/usr/share/openscap/scap-rhel6-xccdf.xml is in libopenscap8 1.0.2-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 2501 2502 2503 2504 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573 2574 2575 2576 2577 2578 2579 2580 2581 2582 2583 2584 2585 2586 2587 2588 2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599 2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652 2653 2654 2655 2656 2657 2658 2659 2660 2661 2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673 2674 2675 2676 2677 2678 2679 2680 2681 2682 2683 2684 2685 2686 2687 2688 2689 2690 2691 2692 2693 2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 2896 2897 2898 2899 2900 2901 2902 2903 2904 2905 2906 2907 2908 2909 2910 2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983 2984 2985 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145 3146 3147 3148 3149 3150 3151 3152 3153 3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 3217 3218 3219 3220 3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279 3280 3281 3282 3283 3284 3285 3286 3287 3288 3289 3290 3291 3292 3293 3294 3295 3296 3297 3298 3299 3300 3301 3302 3303 3304 3305 3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348 3349 3350 3351 3352 3353 3354 3355 3356 3357 3358 3359 3360 3361 3362 3363 3364 3365 3366 3367 3368 3369 3370 3371 3372 3373 3374 3375 3376 3377 3378 3379 3380 3381 3382 3383 3384 3385 3386 3387 3388 3389 3390 3391 3392 3393 3394 3395 3396 3397 3398 3399 3400 3401 3402 3403 3404 3405 3406 3407 3408 3409 3410 3411 3412 3413 3414 3415 3416 3417 3418 3419 3420 3421 3422 3423 3424 3425 3426 3427 3428 3429 3430 3431 3432 3433 3434 3435 3436 3437 3438 3439 3440 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458 3459 3460 3461 3462 3463 3464 3465 3466 3467 3468 3469 3470 3471 3472 3473 3474 3475 3476 3477 3478 3479 3480 3481 3482 3483 3484 3485 3486 3487 3488 3489 3490 3491 3492 3493 3494 3495 3496 3497 3498 3499 3500 3501 3502 3503 3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528 3529 3530 3531 3532 3533 3534 3535 3536 3537 3538 3539 3540 3541 3542 3543 3544 3545 3546 3547 3548 3549 3550 3551 3552 3553 3554 3555 3556 3557 3558 3559 3560 3561 3562 3563 3564 3565 3566 3567 3568 3569 3570 3571 3572 3573 3574 3575 3576 3577 3578 3579 3580 3581 3582 3583 3584 3585 3586 3587 3588 3589 3590 3591 3592 3593 3594 3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 3606 3607 3608 3609 3610 3611 3612 3613 3614 3615 3616 3617 3618 3619 3620 3621 3622 3623 3624 3625 3626 3627 3628 3629 3630 3631 3632 3633 3634 3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 3662 3663 3664 3665 3666 3667 3668 3669 3670 3671 3672 3673 3674 3675 3676 3677 3678 3679 3680 3681 3682 3683 3684 3685 3686 3687 3688 3689 3690 3691 3692 3693 3694 3695 3696 3697 3698 3699 3700 3701 3702 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716 3717 3718 3719 3720 3721 3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741 3742 3743 3744 3745 3746 3747 3748 3749 3750 3751 3752 3753 3754 3755 3756 3757 3758 3759 3760 3761 3762 3763 3764 3765 3766 3767 3768 3769 3770 3771 3772 3773 3774 3775 3776 3777 3778 3779 3780 3781 3782 3783 3784 3785 3786 3787 3788 3789 3790 3791 3792 3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806 3807 3808 3809 3810 3811 3812 3813 3814 3815 3816 3817 3818 3819 3820 3821 3822 3823 3824 3825 3826 3827 3828 3829 3830 3831 3832 3833 3834 3835 3836 3837 3838 3839 3840 3841 3842 3843 3844 3845 3846 3847 3848 3849 3850 3851 3852 3853 3854 3855 3856 3857 3858 3859 3860 3861 3862 3863 3864 3865 3866 3867 3868 3869 3870 3871 3872 3873 3874 3875 3876 3877 3878 3879 3880 3881 3882 3883 3884 3885 3886 3887 3888 3889 3890 3891 3892 3893 3894 3895 3896 3897 3898 3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911 3912 3913 3914 3915 3916 3917 3918 3919 3920 3921 3922 3923 3924 3925 3926 3927 3928 3929 3930 3931 3932 3933 3934 3935 3936 3937 3938 3939 3940 3941 3942 3943 3944 3945 3946 3947 3948 3949 3950 3951 3952 3953 3954 3955 3956 3957 3958 3959 3960 3961 3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973 3974 3975 3976 3977 3978 3979 3980 3981 3982 3983 3984 3985 3986 3987 3988 3989 3990 3991 3992 3993 3994 3995 3996 3997 3998 3999 4000 4001 4002 4003 4004 4005 4006 4007 4008 4009 4010 4011 4012 4013 4014 4015 4016 4017 4018 4019 4020 4021 4022 4023 4024 4025 4026 4027 4028 4029 4030 4031 4032 4033 4034 4035 4036 4037 4038 4039 4040 4041 4042 4043 4044 4045 4046 4047 4048 4049 4050 4051 4052 4053 4054 4055 4056 4057 4058 4059 4060 4061 4062 4063 4064 4065 4066 4067 4068 4069 4070 4071 4072 4073 4074 4075 4076 4077 4078 4079 4080 4081 4082 4083 4084 4085 4086 4087 4088 4089 4090 4091 4092 4093 4094 4095 4096 4097 4098 4099 4100 4101 4102 4103 4104 4105 4106 4107 4108 4109 4110 4111 4112 4113 4114 4115 4116 4117 4118 4119 4120 4121 4122 4123 4124 4125 4126 4127 4128 4129 4130 4131 4132 4133 4134 4135 4136 4137 4138 4139 4140 4141 4142 4143 4144 4145 4146 4147 4148 4149 4150 4151 4152 4153 4154 4155 4156 4157 4158 4159 4160 4161 4162 4163 4164 4165 4166 4167 4168 4169 4170 4171 4172 4173 4174 4175 4176 4177 4178 4179 4180 4181 4182 4183 4184 4185 4186 4187 4188 4189 4190 4191 4192 4193 4194 4195 4196 4197 4198 4199 4200 4201 4202 4203 4204 4205 4206 4207 4208 4209 4210 4211 4212 4213 4214 4215 4216 4217 4218 4219 4220 4221 4222 4223 4224 4225 4226 4227 4228 4229 4230 4231 4232 4233 4234 4235 4236 4237 4238 4239 4240 4241 4242 4243 4244 4245 4246 4247 4248 4249 4250 4251 4252 4253 4254 4255 4256 4257 4258 4259 4260 4261 4262 4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 4299 4300 4301 4302 4303 4304 4305 4306 4307 4308 4309 4310 4311 4312 4313 4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 4326 4327 4328 4329 4330 4331 4332 4333 4334 4335 4336 4337 4338 4339 4340 4341 4342 4343 4344 4345 4346 4347 4348 4349 4350 4351 4352 4353 4354 4355 4356 4357 4358 4359 4360 4361 4362 4363 4364 4365 4366 4367 4368 4369 4370 4371 4372 4373 4374 4375 4376 4377 4378 4379 4380 4381 4382 4383 4384 4385 4386 4387 4388 4389 4390 4391 4392 4393 4394 4395 4396 4397 4398 4399 4400 4401 4402 4403 4404 4405 4406 4407 4408 4409 4410 4411 4412 4413 4414 4415 4416 4417 4418 4419 4420 4421 4422 4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435 4436 4437 4438 4439 4440 4441 4442 4443 4444 4445 4446 4447 4448 4449 4450 4451 4452 4453 4454 4455 4456 4457 4458 4459 4460 4461 4462 4463 4464 4465 4466 4467 4468 4469 4470 4471 4472 4473 4474 4475 4476 4477 4478 4479 4480 4481 4482 4483 4484 4485 4486 4487 4488 4489 4490 4491 4492 4493 4494 4495 4496 4497 4498 4499 4500 4501 4502 4503 4504 4505 4506 4507 4508 4509 4510 4511 4512 4513 4514 4515 4516 4517 4518 4519 4520 4521 4522 4523 4524 4525 4526 4527 4528 4529 4530 4531 4532 4533 4534 4535 4536 4537 4538 4539 4540 4541 4542 4543 4544 4545 4546 4547 4548 4549 4550 4551 4552 4553 4554 4555 4556 4557 4558 4559 4560 4561 4562 4563 4564 4565 4566 4567 4568 4569 4570 4571 4572 4573 4574 4575 4576 4577 4578 4579 4580 4581 4582 4583 4584 4585 4586 4587 4588 4589 4590 4591 4592 4593 4594 4595 4596 4597 4598 4599 4600 4601 4602 4603 4604 4605 4606 4607 4608 4609 4610 4611 4612 4613 4614 4615 4616 4617 4618 4619 4620 4621 4622 4623 4624 4625 4626 4627 4628 4629 4630 4631 4632 4633 4634 4635 4636 4637 4638 4639 4640 4641 4642 4643 4644 4645 4646 4647 4648 4649 4650 4651 4652 4653 4654 4655 4656 4657 4658 4659 4660 4661 4662 4663 4664 4665 4666 4667 4668 4669 4670 4671 4672 4673 4674 4675 4676 4677 4678 4679 4680 4681 4682 4683 4684 4685 4686 4687 4688 4689 4690 4691 4692 4693 4694 4695 4696 4697 4698 4699 4700 4701 4702 4703 4704 4705 4706 4707 4708 4709 4710 4711 4712 4713 4714 4715 4716 4717 4718 4719 4720 4721 4722 4723 4724 4725 4726 4727 4728 4729 4730 4731 4732 4733 4734 4735 4736 4737 4738 4739 4740 4741 4742 4743 4744 4745 4746 4747 4748 4749 4750 4751 4752 4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4765 4766 4767 4768 4769 4770 4771 4772 4773 4774 4775 4776 4777 4778 4779 4780 4781 4782 4783 4784 4785 4786 4787 4788 4789 4790 4791 4792 4793 4794 4795 4796 4797 4798 4799 4800 4801 4802 4803 4804 4805 4806 4807 4808 4809 4810 4811 4812 4813 4814 4815 4816 4817 4818 4819 4820 4821 4822 4823 4824 4825 4826 4827 4828 4829 4830 4831 4832 4833 4834 4835 4836 4837 4838 4839 4840 4841 4842 4843 4844 4845 4846 4847 4848 4849 4850 4851 4852 4853 4854 4855 4856 4857 4858 4859 4860 4861 4862 4863 4864 4865 4866 4867 4868 4869 4870 4871 4872 4873 4874 4875 4876 4877 4878 4879 4880 4881 4882 4883 4884 4885 4886 4887 4888 4889 4890 4891 4892 4893 4894 4895 4896 4897 4898 4899 4900 4901 4902 4903 4904 4905 4906 4907 4908 4909 4910 4911 4912 4913 4914 4915 4916 4917 4918 4919 4920 4921 4922 4923 4924 4925 4926 4927 4928 4929 4930 4931 4932 4933 4934 4935 4936 4937 4938 4939 4940 4941 4942 4943 4944 4945 4946 4947 4948 4949 4950 4951 4952 4953 4954 4955 4956 4957 4958 4959 4960 4961 4962 4963 4964 4965 4966 4967 4968 4969 4970 4971 4972 4973 4974 4975 4976 4977 4978 4979 4980 4981 4982 4983 4984 4985 4986 4987 4988 4989 4990 4991 4992 4993 4994 4995 4996 4997 4998 4999 5000 5001 5002 5003 5004 5005 5006 5007 5008 5009 5010 5011 5012 5013 5014 5015 5016 5017 5018 5019 5020 5021 5022 5023 5024 5025 5026 5027 5028 5029 5030 5031 5032 5033 5034 5035 5036 5037 5038 5039 5040 5041 5042 5043 5044 5045 5046 