packets must be used with care.
							Chatty but otherwise non-malicious network protocols (e.g. NetBIOS) may
							result in voluminous logs, and a remote party can deliberately generate
							unwanted traffic to fill the log. Insertion of earlier rules to
							explicitly drop such packets without logging may be appropriate; the LOG
							rule can also be rate-limited with the limit match (e.g. -m limit
							--limit 5/min) and given a distinguishing --log-prefix, as the rules
							in the previous section do.</description>
            <Rule id="rule-1116" selected="false" weight="10.000000" severity="high">
              <status date="2010-07-01">accepted</status>
              <title xml:lang="en-US">Log and Drop All Other Packets</title>
              <description xml:lang="en-US">Log and drop packets that were not explicitly accepted by an earlier rule in the INPUT built-in chain.</description>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1116" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="gr-networking-iptables.4" hidden="false">
          <title xml:lang="en-US">Further Strengthening</title>
          <description xml:lang="en-US"> Further strengthening, particularly as a result
						of customization to a particular environment, is possible for the iptables
						rules. Consider the following options, though their practicality depends on
						the network environment and usage scenario: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Restrict outgoing traffic. As shown above, the OUTPUT chain's
								default policy can be changed to DROP, and rules can be written to
								specifically allow only certain types of outbound traffic. Such a
								policy could prevent casual usage of insecure protocols such as ftp
								and telnet, or even disrupt spyware. However, it would still not
								prevent a sophisticated user or program from using a proxy to
								circumvent the intended effects, and many client programs even try
								to automatically tunnel through port 80 to avoid such
								restrictions.</xhtml:li>
							<xhtml:li>SYN flood protection. SYN flood protection can be provided by
								iptables, but might run into limiting issues for servers. For
								example, the connlimit match (the successor to the older iplimit
								match) can be used to limit simultaneous connections from a given
								host or network. Similarly, the recent match allows the firewall to
								deny additional connections from any host within a given period of
								time (e.g. more than 3 --state NEW connections on port 22 within a
								minute, to slow down dictionary login attacks). <xhtml:br/>
								<xhtml:br/> A complementary, kernel-level option for SYN flood
								protection is enabling TCP SYN cookies.</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
        <Group id="gr-networking-iptables.5" hidden="false">
          <title xml:lang="en-US">Further Resources</title>
          <description xml:lang="en-US"> More complex, restrictive, and powerful rulesets
						can be created, but this requires careful customization that relies on
						knowledge of the particular environment. The following resources provide
						more detailed information: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The iptables(8) man page </xhtml:li>
							<xhtml:li>The Netfilter Project's documentation at
								http://www.netfilter.org</xhtml:li>
							<xhtml:li>The Red Hat Enterprise Linux 6 Security Guide</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
      </Group>
      <Group id="gr-networking-tls" hidden="false">
        <title xml:lang="en-US">Transport Layer Security Support</title>
        <description xml:lang="en-US"> The Transport Layer Security (TLS) protocol provides
					encrypted and authenticated network communications, and many network services
					include support for it. Using TLS is recommended, especially to avoid any
					plaintext transmission of sensitive data, even over a local network. The three primary TLS
					implementations included with the system are GnuTLS, NSS and OpenSSL. Older
					versions of TLS were called Secure Sockets Layer (SSL).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TLS uses public key cryptography to provide authentication and
					encryption. Public key cryptography involves two keys, one called the public key
					and the other called the private key. These keys are mathematically related such
					that data encrypted with one key can only be decrypted by the other, and vice
					versa. As their names suggest, public keys can be distributed to anyone while a
					private key must remain known only to its owner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TLS uses certificates, which are files that hold cryptographic data:
					a public key, the identity (name) that key belongs to, and a signature over
					that data. In TLS authentication, a
					server presents a client with its certificate as a means of demonstrating that
					it is who it claims it is. If everything goes correctly, the client can verify
					the server's certificate by determining that the signature inside the
					certificate could only have been generated by a third party whom the client
					trusts. This third party is called a Certificate Authority (CA). Each client
					system should also have certificates from trusted CAs, and the client uses these
					CA certificates to verify the authenticity of the server's certificate. A valid
					CA signature alone is not sufficient: the client must also check that the name
					in the certificate matches the server it intended to contact and that the
					certificate is still within its validity period; otherwise any certificate
					issued by a trusted CA would authenticate any server. After
					authenticating a server using its certificate and a CA certificate, TLS provides
					encryption by using the server certificate to securely negotiate a shared secret
					key. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If your server must communicate using TLS with systems that might
					not be able to securely accept a new CA certificate prior to any TLS
					communication, then paying an established CA (whose certificates your clients
					already have) to sign your server certificates is recommended. The steps for
					doing this vary by vendor. Once the signed certificates have been obtained,
					configuration of the services is the same whether they were purchased from a
					vendor or signed by your own CA.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For setting up an internal network and encrypting local traffic,
					creating your own CA to sign X.509 certificates can be appropriate. The major
					steps in this process are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>Create a CA to sign certificates </xhtml:li>
						<xhtml:li>Create X.509 certificates for servers using that CA</xhtml:li>
						<xhtml:li>Enable client support by distributing the CA's
							certificate</xhtml:li>
					</xhtml:ol>
				</description>
        <Group id="gr-networking-tls.1" hidden="false">
          <title xml:lang="en-US">Create a CA to Sign Certificates</title>
          <description xml:lang="en-US"> The following instructions apply to OpenSSL. The security of certificates depends on the