5047 5048 5049 5050 5051 5052 5053 5054 5055 5056 5057 5058 5059 5060 5061 5062 5063 5064 5065 5066 5067 5068 5069 5070 5071 5072 5073 5074 5075 5076 5077 5078 5079 5080 5081 5082 5083 5084 5085 5086 5087 5088 5089 5090 5091 5092 5093 5094 5095 5096 5097 5098 5099 5100 5101 5102 5103 5104 5105 5106 5107 5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118 5119 5120 5121 5122 5123 5124 5125 5126 5127 5128 5129 5130 5131 5132 5133 5134 5135 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5160 5161 5162 5163 5164 5165 5166 5167 5168 5169 5170 5171 5172 5173 5174 5175 5176 5177 5178 5179 5180 5181 5182 5183 5184 5185 5186 5187 5188 5189 5190 5191 5192 5193 5194 5195 5196 5197 5198 5199 5200 5201 5202 5203 5204 5205 5206 5207 5208 5209 5210 5211 5212 5213 5214 5215 5216 5217 5218 5219 5220 5221 5222 5223 5224 5225 5226 5227 5228 5229 5230 5231 5232 5233 5234 5235 5236 5237 5238 5239 5240 5241 5242 5243 5244 5245 5246 5247 5248 5249 5250 5251 5252 5253 5254 5255 5256 5257 5258 5259 5260 5261 5262 5263 5264 5265 5266 5267 5268 5269 5270 5271 5272 5273 5274 5275 5276 5277 5278 5279 5280 5281 5282 5283 5284 5285 5286 5287 5288 5289 5290 5291 5292 5293 5294 5295 5296 5297 5298 5299 5300 5301 5302 5303 5304 5305 5306 5307 5308 5309 5310 5311 5312 5313 5314 5315 5316 5317 5318 5319 5320 5321 5322 5323 5324 5325 5326 5327 5328 5329 5330 5331 5332 5333 5334 5335 5336 5337 5338 5339 5340 5341 5342 5343 5344 5345 5346 5347 5348 5349 5350 5351 5352 5353 5354 5355 5356 5357 5358 5359 5360 5361 5362 5363 5364 5365 5366 5367 5368 5369 5370 5371 5372 5373 5374 5375 5376 5377 5378 5379 5380 5381 5382 5383 5384 5385 5386 5387 5388 5389 5390 5391 5392 5393 5394 5395 5396 5397 5398 5399 5400 5401 5402 5403 5404 5405 5406 5407 5408 5409 5410 5411 5412 5413 5414 5415 5416 5417 5418 5419 5420 5421 5422 5423 5424 5425 5426 5427 5428 5429 5430 5431 5432 5433 5434 5435 5436 5437 5438 5439 5440 5441 5442 5443 5444 5445 5446 5447 5448 5449 5450 5451 5452 5453 5454 5455 5456 5457 5458 5459 5460 5461 5462 5463 5464 5465 5466 5467 5468 5469 5470 5471 5472 5473 5474 5475 5476 5477 5478 5479 5480 5481 5482 5483 5484 5485 5486 5487 5488 5489 5490 5491 5492 5493 5494 5495 5496 5497 5498 5499 5500 5501 5502 5503 5504 5505 5506 5507 5508 5509 5510 5511 5512 5513 5514 5515 5516 5517 5518 5519 5520 5521 5522 5523 5524 5525 5526 5527 5528 5529 5530 5531 5532 5533 5534 5535 5536 5537 5538 5539 5540 5541 5542 5543 5544 5545 5546 5547 5548 5549 5550 5551 5552 5553 5554 5555 5556 5557 5558 5559 5560 5561 5562 5563 5564 5565 5566 5567 5568 5569 5570 5571 5572 5573 5574 5575 5576 5577 5578 5579 5580 5581 5582 5583 5584 5585 5586 5587 5588 5589 5590 5591 5592 5593 5594 5595 5596 5597 5598 5599 5600 5601 5602 5603 5604 5605 5606 5607 5608 5609 5610 5611 5612 5613 5614 5615 5616 5617 5618 5619 5620 5621 5622 5623 5624 5625 5626 5627 5628 5629 | <?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0" xml:lang="en-US">
<status date="2011-10-12">draft</status>
<title xml:lang="en-US">Example of SCAP Security Guidance</title>
<description xml:lang="en-US">This example security guidance has been created to demonstrate SCAP functionality
on Linux.</description>
<platform idref="cpe:/o:redhat:enterprise_linux:6"/>
<version>0.2</version>
<model system="urn:xccdf:scoring:default"/>
<model system="urn:xccdf:scoring:flat"/>
<Profile id="RHEL6-Default">
<title xml:lang="en-US">Default install settings</title>
<description xml:lang="en-US">This profile is an example policy that simply checks if some of RHEL6 default
install settings have been modified. It is not comprehensive nor checks security hardening. It is just for testing
purposes.</description>
<select idref="rule-1005" selected="true"/>
<select idref="rule-1007" selected="true"/>
<select idref="rule-1008" selected="true"/>
<select idref="rule-1010" selected="true"/>
<select idref="rule-1011" selected="true"/>
<select idref="rule-1012" selected="true"/>
<select idref="rule-1013" selected="true"/>
<select idref="rule-1014" selected="true"/>
<select idref="rule-1015" selected="true"/>
<select idref="rule-1016" selected="true"/>
<select idref="rule-1017" selected="true"/>
<select idref="rule-1018" selected="true"/>
<select idref="rule-1019" selected="true"/>
<select idref="rule-1020" selected="true"/>
<select idref="rule-1021" selected="true"/>
<select idref="rule-1022" selected="true"/>
<select idref="rule-1023" selected="true"/>
<select idref="rule-1024" selected="true"/>
<select idref="rule-1025" selected="true"/>
<select idref="rule-1026" selected="true"/>
<select idref="rule-1027" selected="true"/>
<select idref="rule-1028" selected="true"/>
<refine-value idref="var-1029" selector="022"/>
<select idref="rule-1029" selected="true"/>
<select idref="rule-1031" selected="true"/>
<select idref="rule-1032" selected="true"/>
<select idref="rule-1033" selected="true"/>
<select idref="rule-1035" selected="true"/>
<select idref="rule-1036" selected="true"/>
<select idref="rule-1039" selected="true"/>
<select idref="rule-1040" selected="true"/>
<select idref="rule-1041" selected="true"/>
<refine-value idref="var-1042" selector="0_days"/>
<select idref="rule-1042" selected="true"/>
<refine-value idref="var-1043" selector="99999_days"/>
<select idref="rule-1043" selected="true"/>
<select idref="rule-1044" selected="true"/>
<select idref="rule-1045" selected="true"/>
<select idref="rule-1055" selected="true"/>
<select idref="rule-1056" selected="true"/>
<refine-value idref="var-1059" selector="002"/>
<select idref="rule-1059" selected="true"/>
<select idref="rule-1060" selected="true"/>
<select idref="rule-1061" selected="true"/>
<select idref="rule-1063" selected="true"/>
<select idref="rule-1064" selected="true"/>
<select idref="rule-1065" selected="true"/>
<select idref="rule-1066" selected="true"/>
<select idref="rule-1079" selected="true"/>
<select idref="rule-1080" selected="true"/>
<select idref="rule-1081" selected="true"/>
<select idref="rule-1083" selected="true"/>
<select idref="rule-1087" selected="true"/>
<refine-value idref="var-1089" selector="enabled"/>
<select idref="rule-1089" selected="true"/>
<select idref="rule-1090" selected="true"/>
<select idref="rule-1091" selected="true"/>
<refine-value idref="var-1088" selector="enabled"/>
<select idref="rule-1092" selected="true"/>
<select idref="rule-1093" selected="true"/>
<select idref="rule-1094" selected="true"/>
<select idref="rule-1095" selected="true"/>
<select idref="rule-1096" selected="true"/>
<select idref="rule-1097" selected="true"/>
<select idref="rule-1099" selected="true"/>
<refine-value idref="var-1103" selector="3"/>
<select idref="rule-1103" selected="true"/>
<refine-value idref="var-1104" selector="yes"/>
<select idref="rule-1104" selected="true"/>
<refine-value idref="var-1105" selector="yes"/>
<select idref="rule-1105" selected="true"/>
<refine-value idref="var-1106" selector="yes"/>
<select idref="rule-1106" selected="true"/>
<refine-value idref="var-1107" selector="yes"/>
<select idref="rule-1107" selected="true"/>
<refine-value idref="var-1108" selector="1"/>
<select idref="rule-1108" selected="true"/>
<refine-value idref="var-1109" selector="16"/>
<select idref="rule-1109" selected="true"/>
<select idref="rule-1111" selected="true"/>
<select idref="rule-1112" selected="true"/>
<select idref="rule-1120" selected="true"/>
<select idref="rule-1121" selected="true"/>
<select idref="rule-1122" selected="true"/>
<select idref="rule-1125" selected="true"/>
<select idref="rule-1126" selected="true"/>
<select idref="rule-1127" selected="true"/>
</Profile>
<Group id="gr-intro" hidden="false">
<title xml:lang="en-US">Introduction</title>
<description xml:lang="en-US"> The purpose of this guide is to provide security
configuration recommendations for the Red Hat Enterprise Linux (RHEL) 6 operating
system. The guidance provided here is applicable to desktop systems. Recommended
settings for the basic operating system are provided, as well as for many commonly-used
services that the system can host in a network environment.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The guide is intended for system administrators. Readers are assumed to
possess basic system administration skills for Unix-like systems, as well as some
familiarity with Red Hat's documentation and administration conventions. Some
instructions within this guide are complex. All directions should be followed completely
and with understanding of their effects in order to avoid serious adverse effects on the
system and its security. </description>
</Group>
<Group id="gr-principles" hidden="false">
<title xml:lang="en-US">General Principles</title>
<description xml:lang="en-US"> The following general principles motivate much of the
advice in this guide and should also influence any configuration decisions that are
not explicitly covered.</description>
<Group id="gr-principles-1" hidden="false" weight="10.000000">
<title xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title>
<description xml:lang="en-US"> Data transmitted over a network, whether wired or
wireless, is susceptible to passive monitoring. Whenever practical solutions for
encrypting such data exist, they should be applied. Even if data is expected to
be transmitted only over a local network, it should still be encrypted.