						security of the CA that signed them, so performing these steps on a secure
						machine is critical. The system used as a CA should be physically secure and
						not connected to any network. It should receive any certificate signing
						requests (CSRs) via removable media and output certificates onto removable
						media. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The script /etc/pki/tls/misc/CA is included to assist in the
						process of setting up a CA. This script uses many settings in
						/etc/pki/tls/openssl.cnf. The settings in this file can be changed to suit
						your needs and allow easier selection of default settings, particularly in
						the [req distinguished name] section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To create the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/misc</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ./CA -newca</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>When prompted, press enter to create a new CA key with the
								default name cakey.pem.</xhtml:li>
							<xhtml:li>When prompted, enter a password that will protect the private
								key, then enter the same password again to verify it.</xhtml:li>
							<xhtml:li>At the prompts, fill out as much of the CA information as is
								relevant for your site. You must specify a common name, or
								generation of the CA certificate will fail. </xhtml:li>
							<xhtml:li>Next, you will be prompted for the password, so that the
								script can re-open the private key in order to write the
								certificate.</xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This step performs the following actions: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>creates the directory /etc/pki/CA (by default), which contains
								files necessary for the operation of a certificate authority. These
								are:
								<xhtml:ul>
									<xhtml:li>serial, which contains the current serial number for
										certificates signed by the CA</xhtml:li>
									<xhtml:li>index.txt, which is a text database file that contains
										information about certificates signed</xhtml:li>
									<xhtml:li>crl, which is a directory for holding revoked
										certificates</xhtml:li>
									<xhtml:li>private, a directory which stores the CA's private
										key</xhtml:li>
								</xhtml:ul>
							</xhtml:li>
							<xhtml:li>creates a public-private key pair for the CA in the file
								/etc/pki/CA/private/cakey.pem. The private key must be kept private
								in order to ensure the security of the certificates the CA will
								later sign.</xhtml:li>
							<xhtml:li>signs the public key (using the corresponding private key, in
								a process called self-signing) to create the CA certificate, which
								is then stored in /etc/pki/CA/cacert.pem. </xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When the CA later signs a server certificate using its private
						key, it means that it is vouching for the authenticity of that server. A
						client can then use the CA's certificate (which contains its public key) to
						verify the authenticity of the server certificate. To accomplish this, it is
						necessary to distribute the CA certificate to any clients.</description>
        </Group>
        <Group id="gr-networking-tls.2" hidden="false">
          <title xml:lang="en-US">Create X.509 Certificates for Servers</title>
          <description xml:lang="en-US"> Creating an X.509 certificate for a server involves
						the following steps: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>A public-private key pair for the server must be
								generated.</xhtml:li>
							<xhtml:li>A certificate signing request (CSR) must be created from the
								key pair.</xhtml:li>
							<xhtml:li>The CSR must be signed by a certificate authority (CA) to
								create the server certificate.</xhtml:li>
							<xhtml:li>The server certificate and keys must be installed on the
								server. </xhtml:li>
						</xhtml:ol>
					</description>
        </Group>
        <Group id="gr-networking-tls.3" hidden="false">
          <title xml:lang="en-US">Enable Client Support</title>
          <description xml:lang="en-US"> The system ships with certificates from
						well-known commercial CAs. If your server certificates were signed by one of
						these established CAs, then this step is not necessary since the clients
						should include the CA certificate already. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If your servers use certificates signed by your own CA, some
						user applications will warn that the server's certificate cannot be verified
						because the CA is not recognized. Other applications may simply fail to
						accept the certificate and refuse to operate, or continue operating without
						ever having properly verified the server certificate. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To avoid this warning, and to properly authenticate the servers,
						your CA certificate must be imported into every application on every client
						system that will be connecting to a TLS-enabled server.</description>
          <Group id="gr-networking-tls.3.1" hidden="false">
            <title xml:lang="en-US">Adding a Trusted CA for Firefox</title>
            <description xml:lang="en-US"> Firefox needs to have a certificate from the
							CA that signed the web server's certificate, so that it can authenticate
							the web server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Firefox 3.6:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
								<xhtml:li>Launch Firefox and choose Preferences from the Edit menu. </xhtml:li>
								<xhtml:li>Click the Advanced button.</xhtml:li>
								<xhtml:li>Select the Encryption pane.</xhtml:li>
								<xhtml:li>Click the View Certificates button.</xhtml:li>
								<xhtml:li>Click the Authorities tab. </xhtml:li>
								<xhtml:li>Click the Import button at the bottom of the
									screen.</xhtml:li>
								<xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
							</xhtml:ol>
						</description>
          </Group>
          <Group id="gr-networking-tls.3.2" hidden="false">
            <title xml:lang="en-US">Adding a Trusted CA for Thunderbird</title>
            <description xml:lang="en-US"> Thunderbird needs to have a certificate from
							the CA that signed the mail server's certificates, so that it can
							authenticate the mail server(s).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Thunderbird 3: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
								<xhtml:li>Launch Thunderbird and choose Preferences from the
									Edit menu.</xhtml:li>
								<xhtml:li>Click the Advanced button.</xhtml:li>
								<xhtml:li>Select the Certificates tab.</xhtml:li>
								<xhtml:li>Click the View Certificates button.</xhtml:li>
								<xhtml:li>Select the Authorities tab.</xhtml:li>
								<xhtml:li>Click the Import button at the bottom of the
									screen.</xhtml:li>
								<xhtml:li>Navigate to the CA certificate and import it. Determine
									whether the CA should be used to identify web sites, e-mail
									users, and software developers and trust it for each
									accordingly.</xhtml:li>
							</xhtml:ol>
						</description>
          </Group>