Encrypting authentication data, such as passwords, is particularly important.
Networks of RHEL machines can and should be configured so that no unencrypted
authentication data is ever transmitted between machines.</description>
</Group>
<Group id="gr-principles-2" hidden="false">
<title xml:lang="en-US">Minimize Software to Minimize Vulnerability</title>
<description xml:lang="en-US"> The simplest way to avoid vulnerabilities in software
is to avoid installing that software. On RHEL, the RPM Package Manager
(originally Red Hat Package Manager, abbreviated RPM) allows detailed
management of the set of software packages installed on a system. Installed
software contributes to system vulnerability in several ways. Packages that
include setuid programs may provide local attackers a potential path to
privilege escalation. Packages that include network services may give this
opportunity to network-based attackers. Packages that include programs which are
predictably executed by local users (e.g. after graphical login) may provide
opportunities for trojan horses or other attack code to be run undetected. The
number of software packages installed on a system can almost always be
significantly pruned to include only the software for which there is an
environmental or operational need.</description>
</Group>
<Group id="gr-principles-3" hidden="false">
<title xml:lang="en-US">Run Different Network Services on Separate Systems</title>
<description xml:lang="en-US"> Whenever possible, a server should be dedicated to
serving exactly one network service. This limits the number of other services
that can be compromised in the event that an attacker is able to successfully
exploit a software flaw in one network service.</description>
</Group>
<Group id="gr-principles-4" hidden="false">
<title xml:lang="en-US">Configure Security Tools to Improve System Robustness</title>
<description xml:lang="en-US"> Several tools exist which can be effectively used to
improve a system's resistance to and detection of unknown attacks. These tools
can improve robustness against attack at the cost of relatively little
configuration effort. In particular, this guide recommends and discusses the use
of Iptables for host-based firewalling, SELinux for protection against
vulnerable services, and a logging and auditing infrastructure for detection of
problems.</description>
</Group>
<Group id="gr-principles-5" hidden="false">
<title xml:lang="en-US">Least Privilege</title>
<description xml:lang="en-US"> Grant the least privilege necessary for user accounts
and software to perform tasks. For example, do not allow users except those that
need administrator access to use sudo. Another example is to limit logins on
server systems to only those administrators who need to log into them in order
to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on
the system that are specifically allowed. This can be far more restrictive than
the actions permissible by the traditional Unix permissions model.</description>
</Group>
</Group>
<Group id="gr-configuration" hidden="false">
<title xml:lang="en-US">System-wide Configuration</title>
<Group id="gr-software" hidden="false">
<title xml:lang="en-US">Installing and Maintaining Software</title>
<description xml:lang="en-US"> The following sections contain information on
security-relevant choices during the initial operating system installation process
and the setup of software updates.</description>
<Group id="gr-installation" hidden="false">
<title xml:lang="en-US">Initial Installation Recommendations</title>
<description xml:lang="en-US"> The recommendations here apply to a clean
installation of the system, where any previous installations are wiped out. The
sections presented here are in the same order that the installer presents, but
only installation choices with security implications are covered. Many of the
configuration choices presented here can also be applied after the system is
installed. The choices can also be automatically applied via Kickstart
files.</description>
<Group id="gr-installation-1" hidden="false">
<title xml:lang="en-US">Disk Partitioning</title>
<description xml:lang="en-US"> Some system directories should be placed on their
own partitions (or logical volumes). This allows for better separation and
protection of data. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The installer’s default partitioning scheme
creates separate partitions (or logical volumes) for /, /boot, and swap.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>If starting with any of the default layouts, check the box to
“Review and modify partitioning.” This allows for the easy creation
of additional logical volumes inside the volume group already
created, though it may require making /’s logical volume smaller to
create space. In general, using logical volumes is preferable to
using partitions because they can be more easily adjusted
later.</xhtml:li>
<xhtml:li>If creating a custom layout, create the partitions mentioned
in the previous paragraph (which the installer will require anyway),
as well as separate ones described in the following
sections.</xhtml:li>
</xhtml:ul>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If a system has already been installed, and the default
partitioning scheme was used, it is possible but nontrivial to modify it to
create separate logical volumes for the directories listed above. The
Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at
http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM. </description>
<Group id="gr-installation-1.1" hidden="false">
<title xml:lang="en-US">Create Separate Partition or Logical Volume for /tmp</title>
<description xml:lang="en-US"> The /tmp directory is a world-writable
directory used for temporary file storage. Ensure that it has its own
partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because software may need to use /tmp to temporarily store
large files, ensure that it is of adequate size. For a modern,
general-purpose system, 10GB should be adequate. Smaller or larger sizes
could be used, depending on the availability of space on the drive and
the system’s operating requirements </description>
<Rule id="rule-1000" selected="false" weight="10.000000">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure that /tmp has its own partition or logical volume</title>
<description xml:lang="en-US">The /tmp directory is a world-writable
directory used for temporary file storage. Ensure that it has its own
partition or logical volume.</description>
<ident system="http://cce.mitre.org">CCE-14161-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1000" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-installation-1.2" hidden="false">
<title xml:lang="en-US">Create Separate Partition or Logical Volume for /var</title>
<description xml:lang="en-US"> The /var directory is used by daemons and
other system services to store frequently-changing data. It is not
uncommon for the /var directory to contain world-writable directories,
installed by other software packages. Ensure that /var has its own
partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because the yum package manager and other software uses /var
to temporarily store large files, ensure that it is of adequate size. For
a modern, general-purpose system, 10GB should be adequate. </description>
<Rule id="rule-1001" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure that /var has its own partition or logical volume</title>
<description xml:lang="en-US">The /var directory is used by daemons and
other system services to store frequently-changing data. It is not
uncommon for the /var directory to contain world-writable
directories, installed by other software packages. Ensure that /var
has its own partition or logical volume.</description>
<ident system="http://cce.mitre.org">CCE-14777-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1001" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-installation-1.3" hidden="false">
<title xml:lang="en-US">Create Separate Partition or Logical Volume for /var/log</title>
<description xml:lang="en-US"> System logs are stored in the /var/log
directory. Ensure that it has its own partition or logical volume.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> See 2.6 for more information about logging and
auditing.</description>
<Rule id="rule-1002" selected="false" weight="10.000000">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure that /var/log has its own partition or logical volume</title>
<description xml:lang="en-US"> System logs are stored in the /var/log
directory. Ensure that it has its own partition or logical
volume.</description>
<ident system="http://cce.mitre.org">CCE-14011-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1002" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-installation-1.4" hidden="false">
<title xml:lang="en-US">Create Separate Partition or Logical Volume for /var/log/audit</title>
<description xml:lang="en-US"> Audit logs are stored in the /var/log/audit
directory. Ensure that it has its own partition or logical volume. Make
absolutely certain that it is large enough to store all audit logs that
will be created by the auditing daemon.</description>
<Rule id="rule-1003" selected="false" weight="10.000000">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure that /var/log/audit has its own partition or logical volume</title>
<description xml:lang="en-US"> Audit logs are stored in the
/var/log/audit directory. Ensure that it has its own partition or
logical volume. Make absolutely certain that it is large enough to
store all audit logs that will be created by the auditing
daemon.</description>
<ident system="http://cce.mitre.org">CCE-14171-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1003" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-installation-1.5" hidden="false">
<title xml:lang="en-US">Create Separate Partition or Logical Volume for /home if Using Local Home Directories</title>
<description xml:lang="en-US"> If user home directories will be stored
locally, create a separate partition for /home. If /home will be mounted
from another system such as an NFS server, then creating a separate
partition is not necessary at this time, and the mountpoint can instead
be configured later.</description>
<Rule id="rule-1004" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure that /home has its own partition or logical volume</title>
<description xml:lang="en-US"> If user home directories will be stored
locally, create a separate partition for /home. If /home will be
mounted from another system such as an NFS server, then creating a
separate partition is not necessary at this time, and the mountpoint
can instead be configured later.</description>
<ident system="http://cce.mitre.org">CCE-14559-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1004" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-installation-2" hidden="false">
<title xml:lang="en-US">Boot Loader Configuration</title>
<description xml:lang="en-US"> Check the box to "Use a boot loader password" and
create a password. Once this password is set, anyone who wishes to change
the boot loader configuration will need to enter it. Assigning a boot loader password
prevents a local user with physical access from altering the boot loader configuration
at system startup. </description>
</Group>
<Group id="gr-installation-3" hidden="false">
<title xml:lang="en-US">First-boot Configuration</title>
<description xml:lang="en-US"> The system presents more configuration options
during the first boot after installation. For the screens listed, implement
the security-related recommendations:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li> Set Up Software Updates - If the system is
connected to the Internet now, click 'Yes, I'd like to register now.'
This will require a connection to either the Red Hat Network servers or
their proxies or satellites.</xhtml:li>
<xhtml:li> Create User - If the system
will require a local user account, it can be created here. Even if the
system will be using a network-wide authentication system,
do not click on the 'Use Network Login...' button.
Manually applying configuration later is preferable.</xhtml:li>
<xhtml:li> Kdump - Leave Kdump
off unless the feature is required, such as for kernel development and
testing.</xhtml:li>
<xhtml:li> Firewall - Leave set to 'Enabled.' Only check the 'Trusted
Services' that this system needs to serve. Uncheck the default selection
of SSH if the system does not need to serve SSH.</xhtml:li>
<xhtml:li> SELinux - Leave SELinux set to 'Enforcing' mode.</xhtml:li>
</xhtml:ul>
</description>
</Group>
</Group>
<Group id="gr-updating" hidden="false">
<title xml:lang="en-US">Updating Software</title>
<description xml:lang="en-US"> The yum command line tool is used to install and
update software packages. Yum replaces the up2date utility used in previous
system releases. The system also provides PackageKit, which is a graphical package manager.