          <Group id="gr-networking-tls.3.3" hidden="false">
            <title xml:lang="en-US">Adding a Trusted CA for Evolution</title>
            <description xml:lang="en-US"> The Evolution e-mail client needs to have a
							certificate from the CA that signed the mail server's certificates, so
							that it can authenticate the mail server(s). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Evolution: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
								<xhtml:li>Launch Evolution and choose Preferences from the Edit
									menu.</xhtml:li>
								<xhtml:li>Select Certificates from the icon list on the
									left.</xhtml:li>
								<xhtml:li>Select the Authorities tab.</xhtml:li>
								<xhtml:li>Click the Import button.</xhtml:li>
								<xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
							</xhtml:ol>
						</description>
          </Group>
        </Group>
        <Group id="gr-networking-tls.4" hidden="false">
          <title xml:lang="en-US">Further Resources</title>
          <description xml:lang="en-US">
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>The OpenSSL Project home page at
								http://www.openssl.org</xhtml:li>
							<xhtml:li>The openssl(1) man page</xhtml:li>
						</xhtml:ul>
					</description>
        </Group>
      </Group>
      <Group id="gr-networking.7" hidden="false">
        <title xml:lang="en-US">Uncommon Network Protocols</title>
        <description xml:lang="en-US"> The system includes support for several network
					protocols which are not commonly used. Although security vulnerabilities in
					kernel networking code are not frequently discovered, the consequences can be
					dramatic. Ensuring uncommon network protocols are disabled reduces the system's
					exposure to attacks targeting its implementation of those protocols.</description>
        <Group id="gr-networking.7.1" hidden="false">
          <title xml:lang="en-US">Disable Support for DCCP</title>
          <description xml:lang="en-US"> To prevent the DCCP kernel module from being
						loaded, create /etc/modprobe.d/dccp.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install dccp /bin/true<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Datagram Congestion Control Protocol (DCCP) is a relatively
						new transport layer protocol, designed to support streaming media and
						telephony.</description>
          <Rule id="rule-1117" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Disable Support for DCCP</title>
            <description xml:lang="en-US">Support for DCCP should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-14268-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1117" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking.7.2" hidden="false">
          <title xml:lang="en-US">Disable Support for SCTP</title>
          <description xml:lang="en-US"> To prevent the SCTP kernel module from being
						loaded, create /etc/modprobe.d/sctp.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install sctp /bin/true<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Stream Control Transmission Protocol (SCTP) is a transport
						layer protocol, designed to support the idea of message-oriented
						communication, with several streams of messages within one
						connection.</description>
          <Rule id="rule-1118" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Disable Support for SCTP</title>
            <description xml:lang="en-US">Support for SCTP should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-14132-5</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1118" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-networking.7.3" hidden="false">
          <title xml:lang="en-US">Disable Support for RDS</title>
          <description xml:lang="en-US"> To prevent the RDS kernel module from being
						loaded, create /etc/modprobe.d/rds.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install rds /bin/true<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Reliable Datagram Sockets (RDS) protocol is a transport
						layer protocol designed to provide reliable high-bandwidth, low-latency
						communications between nodes in a cluster.</description>
          <Rule id="rule-1119" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Disable Support for RDS</title>
            <description xml:lang="en-US">Support for RDS should be disabled.</description>
            <ident system="http://cce.mitre.org">CCE-14027-7</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1119" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="gr-logs" hidden="false">
      <title xml:lang="en-US">Logging and Auditing</title>
      <description xml:lang="en-US"> Successful local or network attacks on systems do not
				necessarily leave clear evidence of what happened. It is necessary to build a
				configuration in advance that collects this evidence, both in order to determine
				that something anomalous has occurred, and in order to respond appropriately. In
				addition, a well-configured logging and audit infrastructure will show evidence of
				any misconfiguration which might leave the system vulnerable to attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Logging and auditing take different approaches to collecting data. A
				logging infrastructure provides a framework for individual programs running on the
				system to report whatever events are considered interesting: the sshd program may
				report each successful or failed login attempt, while the sendmail program may
				report each time it sends an e-mail on behalf of a local or remote user. An auditing
				infrastructure, on the other hand, reports each instance of certain low-level
				events, such as entry to the setuid system call, regardless of which program caused
				the event to occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Auditing has the advantage of being more comprehensive, but the
				disadvantage of reporting a large amount of information, most of which is
				uninteresting. Logging (particularly using a standard framework like syslog) has the
				advantage of being compatible with a wide variety of client applications, and of
				reporting only information considered important by each application, but the
				disadvantage that the information reported is not consistent between applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A robust infrastructure will perform both logging and auditing, and will
				use configurable automated methods of summarizing the reported data, so that system
				administrators can remove or compress reports of events known to be uninteresting in
				favor of alert monitoring for events known to be interesting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
				<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section discusses how to configure logging, log monitoring, and
				auditing, using tools included with RHEL6. It is recommended that rsyslog be used for
				logging, with logwatch providing summarization, and that auditd be used for
				auditing, with aureport providing summarization.</description>
      <Group id="gr-logs-syslog" hidden="false">
        <title xml:lang="en-US">Configure Rsyslog</title>
        <description xml:lang="en-US"> Rsyslog is an enhanced, multi-threaded syslog daemon.
		This section discusses how to configure rsyslog for best
		effect, and how to use tools provided with the system to maintain and monitor
		your logs.</description>
        <Rule id="rule-1120" selected="false" weight="10.000000" severity="medium">
          <status date="2010-07-01">accepted</status>
          <title xml:lang="en-US">Rsyslog service is enabled</title>
          <description xml:lang="en-US">The rsyslog service should be enabled.</description>
          <ident system="http://cce.mitre.org">CCE-3679-8</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:org.open-scap.rhel6:def:1120" href="scap-rhel6-oval.xml"/>
          </check>
        </Rule>
        <Group id="gr-logs-syslog.1" hidden="false">
          <title xml:lang="en-US">Ensure All Important Messages are Captured</title>
          <description xml:lang="en-US">
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default RHEL6 rsyslog configuration stores the facilities
						authpriv, cron, and mail in named logs. This guide describes the
						implementation of the following configuration, but any configuration which
						stores the important facilities and is usable by the administrators will suffice:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Store each of the facilities kern, daemon, and syslog in its
								own log, so that it will be easy to access information about
								messages from those facilities. </xhtml:li>
							<xhtml:li>Restrict the information stored in /var/log/messages to only
								the facilities auth and user, and store all messages from those
								facilities. Messages can easily become cluttered otherwise. </xhtml:li>
							<xhtml:li>Store information about all facilities which should not be in
								use at this site in a file called /var/log/unused.log. If any
								messages are logged to this file at some future point, this may be
								an indication that an unknown service is running, and should be
								investigated. In addition, if news and uucp are not in use at this
								site, remove the directive from the default syslog.conf which stores
								those facilities. </xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Making use of the local facilities is also recommended. Specific
						configuration is beyond the scope of this guide, but applications such as
						SSH can easily be configured to log to a local facility which is not being
						used for anything else. If this is done, reconfigure /etc/syslog.conf to
						store this facility in an appropriate named log or in /var/log/messages,
						rather than in /var/log/unused.log.</description>
        </Group>
        <Group id="gr-logs-syslog.2" hidden="false">
          <title xml:lang="en-US">Confirm Existence and Permissions of System Log Files</title>
          <description xml:lang="en-US"> For each log file LOGFILE referenced in
						/etc/rsyslog.conf, run the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># touch LOGFILE</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root LOGFILE</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod 0600 LOGFILE</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Some logs may contain
						sensitive information, so it is better to restrict permissions so that only
						administrative users can read or write logfiles.</description>
          <Value id="var-1121" operator="equals" type="string">
            <title xml:lang="en-US">User that owns log files</title>
            <description xml:lang="en-US">Specify user owner of all logfiles specified
							in /etc/rsyslog.conf.</description>
            <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Value id="var-1122" operator="equals" type="string">
            <title xml:lang="en-US">Group that owns log files</title>
            <description xml:lang="en-US">Specify group owner of all logfiles specified
							in /etc/rsyslog.conf.</description>
            <value>0</value>
            <value selector="root">0</value>
          </Value>
          <Rule id="rule-1121" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">User ownership of System Log Files</title>
            <description xml:lang="en-US">All syslog log files should be owned by user <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1121"/>.</description>
            <ident system="http://cce.mitre.org">CCE-4366-1</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1121" value-id="var-1121"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1121" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1122" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Group ownership of System Log Files</title>
            <description xml:lang="en-US">All syslog log files should be owned by group <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1122"/>.</description>
            <ident system="http://cce.mitre.org">CCE-3701-0</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:org.open-scap.rhel6:var:1122" value-id="var-1122"/>
              <check-content-ref name="oval:org.open-scap.rhel6:def:1122" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
          <Rule id="rule-1123" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Permissions on System Log Files</title>
            <description xml:lang="en-US">File permissions for all syslog log files should be set
							correctly.</description>
            <ident system="http://cce.mitre.org">CCE-4233-3</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1123" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.3" hidden="false">
          <title xml:lang="en-US">Syslog logs should be sent to a remote loghost</title>
          <description xml:lang="en-US">
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If system logs are to be useful in detecting malicious
						activities, it is necessary to send logs to a remote server. An intruder who
						has compromised the root account on a machine may delete the log entries
						which indicate that the system was attacked before they are seen by an
						administrator. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
          </description>
          <Rule id="rule-1124" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Send Logs to a Remote Loghost</title>
            <description xml:lang="en-US">Syslog logs should be sent to a remote loghost</description>
            <ident system="http://cce.mitre.org">CCE-4260-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1124" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.4" hidden="false">
          <title xml:lang="en-US">Rsyslog shouldn't be run in a compatibility mode</title>
          <description xml:lang="en-US">Rsyslog can be run in a compatibility mode which simulates the behavior of its older versions.