It consists of several graphical interfaces that can be opened from the GNOME panel menu,
or from the Notification Area when PackageKit alerts you that updates are available.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is recommended that these tools be used to keep systems up to
date with the latest security patches. </description>
<Group id="gr-updating-1" hidden="false">
<title xml:lang="en-US">Ensure Red Hat GPG Keys are Installed</title>
<description xml:lang="en-US"> To ensure that the system can
cryptographically verify update packages (and also connect to the Red
Hat Network to receive them if desired) run the following command to
ensure that the system has the Red Hat GPG keys properly installed:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -q gpg-pubkey</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command should return the strings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg-pubkey-fd431d51-4ae0493b</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg-pubkey-2fa658e0-45700c69</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
corresponding to these keys:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)</xhtml:code></description>
<Rule id="rule-1005" selected="false" weight="10.000000">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Red Hat GPG Keys are Installed</title>
<description xml:lang="en-US">The GPG keys should be installed.</description>
<ident system="http://cce.mitre.org">CCE-14440-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1005" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-updating-2" hidden="false">
<title xml:lang="en-US">Configure Connection to the RHN RPM Repositories</title>
<description xml:lang="en-US">
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml" class="block"> The first step in configuring a system for updates
is to register with the Red Hat Network (RHN). For most systems, this is
done during the initial installation. Successfully registered systems
will appear on the RHN web site. If the system is not listed, run the
Red Hat Subscription Manager tool, which can be found in the
<xhtml:b>System => Administration</xhtml:b> menu in the top management bar.
or on the command line: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># subscription-manager register --username admin-example --password secret
</xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Follow the prompts on the screen. If successful, the system
will appear on the RHN web site and be subscribed to one or more
software update channels. Additionally, a new daemon, rhnsd, will be
enabled.</xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml" class="block"> If the system will not have access to the Internet, it will not
be able to directly subscribe to the RHN update repository. Updates will
have to be downloaded from the RHN web site manually. The command line tool
yum and the graphical front-end PackageKit can be configured to handle
this situation. </xhtml:p> </description>
</Group>
<Group id="gr-updating-3" hidden="false">
<title xml:lang="en-US">Disable the rhnsd Daemon</title>
<description xml:lang="en-US"> The rhnsd daemon polls the Red Hat Network web
site for scheduled actions. Unless it is actually necessary to schedule
updates remotely through the RHN website, it is recommended that the service
be disabled.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rhnsd daemon is enabled by default, but until the system has
been registered with the Red Hat Network, it will not run. However, once the
registration process is complete, the rhnsd daemon will run in the
background and periodically call the rhn check utility. It is the rhn check
utility that communicates with the Red Hat Network web site.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This utility is not required for the system to be able to access
and install system updates. Once the system has been registered, either use
the provided yum-updatesd service or create a cron job to automatically
apply updates. </description>
<Rule id="rule-1006" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Disable the rhnsd Daemon</title>
<description xml:lang="en-US">The rhnsd service should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-3416-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1006" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-updating-4" hidden="false">
<title xml:lang="en-US">Obtain Software Package Updates with yum</title>
<description xml:lang="en-US"> The yum update utility can be run by hand from
the command line, called through one of the provided front-end tools, or
configured to run automatically at specified intervals.</description>
<Group id="gr-updating-4.1" hidden="false">
<title xml:lang="en-US">Manually Update Packages Where Appropriate</title>
<description xml:lang="en-US"> The following command prints a list of
packages that need to be updated:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum check-update</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To actually install these updates, run:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum update</xhtml:code>
</description>
</Group>
<Group id="gr-updating-4.2" hidden="false">
<title xml:lang="en-US">Configure Automatic Update Retrieval and Installation with Cron</title>
<description xml:lang="en-US"> Create the file yum.cron, make it executable, and place it
in /etc/cron.daily:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
#!/bin/sh <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
/usr/bin/yum -R 10 -e 0 -d 0 -y update <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This particular script instructs yum to update any packages
it finds. Placing the script in /etc/cron.daily ensures its daily
execution. To only apply updates once a week, place the script in
/etc/cron.weekly instead. </description>
</Group>
<Group id="gr-updating-4.3" hidden="false">
<title xml:lang="en-US">Ensure Package Signature Checking is Globally Activated</title>
<description xml:lang="en-US"> The gpgcheck option should be used to ensure
that checking of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To force yum to check package signatures before installing
them, ensure that the following line appears in /etc/yum.conf in the
[main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<Rule id="rule-1007" selected="false" weight="10.000000">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">gpgcheck is Globally Activated</title>
<description xml:lang="en-US"> The gpgcheck option should be used to ensure that checking
of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check package signatures before
installing them, ensure that the following line appears in
/etc/yum.conf in the [main] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=1</description>
<ident system="http://cce.mitre.org">CCE-14914-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1007" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-updating-4.4" hidden="false">
<title xml:lang="en-US">Ensure Package Signature Checking is Not Disabled For Any Repos</title>
<description xml:lang="en-US"> To ensure that signature checking is not
disabled for any repos, ensure that the following line DOES NOT appear
in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> gpgcheck=0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<Rule id="rule-1008" selected="false" weight="10.000000">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Package Signature Checking is Not Disabled For Any Repos</title>
<description xml:lang="en-US"> To ensure that signature checking is not disabled for any
repos, ensure that the following line DOES NOT appear in any repo
configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>gpgcheck=0</description>
<ident system="http://cce.mitre.org">CCE-14813-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1008" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-updating-4.5" hidden="false">
<title xml:lang="en-US">Ensure Repodata Signature Checking is Globally Activated</title>
<description xml:lang="en-US"> The repo_gpgcheck option should be used to
ensure that checking of a signature on repodata is performed prior to
using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To force yum to check the signature on repodata sent by a
repository prior to using it, ensure that the following line appears in
/etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> repo_gpgcheck=1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
</Group>
<Group id="gr-updating-4.6" hidden="false">
<title xml:lang="en-US">Ensure Repodata Signature Checking is Not Disabled For Any Repos</title>
<description xml:lang="en-US"> To ensure that signature checking is not
disabled for any repos, ensure that the following line DOES NOT appear
in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> repo_gpgcheck=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Red Hat’s repositories support signatures on repodata,
but some public repositories do not. If a repository does not support
signature checking on repodata, then this risk must be weighed against
the value of using the repository. </description>
</Group>
</Group>
</Group>
<Group id="gr-integrity" hidden="false">
<title xml:lang="en-US">Software Integrity Checking</title>
<description xml:lang="en-US"> Integrity checking cannot prevent intrusions into your
system, but can detect that they have occurred. Any integrity checking software
should be configured before the system is deployed and able to provides services
to users. Ideally, the integrity checking database would be built before the system
is connected to any network, though this may prove impractical due to registration
and software updates. </description>
<Group id="gr-integrity-1" hidden="false">
<title xml:lang="en-US">Verify Package Integrity Using RPM</title>
<description xml:lang="en-US"> The RPM package management system includes the
ability to verify the integrity of installed packages by comparing the
installed files with information about the files taken from the package
metadata stored in the RPM database. Although an attacker could corrupt the
RPM database (analogous to attacking the AIDE database as described above),
this check can still reveal modification of important files.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To determine which files on the system differ from what is
expected by the RPM database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -Va<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A “c” in the second column indicates that a file is a
configuration file (and may be expected to change). In order to exclude
configuration files from this list, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -Va | awk '$2!="c" {print $0}'<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The man page rpm(8) describes the format of the output. Any files
that do not match the expected output demand further investigation if the
system is being seriously examined. This check could also be run as a cron
job. </description>
<Rule id="rule-1009" selected="false" weight="10.000000">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Package Integrity is correct according to package management system</title>
<description xml:lang="en-US">Verify the integrity of installed packages by comparing the
installed files with information about the files taken from the package
metadata stored in the RPM database.</description>
<ident system="http://cce.mitre.org">CCE-14931-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:tst:1009" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="gr-permissions" hidden="false">
<title xml:lang="en-US">File Permissions and Masks</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or modifying files
to which they should not have access. Adhere to the principle of least privilege —
configure each file, directory, and filesystem to allow only the access needed in
order for that file to serve its purpose. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> However, Linux systems contain a large number of files, so it is often
prohibitively time-consuming to ensure that every file on a machine has exactly the
permissions needed. This section introduces several permission restrictions which
are almost always appropriate for system security, and which are easy to test and
correct. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Note: Several of the commands in this section search filesystems for
files or directories with certain characteristics, and are intended to be run on
every local ext2, ext3 or ext4 partition on a given machine. When the variable
<xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> appears in one of the commands below, it means that
the command is intended to be run repeatedly, with the name of each local partition
substituted for <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> in turn. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command prints a list of ext2, ext3 and ext4 partitions on a
given machine: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ mount -t ext2,ext3,ext4 | awk '{print $3}'</xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If your site uses a local filesystem type other than those, you
will need to modify this command. </xhtml:p> </description>
<Group id="gr-verify-files" hidden="false">
<title xml:lang="en-US">Verify Permissions on Important Files and Directories</title>
<description xml:lang="en-US"> Permissions for many files on a system should be set
to conform to system policy. This section discusses important permission
restrictions which should be checked on a regular basis to ensure that
no harmful discrepancies have arisen.</description>
<Group id="gr-verify-shadow" hidden="false">
<title xml:lang="en-US">Verify Permissions on passwd, shadow, group and gshadow Files</title>
<description xml:lang="en-US"> Many utilities need read access to the passwd file in order to
function properly, but read access to the shadow file allows malicious
attacks against system passwords, and should never be enabled.</description>
<Rule id="rule-1010" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">User ownership of 'shadow' file</title>
<description xml:lang="en-US">The /etc/shadow file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-3918-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1010" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1011" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Group ownership of 'shadow' file</title>
<description xml:lang="en-US">The /etc/shadow file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-3988-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1011" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1012" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">User ownership of 'group' file</title>
<description xml:lang="en-US">The /etc/group file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-3276-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1012" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1013" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Group ownership of 'group' file</title>
<description xml:lang="en-US">The /etc/group file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-3883-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1013" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1014" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">User ownership of 'gshadow' file</title>
<description xml:lang="en-US">The /etc/gshadow file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-4210-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1014" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1015" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Group ownership of 'gshadow' file</title>
<description xml:lang="en-US">The /etc/gshadow file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-4064-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1015" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1016" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">User ownership of 'passwd' file</title>
<description xml:lang="en-US">The /etc/passwd file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-3958-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1016" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1017" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Group ownership of 'passwd' file</title>
<description xml:lang="en-US">The /etc/passwd file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-3495-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1017" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1018" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Permissions on 'shadow' file</title>
<description xml:lang="en-US">File permissions for /etc/shadow should be set
correctly.</description>
<ident system="http://cce.mitre.org">CCE-4130-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1018" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1019" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Permissions on 'group' file</title>
<description xml:lang="en-US">File permissions for /etc/group should be set
correctly.</description>
<ident system="http://cce.mitre.org">CCE-3967-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1019" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1020" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Permissions on 'gshadow' file</title>
<description xml:lang="en-US">File permissions for /etc/gshadow should be set
correctly.</description>
<ident system="http://cce.mitre.org">CCE-3932-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1020" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1021" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Permissions on 'passwd' file</title>
<description xml:lang="en-US">File permissions for /etc/passwd should be set
correctly.</description>
<ident system="http://cce.mitre.org">CCE-3566-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1021" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-verify-sticky" hidden="false">
<title xml:lang="en-US">Verify that All World-Writable Directories Have Sticky Bits Set</title>
<description xml:lang="en-US"> When the so-called 'sticky bit' is set on a
directory, only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a directory
may remove any file in the directory. Setting the sticky bit prevents users
from removing each other's files. In cases where there is no reason for a
directory to be world-writable, a better solution is to remove that
permission rather than to set the sticky bit. However, if a directory is
used by a particular application, consult that application's documentation
instead of blindly changing modes.</description>
<Rule id="rule-1022" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">All World-Writable Directories Have Sticky Bits Set</title>
<description xml:lang="en-US">The sticky bit should be set for all world-writable
directories.</description>