		The version to be compatible with is specified with a command line option. It is advisable to run the daemon in a mode
		that matches its current version. Using an older mode may alter your configuration in an unexpected way.
		The mode can be configured by changing the value of the SYSLOGD_OPTIONS variable in /etc/sysconfig/rsyslog.
		</description>
          <Rule id="rule-1125" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Rsyslog shouldn't be run in a compatibility mode</title>
            <description xml:lang="en-US">An appropriate compatibility mode that matches the daemon's current version should be specified
		using the SYSLOGD_OPTIONS variable in /etc/sysconfig/rsyslog.
		</description>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1125" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.5" hidden="false">
          <title xml:lang="en-US">Ensure All Logs are Rotated by logrotate</title>
          <description xml:lang="en-US"> Edit the file /etc/logrotate.d/syslog. Find the
						first line, which should look like this: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> /var/log/messages /var/log/secure /var/log/maillog
						/var/log/spooler /var/log/boot.log /var/log/cron { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit this line so that it contains a one-space-separated listing
						of each log file referenced in /etc/rsyslog.conf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> All logs in use
						on a system must be rotated regularly, or the log files will consume disk
						space over time, eventually interfering with system operation. The file
						/etc/logrotate.d/syslog is the configuration file used by the logrotate
						program to maintain all log files written by syslog. By default, it rotates
						logs weekly and stores four archival copies of each log. These settings can
						be modified by editing /etc/logrotate.conf, but the defaults are sufficient
						for purposes of this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note that logrotate is run nightly by the cron job
						/etc/cron.daily/logrotate. If particularly active logs need to be rotated
						more often than once a day, some other mechanism must be used.</description>
          <Rule id="rule-1126" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">All Logs are Rotated by logrotate</title>
            <description xml:lang="en-US">The logrotate (syslog rotator) service should be
							enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4182-2</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1126" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-syslog.6" hidden="false">
          <title xml:lang="en-US">Monitor Suspicious Log Messages using Logwatch</title>
          <description xml:lang="en-US"> The system includes an extensible program called
						Logwatch for reporting on unusual items in syslog. Logwatch is valuable
						because it provides a parser for the syslog entry format and a number of
						signatures for types of lines which are considered to be mundane or
						noteworthy. Logwatch has a number of downsides: the signatures can be
						inaccurate and are not always categorized consistently, and you must be able
						to program in Perl in order to customize the signature database. However, it
						is recommended that all Linux sites which do not have time to deploy a
						third-party log monitoring application run Logwatch in its default
						configuration. This provides some useful information about system activity
						in exchange for very little administrator effort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide recommends that Logwatch be run only on the central
						logserver, if your site has one, in order to focus administrator attention
						by sending all daily logs in a single e-mail.</description>
          <Group id="gr-logs-syslog.6.1" hidden="false">
            <title xml:lang="en-US">Configure Logwatch on the Central Log Server</title>
            <description xml:lang="en-US"> Is this machine the central log server? If
							so, edit the file /etc/logwatch/conf/logwatch.conf. Add or correct the
							following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">HostLimit = no</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SplitHosts = yes</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">MultiEmail = no</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Service = -zz-disk_space</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> On a central logserver, you want Logwatch to summarize all
							syslog entries, including those which did not originate on the logserver
							itself. The HostLimit setting tells Logwatch to report on all hosts, not
							just the one on which it is running. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If SplitHosts is set, Logwatch will separate entries by
							hostname. This makes the report longer but significantly more usable. If
							it is not set, then Logwatch will not report which host generated a
							given log entry, and that information is almost always necessary. If
							MultiEmail is set, then each host's information will be sent in a
							separate e-mail message. This is a matter of preference.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Service directive -zz-disk_space tells Logwatch not to
							run the zz-disk_space report, which reports on free disk space. Since
							all log monitoring is being done on the central logserver, the disk
							space listing will always be that of the logserver, regardless of which
							host is being monitored. This is confusing, so disable that service.
							Note that this does mean that Logwatch will not monitor disk usage
							information. Many workarounds are possible, such as running df on each
							host daily via cron and sending the output to syslog so that it will be
							reported to the logserver.</description>
          </Group>
          <Group id="gr-logs-syslog.6.2" hidden="false">
            <title xml:lang="en-US">Remove Logwatch on Clients if a Logserver Exists</title>
            <description xml:lang="en-US"> Does your site have a central logserver which
							has been configured to report on logs received from all systems? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum remove logwatch<xhtml:br/>
							</xhtml:code>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If no logserver exists, it will be necessary for each
							machine to run Logwatch individually. Using a central logserver provides
							the security and reliability benefits discussed earlier, and also makes
							monitoring logs easier and less time-intensive for
							administrators.</description>
          </Group>
        </Group>
      </Group>
      <Group id="gr-logs-audit" hidden="false">
        <title xml:lang="en-US">System Accounting with auditd</title>
        <description xml:lang="en-US"> The audit service is the current Linux recommendation
					for kernel-level auditing. By default, the service records SELinux AVC
					denials and certain types of security-relevant events such as system logins,
					account modifications, and authentication events performed by programs such as
					sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Under its default configuration, auditd has modest disk space
					requirements, and should not noticeably impact system performance. The audit
					service, in its default configuration, is strongly recommended for all sites,
					regardless of whether they are running SELinux. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> DoD or federal networks often have substantial auditing requirements
					and auditd can be configured to meet these requirements.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Typical DoD requirements include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
					<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
						<xhtml:li>Ensure Auditing is Configured to Collect Certain System Events <xhtml:ul>
								<xhtml:li>Information on the Use of Print Command (unsuccessful and
									successful)</xhtml:li>
								<xhtml:li>Startup and Shutdown Events (unsuccessful and
									successful)</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Ensure the auditing software can record the following for each
							audit event: <xhtml:ul>
								<xhtml:li>Date and time of the event</xhtml:li>
								<xhtml:li>Userid that initiated the event</xhtml:li>
								<xhtml:li>Type of event</xhtml:li>
								<xhtml:li>Success or failure of the event</xhtml:li>
								<xhtml:li>For I&amp;A events, the origin of the request (e.g.,
									terminal ID)</xhtml:li>
								<xhtml:li>For events that introduce an object into a user’s address
									space, and for object deletion events, the name of the object,
									and in MLS systems, the object’s security level.</xhtml:li>
							</xhtml:ul>
						</xhtml:li>
						<xhtml:li>Ensure files are backed up no less than weekly onto a different
							system than the system being audited or backup media.</xhtml:li>
						<xhtml:li>Ensure old logs are closed out and new audit logs are started
							daily</xhtml:li>
						<xhtml:li>Ensure the configuration is immutable. With the -e 2 setting a
							reboot will be required to change any audit rules.</xhtml:li>
						<xhtml:li>Ensure that the audit data files have permissions of 640, or more
							restrictive.</xhtml:li>
					</xhtml:ul>
				</description>
        <Group id="gr-logs-audit.1" hidden="false">
          <title xml:lang="en-US">Enable the auditd Service</title>
          <description xml:lang="en-US"> Ensure that the auditd service is enabled (this
						is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig auditd on <xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, auditd logs only SELinux denials, which are helpful
						for debugging SELinux and discovering intrusion attempts, and certain types
						of security events, such as modifications to user accounts (useradd, passwd,
						etc), login events, and calls to sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Data is stored in /var/log/audit/audit.log. By default, auditd
						rotates 4 logs by size (5MB), retaining a maximum of 20MB of data in total,
						and refuses to write entries when the disk is too full. This minimizes the
						risk of audit data filling its partition and impacting other services.
						However, it is possible to lose audit data if the system is
						busy.</description>
          <Rule id="rule-1127" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">accepted</status>
            <title xml:lang="en-US">Auditd service is enabled</title>
            <description xml:lang="en-US">The auditd service should be enabled.</description>
            <ident system="http://cce.mitre.org">CCE-4292-9</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1127" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-audit.2" hidden="false">
          <title xml:lang="en-US">Configure auditd Data Retention</title>
          <description xml:lang="en-US">
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Determine STOREMB , the amount of audit data (in megabytes)
								which should be retained in each log file. Edit the file
								/etc/audit/auditd.conf. Add or modify the following line:<xhtml:br/>
								<xhtml:br/> max_log_file = STOREMB</xhtml:li>
							<xhtml:li>Use a dedicated partition (or logical volume) for log files. It
								is straightforward to create such a partition or logical volume
								during system installation time. The partition should be larger than
								the maximum space which auditd will ever use, which is the maximum
								size of each log file (max_log_file) multiplied by the number of log
								files (num_logs). Ensure the partition is mounted on
								/var/log/audit.</xhtml:li>
							<xhtml:li>If your site requires that the machine be disabled when
								auditing cannot be performed, configure auditd to halt the system
								when disk space for auditing runs low. Edit /etc/audit/auditd.conf,
								and add or correct the following lines:<xhtml:br/>
								<xhtml:br/> space_left_action = email<xhtml:br/> action_mail_acct =
								root<xhtml:br/> admin_space_left_action = halt<xhtml:br/>
							</xhtml:li>
						</xhtml:ul> The default action to take when the logs reach their maximum
						size is to rotate the log files, discarding the oldest one. If it is more
						important to retain all possible auditing information, even if that opens
						the possibility of running out of space and taking the action defined by
						admin_space_left_action, add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> max_log_file_action = keep_logs<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, auditd retains 4 log files of size 5MB apiece. For a
						busy system or a system which is thoroughly auditing system activity, this
						is likely to be insufficient.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The log file size needed will depend heavily on what types of
						events are being audited. First configure auditing to log all the events of
						interest. Then monitor the log size manually for a while to determine what
						file size will allow you to keep the required data for the correct time period.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Using a dedicated partition for /var/log/audit prevents the
						auditd logs from disrupting system functionality if they fill the partition, and, more
						importantly, prevents other activity in /var from filling the partition and
						stopping the audit trail. (The audit logs are size-limited and therefore
						unlikely to grow without bound unless configured to do so.) Some machines may
						have requirements that no actions occur which cannot be audited. If this is
						the case, then auditd can be configured to halt the machine if it runs out of space.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Since older logs are rotated, configuring auditd this way
						does not prevent older logs from being rotated away before they can be
						viewed. </description>
          <warning xml:lang="en-US">If your system is configured to halt when logging
						cannot be performed, make sure this can never happen under normal