<ident system="http://cce.mitre.org">CCE-3399-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1022" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-verify-fwritable" hidden="false">
<title xml:lang="en-US">Find Unauthorized World-Writable Files</title>
<description xml:lang="en-US"> Data in world-writable files can be modified by
any user on the system. In almost all circumstances, files can be configured
using a combination of user and group permissions to support whatever
legitimate access is needed without the risk caused by world-writable files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is generally a good idea to remove global (other) write
access to a file when it is discovered. However, check with documentation
for specific applications before making changes. Also, monitor for recurring
world-writable files, as these may be symptoms of a misconfigured
application or user account. </description>
<Rule id="rule-1023" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Unauthorized World-Writable Files</title>
<description xml:lang="en-US">The world-write permission should be disabled for all
files.</description>
<ident system="http://cce.mitre.org">CCE-3795-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1023" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-verify-suid" hidden="false">
<title xml:lang="en-US">Find Unauthorized SUID/SGID System Executables</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command discovers and prints any
setuid or setgid files on local partitions. Run it once for each local
partition: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If the file does not require a setuid or setgid bit, then these bits can be removed with the command: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> chmod -s file </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following table contains all setuid and setgid files which
are expected to be on a stock system. To reduce system risk, the packages containing these files may be removed
in some cases; alternatively, the setuid or setgid bit on these
files may be disabled to reduce system risk if only an administrator
requires their functionality. </xhtml:p>
<xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:tr>
<xhtml:th>File</xhtml:th>
<xhtml:th>Set-UID</xhtml:th>
<xhtml:th>Set-GID</xhtml:th>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/bin/cgexec</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>cgred</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/bin/fusermount</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/bin/mount</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/bin/ping6</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/bin/ping</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/bin/su</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/bin/umount</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/lib64/dbus-1/dbus-daemon-launch-helper</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/lib/dbus-1/dbus-daemon-launch-helper</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/sbin/mount.ecryptfs_private</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/sbin/mount.nfs</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/sbin/netreport</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>root</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/sbin/pam_timestamp_check</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/sbin/unix_chkpwd</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/at</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/chage</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/chfn</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/chsh</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/crontab</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>root</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/gnomine</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>games</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/gpasswd</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/iagno</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>games</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/kgrantpty</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/kpac_dhcp_helper</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/ksu</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/locate</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>slocate</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/lockfile</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mail</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/newgrp</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/newrole</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/passwd</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/pkexec</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/rcp</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/rlogin</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/rsh</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/same-gnome</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>games</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/screen</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>screen</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/sperl5.10.1</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/ssh-agent</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>nobody</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/staprun</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/sudoedit</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/sudo</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/wall</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>tty</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/write</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>tty</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/bin/Xorg</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/amanda/calcsize</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/amanda/dumper</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/amanda/killpgrp</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/amanda/planner</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/amanda/rundump</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/amanda/runtar</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/nspluginwrapper/plugin-config</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib64/vte/gnome-pty-helper</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>utmp</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/amanda/calcsize</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/amanda/dumper</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/amanda/killpgrp</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/amanda/planner</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/amanda/rundump</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/amanda/runtar</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/libexec/kde4/kdesud</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>root</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/libexec/mc/cons.saver</xhtml:td>
<xhtml:td>vcsa</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/libexec/openssh/ssh-keysign</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/libexec/polkit-1/polkit-agent-helper-1</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/libexec/pt_chown</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/libexec/pulse/proximity-helper</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/libexec/utempter/utempter</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>utmp</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/admindb</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/admin</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/confirm</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/create</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/edithtml</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/listinfo</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/options</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/private</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/rmlist</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/roster</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/cgi-bin/subscribe</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/mailman/mail/mailman</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>mailman</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/nspluginwrapper/plugin-config</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/lib/vte/gnome-pty-helper</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>utmp</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/amcheck</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/lockdev</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>lock</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/postdrop</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>postdrop</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/postqueue</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>postdrop</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/sendmail.sendmail</xhtml:td>
<xhtml:td>-</xhtml:td>
<xhtml:td>smmsp</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/seunshare</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/suexec</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/userhelper</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
<xhtml:tr>
<xhtml:td>/usr/sbin/usernetctl</xhtml:td>
<xhtml:td>root</xhtml:td>
<xhtml:td>-</xhtml:td>
</xhtml:tr>
</xhtml:table>
</description>
<Rule id="rule-1024" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Unauthorized SGID System Executables</title>
<description xml:lang="en-US">The sgid bit should not be set for all files.</description>
<ident system="http://cce.mitre.org">CCE-14340-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1024" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1025" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Unauthorized SUID System Executables</title>
<description xml:lang="en-US">The suid bit should not be set for all files.</description>
<ident system="http://cce.mitre.org">CCE-14340-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1025" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-verify-unowned" hidden="false">
<title xml:lang="en-US">Find and Repair Unowned Files</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The following command will discover and print any
files on local partitions which do not belong to a valid user and a valid
group. Run it once for each local partition PART: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART
-xdev \( -nouser -o -nogroup \) -print </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If this command
prints any results, investigate each reported file and either assign it to
an appropriate user and group or remove it. Unowned files are not directly
exploitable, but they are generally a sign that something is wrong with some
system process. They may be caused by an intruder, by incorrect software
installation or draft software removal, or by failure to remove all files
belonging to a deleted account. The files should be repaired so that they
will not cause problems when accounts are created in the future, and the
problem which led to unowned files should be discovered and
addressed.</xhtml:p> </description>
<Rule id="rule-1026" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Files unowned by any user</title>
<description xml:lang="en-US">All files should be owned by a user</description>
<ident system="http://cce.mitre.org">CCE-4223-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1026" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1027" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Files unowned by any group</title>
<description xml:lang="en-US">All files should be owned by a group</description>
<ident system="http://cce.mitre.org">CCE-3573-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1027" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-verify-dwritable" hidden="false">
<title xml:lang="en-US">Verify that All World-Writable Directories Have Proper Ownership</title>
<description xml:lang="en-US"> Locate any directories in local partitions which
are world-writable and ensure that they are owned by root or another system
account. The following command will discover and print these (assuming only
system accounts have a uid lower than 500). Run it once for each local
partition PART:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d -perm -0002 -uid +500
-print<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If this command produces any output, investigate why the current
owner is not root or another system account.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Allowing a user account to own a world-writeable directory is
undesirable because it allows the owner of that directory to remove or
replace any files that may be placed in the directory by other
users.</description>
<Rule id="rule-1028" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">World writable directories not owned by a system account</title>
<description xml:lang="en-US">All world writable directories should be owned by a system
user</description>
<ident system="http://cce.mitre.org">CCE-14794-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1028" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-restrict" hidden="false">
<title xml:lang="en-US">Restrict Programs from Dangerous Execution Patterns</title>
<description xml:lang="en-US"> The recommendations in this section provide broad
protection against information disclosure or other misbehavior. These
protections are applied at the system initialization or kernel level, and defend
against certain types of badly-configured or compromised programs.</description>
<Group id="gr-restrict-umask" hidden="false">
<title xml:lang="en-US">Set Daemon umask</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The file /etc/rc.d/init.d/functions
which is used by most or all shell scripts in the /etc/init.d directory, set an umask.
The system umask
must be set to at least 022, or daemon processes may create world-writable
files. The more restrictive setting 027 protects files, including temporary
files and log files, from unauthorized reading by unprivileged users on the
system. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If a particular daemon needs a less restrictive umask, consider
editing the startup script or sysconfig file of that daemon to make a
specific exception.</xhtml:p> </description>
<Value id="var-1029" operator="equals" type="string">
<title xml:lang="en-US">daemon umask</title>
<description xml:lang="en-US">Enter umask for daemons</description>
<value>027</value>
<value selector="022">022</value>
<value selector="027">027</value>
</Value>
<Rule id="rule-1029" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Daemon umask setting</title>
<description xml:lang="en-US">The daemon umask should be set as appropriate</description>
<ident system="http://cce.mitre.org">CCE-4220-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1029" value-id="var-1029"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1029" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-restrict-dumps" hidden="false">
<title xml:lang="en-US">Disable Core Dumps</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> A core dump file is the memory image of an
executable program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers would legitimately
need to access these files. The core dump files may also contain sensitive
information, or unnecessarily occupy large amounts of disk space. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> By default, the system sets a soft limit to stop the creation of
core dump files for all users. However, compliance with
this limit is voluntary; it is a default intended only to protect users from
the annoyance of generating unwanted core files. Users can increase the
allowed core file size up to the hard limit, which is unlimited by default.
Once a hard limit is set in /etc/security/limits.conf, </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> * hard core 0 </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">
the user cannot increase that limit within his own session. If access to core dumps
is required, consider restricting them to only certain users or groups. See
the limits.conf man page for more information. </xhtml:p> </description>
<Rule id="rule-1030" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Disable Core Dumps for all users</title>
<description xml:lang="en-US">Core dumps for all users should be disabled</description>
<ident system="http://cce.mitre.org">CCE-4225-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1030" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-restrict-SUID_Dumps" hidden="false">
<title xml:lang="en-US">Ensure SUID Core Dumps are Disabled</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The sysctl variable fs.suid_dumpable
controls whether the kernel allows core dumps from these programs at all. It
should be checked to ensure that it has not been enabled at any time during
system operation. To check this, issue the command: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl fs.suid_dumpable </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The output should indicate that the setting is 0. (Use of
the -n option causes output to consist of only the value, which may make
automated checking easier.) </xhtml:p> </description>
<Rule id="rule-1031" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Disable Core Dumps for SUID programs</title>
<description xml:lang="en-US">Core dumps for setuid programs should be disabled</description>
<ident system="http://cce.mitre.org">CCE-4247-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1031" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-restrict-execshield" hidden="false">
<title xml:lang="en-US">Enable ExecShield</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> ExecShield comprises a number of kernel features
to provide protection against buffer overflows. These features include
random placement of the stack and other memory regions, prevention of
execution in memory that should only hold data, and special handling of text
buffers. This protection is enabled by default, but the sysctl variables
kernel.exec-shield and kernel.randomize va space should be checked to ensure
that it has not been disabled. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> To check that
ExecShield (including random placement of virtual memory regions) is
currently running, issue the following commands: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl kernel.exec-shield </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># sysctl kernel.randomize_va_space </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The output should indicate that the
setting of kernel.exec-shield is 1 and the setting of kernel.randomize_va_space is 2.