						circumstances! Ensure that /var/log/audit is on its own partition, and
						that this partition is larger than the maximum amount of data auditd will
						retain normally.</warning>
        </Group>
        <Group id="gr-logs-audit.3" hidden="false">
          <title xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
          <description xml:lang="en-US"> To ensure that all processes can be audited, even
						those which start prior to the audit daemon, add the argument audit=1 to the
						kernel line in /boot/grub/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00
						rhgb quiet audit=1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Each process on the system carries an “auditable” flag which
						indicates whether its activities can be audited. Although auditd takes care
						of enabling this for all processes which launch after it does, adding the
						kernel argument ensures that it is set for every process during boot. </description>
          <Rule id="rule-1128" selected="false" weight="10.000000" severity="medium">
            <status date="2010-07-01">draft</status>
            <title xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
            <description xml:lang="en-US"> To ensure that all processes can be audited, even those which
							start prior to the audit daemon, add the argument audit=1 to the kernel
							line in /boot/grub/grub.conf</description>
            <ident system="http://cce.mitre.org">CCE-15026-8</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:org.open-scap.rhel6:def:1128" href="scap-rhel6-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="gr-logs-audit.4" hidden="false">
          <title xml:lang="en-US">Configure auditd Rules for Comprehensive Auditing</title>
          <description xml:lang="en-US"> The auditd program can perform comprehensive
						monitoring of system activity. This section describes recommended
						configuration settings for comprehensive auditing, but a full description of
						the auditing system’s capabilities is beyond the scope of this guide. The
						mailing list linux-audit@redhat.com may be a good source of further information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The audit subsystem supports extensive collection of events, including:
						<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
							<xhtml:li>Tracing of arbitrary system calls (identified by name or
								number) on entry or exit.</xhtml:li>
							<xhtml:li>Filtering by PID, UID, call success, system call argument
								(with some limitations), etc.</xhtml:li>
							<xhtml:li>Monitoring of specific files for modifications to the file’s
								contents or metadata.</xhtml:li>
						</xhtml:ul>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Auditing rules are controlled in the file /etc/audit/audit.rules.
						Add rules to it to meet the auditing requirements for your organization.
						Each line in /etc/audit/audit.rules represents a series of arguments that
						can be passed to auditctl and can be individually tested as such. See
						documentation in /usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i> and in the related man pages
						for more details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Recommended audit rules are provided in
						/usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i>/stig.rules. In order to activate those rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i>/stig.rules
							/etc/audit/audit.rules<xhtml:br/>
						</xhtml:code>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then edit /etc/audit/audit.rules and comment out the lines
						containing arch= which are not appropriate for your system’s architecture.
						Then review and understand the following rules, ensuring rules are activated
						as needed for the appropriate architecture.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> After reviewing all the rules, reading the following sections,
						and editing as needed, activate the new rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service auditd restart</xhtml:code>
					</description>
          <Group id="gr-logs-audit.4.1" hidden="false">
            <title xml:lang="en-US">Records Events that Modify Date and Time Information</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
							setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S
							stime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S
							clock_settime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/localtime -p wa -k
							time-change </description>
            <Rule id="rule-1129" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Records Events that Modify Date and Time Information</title>
              <description xml:lang="en-US">Audit rules about time</description>
              <ident system="http://cce.mitre.org">CCE-14051-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1129" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.2" hidden="false">
            <title xml:lang="en-US">Record Events that Modify User/Group Information</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
							in order to capture events that modify account information:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/group -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/passwd -p
							wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/gshadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							-w /etc/shadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/security/opasswd -p
							wa -k identity </description>
            <Rule id="rule-1130" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Record Events that Modify User/Group Information</title>
              <description xml:lang="en-US">Audit rules about User/Group Information</description>
              <ident system="http://cce.mitre.org">CCE-14829-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1130" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.3" hidden="false">
            <title xml:lang="en-US">Record Events that Modify the System’s Network Environment</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
							setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a exit,always -F arch=ARCH -S sethostname -S setdomainname
							-k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/issue -p wa -k
							system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/issue.net -p wa -k
							system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/hosts -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							-w /etc/sysconfig/network -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1131" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Record Events that Modify the System’s Network Environment</title>
              <description xml:lang="en-US">Audit rules about the System’s Network
								Environment</description>
              <ident system="http://cce.mitre.org">CCE-14816-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1131" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.4" hidden="false">
            <title xml:lang="en-US">Record Events that Modify the System’s Mandatory Access Controls</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/selinux/ -p wa -k MAC-policy </description>
            <Rule id="rule-1132" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Record Events that Modify the System’s Mandatory Access Controls</title>
              <description xml:lang="en-US">Audit rules about the System’s Mandatory Access
								Controls</description>
              <ident system="http://cce.mitre.org">CCE-14821-3</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1132" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.5" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Logon and Logout Events</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							login info for all users and root. Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/tallylog -p wa -k logins
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/faillock/ -p wa -k logins
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/lastlog -p wa -k logins </description>
            <Rule id="rule-1133" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Auditd Collects Logon and Logout Events</title>
              <description xml:lang="en-US">Audit rules about the Logon and Logout Events</description>
              <ident system="http://cce.mitre.org">CCE-14904-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1133" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.6" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Process and Session Initiation Information</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							process information for all users and root. Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/run/utmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w
							/var/log/btmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/wtmp -p wa -k
							session </description>
            <Rule id="rule-1134" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Process and Session Initiation Information</title>
              <description xml:lang="en-US">Audit rules about the Process and Session Initiation
								Information</description>
              <ident system="http://cce.mitre.org">CCE-14679-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1134" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.7" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							file permission changes for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat
							-F auid&gt;=500 -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
							always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F
							auid&gt;=500 -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
							always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S
							removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F
							auid!=4294967295 -k perm_mod </description>
            <Rule id="rule-1135" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
              <description xml:lang="en-US">Audit rules about the Discretionary Access Control
								Permission Modification Events</description>
              <ident system="http://cce.mitre.org">CCE-14058-2</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1135" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.8" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							unauthorized file accesses for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S creat -S open -S openat -S
							truncate -S ftruncate -F exit=-EACCES -F auid&gt;=500 -F
							auid!=4294967295 -k access<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S
							creat -S open -S openat -S truncate -S ftruncate -F
							exit=-EPERM -F auid&gt;=500 -F auid!=4294967295 -k access </description>
            <Rule id="rule-1136" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
              <description xml:lang="en-US">Audit rules about the Unauthorized Access Attempts to Files
								(unsuccessful)</description>
              <ident system="http://cce.mitre.org">CCE-14917-9</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1136" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.9" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Information on the Use of Privileged Commands</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							the execution of privileged commands for all users and root. Find all set-uid programs by running
							<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">find /bin -type f -perm -04000 2>/dev/null</xhtml:code>
							and for each such program, add a rule similar to the
							following to /etc/audit/audit.rules, replacing /bin/ping with the path to the program in question:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F path=/bin/ping -F perm=x -F auid&gt;=500 -F
							auid!=4294967295 -k privileged </description>
            <Rule id="rule-1137" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Information on the Use of Privileged Commands</title>
              <description xml:lang="en-US">Audit rules about the Information on the Use of Privileged
								Commands</description>
              <ident system="http://cce.mitre.org">CCE-14296-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1137" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.10" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Information on Exporting to Media (successful)</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							media exportation events for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S mount -F auid&gt;=500 -F
							auid!=4294967295 -k export </description>
            <Rule id="rule-1138" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Information on Exporting to Media (successful)</title>
              <description xml:lang="en-US">Audit rules about the Information on Exporting to Media
								(successful)</description>
              <ident system="http://cce.mitre.org">CCE-14569-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1138" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.11" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							file deletion events for all users and root. Add the following to
							/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
							for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename
							-S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete </description>
            <Rule id="rule-1139" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
              <description xml:lang="en-US">Audit rules for file deletion events by user (successful
								and unsuccessful)</description>
              <ident system="http://cce.mitre.org">CCE-14820-5</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1139" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.12" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects System Administrator Actions</title>
            <description xml:lang="en-US"> At a minimum the audit system should collect
							administrator actions for all users and root. Append the following line to /etc/pam.d/system-auth and /etc/pam.d/password-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							session   required pam_tty_audit.so disable=* enable=root
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and the following line to /etc/pam.d/sudo and /etc/pam.d/sudo-i:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							session required pam_tty_audit.so open_only enable=root
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>Also add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/sudoers -p wa -k actions</description>
            <Rule id="rule-1140" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects System Administrator Actions</title>
              <description xml:lang="en-US">Audit rules for system administrator actions (root TTY
								sessions and changes to /etc/sudoers)</description>
              <ident system="http://cce.mitre.org">CCE-14824-7</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1140" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.13" hidden="false">
            <title xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
            <description xml:lang="en-US"> Add the following to /etc/audit/audit.rules
							in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/insmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/rmmod -p
							x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/modprobe -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
							always,exit -F arch=ARCH -S init_module -S delete_module -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
						</description>
            <Rule id="rule-1141" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
              <description xml:lang="en-US">Audit rules for kernel module loading and
								unloading</description>
              <ident system="http://cce.mitre.org">CCE-14688-6</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1141" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
          <Group id="gr-logs-audit.4.14" hidden="false">
            <title xml:lang="en-US">Make the auditd Configuration Immutable</title>
            <description xml:lang="en-US"> Add the following as the last line of /etc/audit/audit.rules
							in order to make the configuration immutable (rules listed after it are not loaded):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -e 2<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
							<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> With this setting, a reboot will be required to change any
							audit rules. </description>
            <Rule id="rule-1142" selected="false" weight="10.000000" severity="medium">
              <status date="2010-07-01">draft</status>
              <title xml:lang="en-US">Make the auditd Configuration Immutable</title>
              <description xml:lang="en-US">Lock the audit configuration so that a reboot is required to change audit rules</description>
              <ident system="http://cce.mitre.org">CCE-14692-8</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:org.open-scap.rhel6:def:1142" href="scap-rhel6-oval.xml"/>
              </check>
            </Rule>
          </Group>
        </Group>
      </Group>
    </Group>
  </Group>
</Benchmark>