(Use of the -n option causes output to consist of only the
value, which may make automated checking easier.) </xhtml:p> </description>
<Value id="var-1033" operator="equals" type="string">
<title xml:lang="en-US">kernel.randomize_va_space</title>
<description xml:lang="en-US">Enter whether virtual address space should be randomized</description>
<value>2</value>
<value selector="enabled_with_heap">2</value>
<value selector="enabled_without_heap">1</value>
<value selector="disabled">0</value>
</Value>
<Rule id="rule-1032" selected="false" weight="10.000000">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">ExecShield is enabled (runtime)</title>
<description xml:lang="en-US">ExecShield should be enabled</description>
<ident system="http://cce.mitre.org">CCE-4168-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1032" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1033" selected="false" weight="10.000000">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">ExecShield randomized placement of virtual memory regions is enabled (runtime)</title>
<description xml:lang="en-US">ExecShield randomized placement of virtual memory regions
should be enabled</description>
<ident system="http://cce.mitre.org">CCE-4146-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1033" value-id="var-1033"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1033" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="gr-accounts" hidden="false">
<title xml:lang="en-US">Account and Access Control</title>
<description xml:lang="en-US"> In traditional Unix security, if an attacker gains shell
access to a certain login account, he can perform any action or access any file to
which that account has access. Therefore, making it more difficult for unauthorized
people to gain shell access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces mechanisms for
restricting access to accounts..</description>
<Group id="gr-accounts-login" hidden="false">
<title xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title>
<description xml:lang="en-US"> Conventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests these values
for correctness using the /etc/passwd and /etc/shadow files. Password-based
login is vulnerable to guessing of weak passwords, and to sniffing and
man-in-the-middle attacks against passwords entered over a network or at an
insecure console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are operationally
necessary.</description>
<Group id="gr-accounts-login.1" hidden="false">
<title xml:lang="en-US">Restrict Root Logins to System Console</title>
<description xml:lang="en-US"> Edit the file /etc/securetty. Ensure that the
file contains only the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>The primary system console device:
<xhtml:br/>console</xhtml:li>
<xhtml:li>The virtual console devices: <xhtml:br/>tty1 tty2 tty3 tty4
tty5 tty6 ... </xhtml:li>
<xhtml:li>If required by your organization, the deprecated virtual
console interface may be retained for backwards
compatibility:<xhtml:br/>vc/1 vc/2 vc/3 vc/4 vc/5 vc/6
...</xhtml:li>
<xhtml:li>If required by your organization, the serial consoles may be
added:<xhtml:br/> ttyS0 ttyS1</xhtml:li>
</xhtml:ul> Direct root logins should be allowed only for emergency use. In
normal situations, the administrator should access the system via a unique
unprivileged account, and use su or sudo to execute privileged commands.
Discouraging administrators from accessing the root account directly ensures
an audit trail in organizations with multiple administrators. Locking down
the channels through which root can connect directly reduces opportunities
for password-guessing against the root account. The login program uses the
file /etc/securetty to determine which interfaces should allow root logins.
The virtual devices /dev/console and /dev/tty* represent the system consoles
(accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a
default installation). The default securetty file also contains /dev/vc/*.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Root should also be prohibited from connecting via
network protocols. </description>
<Rule id="rule-1034" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Root logins to virtual console are not permited</title>
<description xml:lang="en-US">Root logins through the virtual console devices should be
disabled</description>
<ident system="http://cce.mitre.org">CCE-3485-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1034" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1035" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Root logins to serial ports are not permited</title>
<description xml:lang="en-US">Root logins on serial ports should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-4256-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1035" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-login.2" hidden="false">
<title xml:lang="en-US">Configure su to Restrict the Root Access</title>
<description xml:lang="en-US">
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Ensure that the group wheel exists, and that the usernames of
all administrators who should be allowed to execute commands as root
are members of that group. <xhtml:br/>
<xhtml:br/>
<xhtml:code># grep ^wheel /etc/group</xhtml:code>
</xhtml:li>
<xhtml:li>Edit the file /etc/pam.d/su. Add, uncomment, or correct the
line: <xhtml:br/>
<xhtml:code>auth required pam_wheel.so use_uid</xhtml:code>
</xhtml:li>
</xhtml:ol> The su command allows a user to gain the privileges of another
user by entering the password for that user's account. It is desirable to
restrict the root user so that only known administrators are ever allowed to
access the root account. This restricts password-guessing against the root
account by unauthorized users or by accounts which have been compromised. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By convention, the group wheel contains all users who are
allowed to run privileged commands. The PAM module pam_wheel.so is used to
restrict root access to this set of users.</description>
<Rule id="rule-1036" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The 'wheel' group should exist</title>
<description xml:lang="en-US">Ensure that the group wheel exists</description>
<ident system="http://cce.mitre.org">CCE-14088-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1036" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1037" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Access to the root account via su is restricted to the wheel group</title>
<description xml:lang="en-US">Command access to the root account should be restricted to the
wheel group.</description>
<ident system="http://cce.mitre.org">CCE-15047-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1037" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-login.3" hidden="false">
<title xml:lang="en-US">Configure sudo to Improve Auditing of Root Access</title>
<description xml:lang="en-US">
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Ensure that the group wheel exists, and that the usernames of
all administrators who should be allowed to execute commands as root
are members of that group. <xhtml:br/>
<xhtml:br/>
<xhtml:code># grep ^wheel /etc/group</xhtml:code>
</xhtml:li>
<xhtml:li>Edit the file /etc/sudoers. Add, uncomment, or correct the
line: <xhtml:br/>
<xhtml:br/> %wheel ALL=(ALL) ALL</xhtml:li>
</xhtml:ol>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The sudo command allows fine-grained control over which users
can execute commands using other accounts. The primary benefit of sudo when
configured as above is that it provides an audit trail of every command run
by a privileged user. It is possible for a malicious administrator to
circumvent this restriction, but, if there is an established procedure that
all root commands are run using sudo, then it is easy for an auditor to
detect unusual behavior when this procedure is not followed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Editing /etc/sudoers by hand can be dangerous, since a
configuration error may make it impossible to access the root account
remotely. The recommended means of editing this file is using the visudo
command, which checks the file's syntax for correctness before allowing it
to be saved.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note that sudo allows any attacker who gains access to the
password of an administrator account to run commands as root. This is a
downside which must be weighed against the benefits of increased audit
capability and of being able to heavily restrict the use of the high-value
root password (which can be logistically difficult to change often). As a
basic precaution, never use the NOPASSWD directive, which would allow anyone
with access to an administrator account to execute commands as root without
knowing the administrator's password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The sudo command has many options which can be used to further
customize its behavior. See the sudoers(5) man page for
details.</description>
</Group>
<Group id="gr-accounts-login.4" hidden="false">
<title xml:lang="en-US">Block Shell and Login Access for Non-Root System Accounts</title>
<description xml:lang="en-US"> Using /etc/passwd, obtain a listing of all users,
their UIDs, and their shells, for instance by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Identify the system accounts from this listing. These will
primarily be the accounts with UID numbers less than 500, other than root.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each identified system account SYSACCT , lock the account: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -L SYSACCT <xhtml:br/>
</xhtml:code> and disable its shell: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin SYSACCT <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These are the accounts which are not associated with a human
user of the system, but which exist to perform some administrative function.
Make it more difficult for an attacker to use these accounts by locking
their passwords and by setting their shells to some non-valid shell. The
default non-valid shell is /sbin/nologin, but any command which will
exit with a failure status and disallow execution of any further commands,
such as /bin/false or /dev/null, will work.</description>
<warning xml:lang="en-US" override="false" category="functionality">Do not perform the steps in
this section on the root account. Doing so might cause the system to become
inaccessible.</warning>
<Rule id="rule-1038" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Login Access for Non-Root System Accounts is blocked</title>
<description xml:lang="en-US">Login access to non-root system accounts should be
disabled</description>
<ident system="http://cce.mitre.org">CCE-3987-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1038" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-login.5" hidden="false">
<title xml:lang="en-US">Verify that No Accounts Have Empty Password Fields</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If an account has an empty password,
anybody may log in and run commands with the privileges of that account. Accounts
with empty passwords should never be used in operational environments. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> Run the command: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 == "") {print}' /etc/shadow </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> If this produces any output, fix the problem by locking each
account or by setting a password. </xhtml:p> </description>
<Rule id="rule-1039" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">No Accounts Have Empty Password Fields</title>
<description xml:lang="en-US">Login access to accounts without passwords should be
disabled</description>
<ident system="http://cce.mitre.org">CCE-4238-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1039" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-login.6" hidden="false">
<title xml:lang="en-US">Verify that All Account Password Hashes are Shadowed</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> The hashes for all user account
passwords should be stored in the file /etc/shadow and never in /etc/passwd, which
is readable by all users. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> To ensure that no password hashes are stored
in /etc/passwd, the following command should have no output: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd </xhtml:code>
</description>
<Rule id="rule-1040" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">All Account Password Hashes are Shadowed</title>
<description xml:lang="en-US">Check that passwords are shadowed</description>
<ident system="http://cce.mitre.org">CCE-14300-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1040" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-login.7" hidden="false">
<title xml:lang="en-US">Verify that No Non-Root Accounts Have UID 0</title>
<description xml:lang="en-US"> <xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> In general, the best practice solution for auditing use of the
root account is to restrict the set of cases in which root must be accessed
anonymously by requiring use of su or sudo in almost all cases. Some sites
choose to have more than one account with UID 0 in order to differentiate
between administrators, but this practice may have unexpected side effects,
and is therefore not recommended. </xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> This command will print all password file entries
for accounts with UID 0: </xhtml:p>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd </xhtml:code>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml"> This should print only one line, for the user root. If any other
lines appear, ensure that these additional UID-0 accounts are authorized,
and that there is a good reason for them to exist. </xhtml:p> </description>
<Rule id="rule-1041" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">No Non-Root Accounts Have UID 0</title>
<description xml:lang="en-US">Anonymous root logins should be disabled</description>
<ident system="http://cce.mitre.org">CCE-4009-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1041" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-login.8" hidden="false">
<title xml:lang="en-US">Set Password Expiration Parameters</title>
<description xml:lang="en-US"> Edit the file /etc/login.defs to specify password
expiration settings for new accounts. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS=180</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS=7</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_WARN_AGE=7</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
For each existing human user USER , modify the current expiration settings to match these: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# chage -M 180 -m 7 -W 7 USER<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to change
passwords often should be balanced against the risk that users will reuse or
write down passwords if forced to change them too often. Forcing password
changes every 90-360 days, depending on the environment, is recommended. Set
the appropriate value as PASS_MAX_DAYS and apply it to existing accounts
with the -M flag. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The PASS_MIN_DAYS (-m) setting prevents password changes for 7
days after the first change, to discourage password cycling. If you use this
setting, train users to contact an administrator for an emergency password
change in case a new password becomes compromised. The PASS_WARN_AGE (-W)
setting gives users 7 days of warnings at login time that their passwords
are about to expire.</description>
<Value id="var-1042" operator="equals" type="string">
<title xml:lang="en-US">Minimum password age</title>
<description xml:lang="en-US">Enter minimum duration before allowing a
password change</description>
<value>7</value>
<value selector="0_days">0</value>
<value selector="1_day">1</value>
<value selector="7_days">7</value>
</Value>
<Value id="var-1043" operator="equals" type="string">
<title xml:lang="en-US">Maximum password age</title>
<description xml:lang="en-US">Enter age before which a password must be
changed</description>
<value>180</value>
<value selector="0_days">0</value>
<value selector="30_days">30</value>
<value selector="60_days">60</value>
<value selector="90_days">90</value>
<value selector="120_days">120</value>
<value selector="150_days">150</value>
<value selector="180_days">180</value>
<value selector="99999_days">99999</value>
</Value>
<Value id="var-1044" operator="equals" type="string">
<title xml:lang="en-US">Password warn age</title>
<description xml:lang="en-US"> The number of days warning given before a
password expires. A zero means warning is given only upon the day of
expiration, a negative value means no warning is given. If not
specified, no warning will be provided.</description>
<value>7</value>
<value selector="7_days">7</value>
<value selector="8_days">8</value>
<value selector="14_days">14</value>
</Value>
<Rule id="rule-1042" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Minimum password age</title>
<description xml:lang="en-US">The minimum password age should be set
appropriately</description>
<ident system="http://cce.mitre.org">CCE-4180-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1042" value-id="var-1042"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1042" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1043" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Maximum password age</title>
<description xml:lang="en-US">The maximum password age should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1043"/>
</description>
<ident system="http://cce.mitre.org">CCE-4092-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1043" value-id="var-1043"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1043" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1044" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Password warn age</title>
<description xml:lang="en-US">The password warn age should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1044"/>
</description>
<ident system="http://cce.mitre.org">CCE-4097-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1044" value-id="var-1044"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1044" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-accounts-pam" hidden="false">
<title xml:lang="en-US">Protect Accounts by Configuring PAM</title>
<description xml:lang="en-US"> PAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM is
well-integrated into Linux's authentication architecture, making it difficult to
remove, but it can be configured to minimize your system's exposure to
unnecessary risk. This section contains guidance on how to accomplish that, and
how to ensure that the modules used by your PAM configuration do what they are
supposed to do. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PAM is implemented as a set of shared objects which are loaded and
invoked whenever an application wishes to authenticate a user. Typically, the
application must be running as root in order to take advantage of PAM.
Traditional privileged network listeners (e.g. sshd) or SUID programs (e.g.
sudo) already meet this requirement. An SUID root application, userhelper, is
provided so that programs which are not SUID or privileged themselves can still
take advantage of PAM. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PAM looks in the directory /etc/pam.d for application-specific
configuration information. For instance, if the program login attempts to
authenticate a user, then PAM's libraries follow the instructions in the file
/etc/pam.d/login to determine what actions should be taken. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>One very important file in /etc/pam.d is /etc/pam.d/system-auth. This
file, which is included by many other PAM configuration files, defines 'default'
system authentication measures. Modifying this file is a good way to make
far-reaching authentication changes, for instance when implementing a
centralized authentication service. Another important file is password-auth. It contains just the same
things as system-auth except modules that make sense only for local
services are removed (used for sshd for example)</description>
<warning xml:lang="en-US"> Be careful when making changes to PAM's configuration
files. The syntax for these files is complex, and modifications can have
unexpected consequences. The default configurations shipped with applications
should be sufficient for most users. </warning>
<warning xml:lang="en-US"> Running authconfig or system-config-authentication will
re-write the PAM configuration files, destroying any manually made changes and
replacing them with a series of system defaults. The reference to the
configuration file syntax can be found at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html. </warning>
<Group id="gr-accounts-pam.1" hidden="false">
<title xml:lang="en-US">Set Password Quality Requirements</title>
<description xml:lang="en-US"> The default pam_cracklib PAM module provides
strength checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of at least a
certain length, are not the previous password reversed, and are not simply a
change of case from the previous password. It can also require passwords to
be in certain character classes.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The pam_passwdqc PAM module provides the ability to enforce even
more stringent password strength requirements. It is provided in an RPM of
the same name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The man pages pam_cracklib(8) and pam_passwdqc(8) provide
information on the capabilities and configuration of each. </description>
<Group id="gr-accounts-pam.1.1" hidden="false">
<title xml:lang="en-US">Password Quality Requirements Set By pam_cracklib module</title>
<description xml:lang="en-US"> The default pam_cracklib PAM module provides
strength checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of at least a
certain length, are not the previous password reversed, and are not simply a
change of case from the previous password. It can also require passwords to
be in certain character classes. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
For example to configure pam_cracklib to require at least one uppercase character,
lowercase character, digit, and other (special) character, locate the following line in
/etc/pam.d/system-auth and /etc/pam.d/password-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
password requisite pam_cracklib.so try_first_pass retry=3 <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then alter it to read:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If necessary, modify the arguments to ensure compliance with
your organization’s security policy. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
The man page pam_cracklib(8) provide information on the capabilities and configuration.
</description>
<warning xml:lang="en-US">Note that the password quality requirements are not enforced for the root account for some reason. </warning>
<Value id="var-1045" type="number">
<title xml:lang="en-US">retry</title>
<description xml:lang="en-US">Number of retry attempts before erroring out</description>
<value>3</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="3">3</value>
</Value>
<Value id="var-1046" type="number">
<title xml:lang="en-US">minlen</title>
<description xml:lang="en-US">Minimum number of characters in password</description>
<value>12</value>
<value selector="6">6</value>
<value selector="8">8</value>
<value selector="10">10</value>
<value selector="12">12</value>
<value selector="14">14</value>
<value selector="15">15</value>
</Value>
<Value id="var-1047" type="number">
<title xml:lang="en-US">dcredit</title>
<description xml:lang="en-US">Mininum number of digits in password</description>
<value>-2</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="var-1049" type="number">
<title xml:lang="en-US">ocredit</title>
<description xml:lang="en-US">Mininum number of other (special characters) in password</description>
<value>-2</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="var-1050" type="number">
<title xml:lang="en-US">lcredit</title>
<description xml:lang="en-US">Mininum number of lower case in password</description>
<value>-2</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="var-1048" type="number">
<title xml:lang="en-US">ucredit</title>
<description xml:lang="en-US">Mininum number of upper case in
password</description>
<value>-2</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="var-1051" type="number">
<title xml:lang="en-US">difok</title>
<description xml:lang="en-US">Mininum number of characters not present
in old password</description>
<warning xml:lang="en-US">Keep this high for short passwords</warning>
<value>5</value>
<value selector="2">2</value>
<value selector="3">3</value>
<value selector="4">4</value>
<value selector="5">5</value>
</Value>
<Rule id="rule-1045" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Password retry Requirements</title>
<description xml:lang="en-US">The password retry should meet minimum
requirements</description>
<ident system="http://cce.mitre.org">CCE-15054-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1045" value-id="var-1045"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1045" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1046" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Password minlen Requirements</title>
<description xml:lang="en-US">The password minlen should meet minimum
requirements</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1046" value-id="var-1046"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1046" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1047" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">The password strength parameters should require a minimum number of digits</title>
<description xml:lang="en-US">The password dcredit should meet minimum
requirements</description>
<ident system="http://cce.mitre.org">CCE-14113-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1047" value-id="var-1047"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1047" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1048" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">The password strength parameters should require a minimum number of uppercase characters</title>
<description xml:lang="en-US">The password ucredit should meet minimum
requirements</description>
<ident system="http://cce.mitre.org">CCE-14672-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1048" value-id="var-1048"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1048" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1049" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">The password strength parameters should require a minimum number of special characters</title>
<description xml:lang="en-US">The password strength parameters should require a minimum number of special characters</description>
<ident system="http://cce.mitre.org">CCE-14122-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1049" value-id="var-1049"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1049" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1050" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Set Password lcredit Requirements</title>
<description xml:lang="en-US">The password strength parameters should require a minimum number of lowercase characters</description>
<ident system="http://cce.mitre.org">CCE-14712-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1050" value-id="var-1050"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1050" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1051" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">The password strength parameters should require new passwords to difer from old ones by a minimum number of characters</title>
<description xml:lang="en-US">The password difok should meet minimum
requirements</description>
<ident system="http://cce.mitre.org">CCE-14701-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1051" value-id="var-1051"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1051" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-pam.1.2" hidden="false">
<title xml:lang="en-US">Set Password Quality Requirements, if using pam_passwdqc</title>
<description xml:lang="en-US"> If password strength stronger than that
guaranteed by pam_cracklib is required, configure PAM to use pam_passwdqc.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To activate pam_passwdqc, locate the following line in /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then replace it with the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> password requisite pam_passwdqc.so min=disabled,disabled,16,12,8<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If necessary, modify the arguments
(min=disabled,disabled,16,12,8) to ensure compliance with your
organization’s security policy. Configuration options are described in
the man page pam_passwdqc(8) and also in
/usr/share/doc/pam_passwdqc-version. The minimum lengths provided here
supercede that specified by the argument PASS_MIN_LEN in login.defs.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The options given in the example above set a minimum length
for each of the password “classes” that pam_passwdqc recognizes. Setting
a particular minimum value to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">disabled</xhtml:code>
will stop users from choosing a
password that falls into that category alone. </description>
<!-- The individual values do not have a generic meaning that is likely to make sense outside of pam_passwdqc, so this test only allows verifying
a policy specifically designed for pam_passwdqc. -->
<Value id="var-1052" type="string">
<title xml:lang="en-US">pam_passwdqc min</title>
<description xml:lang="en-US">"min" parameter for pam_passwdqc</description>
<value>disabled,disabled,16,12,8</value>
</Value>
<Rule id="rule-1052" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">The password strength parameters should be configured using pam_passwdqc</title>
<description xml:lang="en-US">pam_passwdqc "min" should be configured as described by the policy</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1052" value-id="var-1052"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1052" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-accounts-pam.2" hidden="false">
<title xml:lang="en-US">Set Lockouts for Failed Password Attempts</title>
<description xml:lang="en-US"> The pam_tally2 PAM module provides the capability
to lock out user accounts after a number of failed login attempts. Its
documentation is available in the man page pam_tally2(8). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If locking out accounts after a number of incorrect login
attempts is required by your security policy, implement use of pam_tally2.so
for the relevant PAM-aware programs such as login, sshd, and vsftpd. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Find the following line in /etc/pam.d/system-auth: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth sufficient pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then change it so that it reads as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth required pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In the same file, comment out or delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth requisite pam_succeed_if.so uid >= 500 quiet <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
auth required pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
After changing /etc/pam.d/system-auth as described above, perform the same set of changes in /etc/pam.d/password-auth as well.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To enforce password lockout, add the following to the individual
programs' configuration files in /etc/pam.d. First, add to end of the auth
lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth required pam_tally2.so deny=5 onerr=fail <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Second, add to the end of the account lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> account required pam_tally2.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Adjust the deny argument to conform to your system security
policy. The pam_tally2 utility can be used to unlock user accounts as
follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /sbin/pam_tally2 --user username --reset <xhtml:br/>
</xhtml:code>
</description>
<warning xml:lang="en-US"> Locking out user accounts presents the risk of a
denial-of-service attack. The security policy regarding system lockout must
weigh whether the risk of such a denial-of-service attack outweighs the
benefits of thwarting password guessing attacks. The pam_tally2 utility can
be run from a cron job on a hourly or daily basis to try and offset this
risk. </warning>
<!-- Not tested, this needs to be tested in files specific for each service, and coordinated editing of several PAM configuration items is required. -->
</Group>
<Group id="gr-accounts-pam.3" hidden="false">
<title xml:lang="en-US">Use pam_deny.so to Quickly Deny Access to a Service</title>
<description xml:lang="en-US"> In order to deny access to a service SVCNAME via
PAM, edit the file /etc/pam.d/SVCNAME . Prepend this line to the beginning
of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> auth requisite pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Under most circumstances, there are better ways to disable a
service than to deny access via PAM. However, this should suffice as a way
to quickly make a service unavailable to future users (existing sessions
which have already been authenticated, are not affected). The requisite tag
tells PAM that, if the named module returns failure, authentication should
fail, and PAM should immediately stop processing the configuration file. The
pam_deny.so module always returns failure regardless of its
input.</description>
</Group>
<Group id="gr-accounts-pam.4" hidden="false">
<title xml:lang="en-US">Ensure the Password Hashing Algorithm is SHA-512</title>
<description xml:lang="en-US"> The default algorithm for storing password hashes
in /etc/shadow is SHA-512, but a weaker algorithm could have been configured.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In order to configure the system to use the SHA-512 algorithm,
issue the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/authconfig --passalgo=sha512 --update<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When users changes their passwords, hashes for the new passwords
will be generated using the SHA-512 algorithm.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> </description>
<Value id="var-1053" operator="equals" type="string">
<title xml:lang="en-US">Password hashing algorithm</title>
<description xml:lang="en-US">Enter /etc/shadow password hashing
algorithm</description>
<value>sha512</value>
<value selector="MD5">md5</value>
<value selector="SHA-256">sha256</value>
<value selector="SHA-512">sha512</value>
</Value>
<Rule id="rule-1053" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Password hashing algorithm</title>
<description xml:lang="en-US">The password hashing algorithm should be set to
<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1053"/></description>
<ident system="http://cce.mitre.org">CCE-14063-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1053" value-id="var-1053"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1053" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-pam.5" hidden="false">
<title xml:lang="en-US">Limit Password Reuse</title>
<description xml:lang="en-US"> Do not allow users to reuse recent passwords.
This can be accomplished by using the remember option for the pam_unix PAM
module. In order to prevent a user from re-using any of his or her last 5
passwords, locate the <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> password requisite pam_cracklib.so ... </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> or <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password requisite pam_passwdqc.so ... </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>line in /etc/pam.d/system-auth,
and add the following line immediately below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> password requisite pam_pwhistory.so use_authtok remember=5 </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Old (and thus no longer valid) passwords are stored in the file
/etc/security/opasswd. </description>
<Value id="var-1054" operator="equals" type="number">
<title xml:lang="en-US">remember</title>
<description xml:lang="en-US"> The last n passwords for each user are saved
in /etc/security/opasswd in order to force password change history and
keep the user from alternating between the same password too frequently. </description>
<value>5</value>
<value selector="0">0</value>
<value selector="5">5</value>
<value selector="10">10</value>
</Value>
<Rule id="rule-1054" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Limit password reuse</title>
<description xml:lang="en-US">The passwords to remember should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1054"/>
</description>
<ident system="http://cce.mitre.org">CCE-14939-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1054" value-id="var-1054"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1054" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-accounts-config" hidden="false">
<title xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title>
<description xml:lang="en-US"> When a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of these files
are located in the user's home directory, and may have weak permissions as a
result of user error or misconfiguration. If an attacker can modify or even read
certain types of account configuration information, he can often gain full
access to the affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts, particularly
those of privileged users such as root or system administrators.</description>
<Group id="gr-accounts-config.1" hidden="false">
<title xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title>
<description xml:lang="en-US"> The active path of the root account can be
obtained by starting a new root shell and running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># echo $PATH </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>This will produce a colon-separated list of directories in the
path. For each directory DIR in the path, ensure that DIR is not equal to a
single . character. Also ensure that there are no 'empty' elements in the
path, such as in these examples: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=:/bin</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=/bin:</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=/bin::/sbin</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These empty elements have the same effect as a single .
character. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each element in the path, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld DIR <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and ensure that write permissions are disabled for group and
other. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is important to prevent root from executing unknown or
untrusted programs, since such programs could contain malicious code.
Therefore, root should not run programs installed by unprivileged users.
Since root may often be working inside untrusted directories, the .
character, which represents the current directory, should never be in the
root path, nor should any directory which can be written to by an
unprivileged or semi-privileged (system) user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It is a good practice for administrators to always execute
privileged commands by typing the full path to the command.</description>
<Rule id="rule-1055" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">No Dangerous Directories Exist in Root's PATH variable</title>
<description xml:lang="en-US">The PATH variable should be set correctly for user
root</description>
<ident system="http://cce.mitre.org">CCE-3301-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1055" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1056" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The PATH variable for root does not include any world-writable or group-writable directories</title>
<description xml:lang="en-US">Check each directory in root's path and make use it does not
grant write permission to group and other</description>
<ident system="http://cce.mitre.org">CCE-14957-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1056" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-config.2" hidden="false">
<title xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
<description xml:lang="en-US"> For each human user USER of the system, view the
permissions of the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ensure that the directory is not group-writable and that it is
not world-readable. If necessary, repair the permissions:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod g-w /home/USER</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod o-rwx /home/USER</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> User home directories contain many configuration files which
affect the behavior of a user's account. No user should ever have write
permission to another user's home directory. Group shared directories can be
configured in subdirectories or elsewhere in the filesystem if they are
needed. Typically, user home directories should not be world-readable. If a
subset of users need read access to one another's home directories, this can
be provided using groups.</description>
<warning xml:lang="en-US">This section recommends modifying user home
directories. Notify your user community, and solicit input if appropriate,
before making this type of change. </warning>
<Rule id="rule-1057" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">User Home Directories are not Group-Writable or World-Readable</title>
<description xml:lang="en-US">File permissions should be set correctly for the home
directories for all user accounts.</description>
<ident system="http://cce.mitre.org">CCE-4090-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1057" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-config.3" hidden="false">
<title xml:lang="en-US">Ensure that User Dot-Files are not World-writable</title>
<description xml:lang="en-US"> For each human user USER of the system, view the
permissions of all dot-files in the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER/.[A-Za-z0-9]* <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ensure that none of these files are group- or world-writable.
Correct each misconfigured file FILE by executing: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod go-w /home/USER/FILE <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A user who can modify another user's configuration files can
likely execute commands with the other user's privileges, including stealing
data, destroying files, or launching further attacks on the
system.</description>
<warning xml:lang="en-US">This section recommends modifying user home
directories. Notify your user community, and solicit input if appropriate,
before making this type of change. </warning>
<Rule id="rule-1058" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">User Home Directories are not Group-Writable or World-Readable</title>
<description xml:lang="en-US">File permissions should be set correctly for the home
directories for all user accounts.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1058" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-config.4" hidden="false">
<title xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title>
<description xml:lang="en-US">
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Edit the global configuration files /etc/profile, /etc/bashrc,
and /etc/csh.cshrc. Add or correct the line: <xhtml:br/>
<xhtml:br/> umask 077</xhtml:li>
<xhtml:li>Edit the user definitions file /etc/login.defs. Add or correct
the line:<xhtml:br/>
<xhtml:br/> UMASK 077 </xhtml:li>
<xhtml:li>View the additional configuration files /etc/csh.login and
/etc/profile.d/*, and ensure that none of these files redefine the
umask to a more permissive value unless there is a good reason for
it.</xhtml:li>
<xhtml:li>Edit the root shell configuration files /root/.bashrc,
/root/.bash profile, /root/.cshrc, and /root/.tcshrc. Add or correct
the line: <xhtml:br/>
<xhtml:br/> umask 077 </xhtml:li>
</xhtml:ol> With a default umask setting of 077, files and directories
created by users will not be readable by any other user on the system. Users
who wish to make specific files group- or world-readable can accomplish this
using the chmod command. Additionally, users can make all their files
readable to their group by default by setting a umask of 027 in their shell
configuration files. If default per-user groups exist (that is, if every
user has a default group whose name is the same as that user's username and
whose only member is the user), then it may even be safe for users to select
a umask of 007, making it very easy to intentionally share files with group
s of which the user is a member. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In addition, it may be necessary to change root's umask
temporarily in order to install software or files which must be readable by
other users, or to change the default umasks of certain service accounts
such as the FTP user. However, setting a restrictive default protects the
files of users who have not taken steps to make their files more available,
and preventing files from being inadvertently shared.</description>
<warning xml:lang="en-US">This sections recommends modifying user home
directories. Notify your user community, and solicit input if appropriate,
before making this type of change. </warning>
<Value id="var-1059" operator="equals" type="string">
<title xml:lang="en-US">Default user umask</title>
<description xml:lang="en-US">Enter default user umask</description>
<value>022</value>
<value selector="002">002</value>
<value selector="007">007</value>
<value selector="022">022</value>
<value selector="027">027</value>
<value selector="077">077</value>
</Value>
<Value id="var-1061" operator="equals" type="string">
<title xml:lang="en-US">umask for shadow-utils</title>
<description xml:lang="en-US">Enter default user umask</description>
<value>077</value>
<value selector="007">007</value>
<value selector="022">022</value>
<value selector="027">027</value>
<value selector="077">077</value>
</Value>
<Rule id="rule-1059" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The default umask for all users is set correctly in /etc/bashrc</title>
<description xml:lang="en-US">The default umask for all users for the bash shell should be
set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
</description>
<ident system="http://cce.mitre.org">CCE-3844-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1059" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1060" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The default umask for all users is set correctly in /etc/csh.cshrc</title>
<description xml:lang="en-US">The default umask for all users for the csh shell should be set
to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
</description>
<ident system="http://cce.mitre.org">CCE-4227-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1060" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1061" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The default umask for all users is set correctly in /etc/login.defs</title>
<description xml:lang="en-US">The default umask for all users should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1061"/>
</description>
<ident system="http://cce.mitre.org">CCE-14107-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1061" value-id="var-1061"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1061" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1062" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The default umask for all users is set correctly in /etc/profile</title>
<description xml:lang="en-US">The default umask for all users should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1059"/>
</description>
<ident system="http://cce.mitre.org">CCE-14847-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1059" value-id="var-1059"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1062" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-config.5" hidden="false">
<title xml:lang="en-US">Ensure that Users do not Have .netrc Files</title>
<description xml:lang="en-US"> For each human user USER of the system, ensure
that the user has no .netrc file. The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -l /home/USER/.netrc <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> should return the error 'No such file or directory'. If any user
has such a file, approach that user to discuss removing this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The .netrc file is a configuration file used to make unattended
logins to other systems via FTP. When this file exists, it frequently
contains unencrypted passwords which may be used to attack other
systems.</description>
<warning xml:lang="en-US">This section recommends modifying user home
directories. Notify your user community, and solicit input if appropriate,
before making this type of change. </warning>
<Rule id="rule-1063" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">No ~/.netrc files exist</title>
<description xml:lang="en-US">No user's home directory should contain a .netrc file</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1063" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-accounts-physical" hidden="false">
<title xml:lang="en-US">Protect Physical Console Access</title>
<description xml:lang="en-US"> It is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the system is
located should be considered a necessary step. However, there are some steps
which, if taken, make it more difficult for an attacker to quickly or
undetectably modify a system from its console.</description>
<Group id="gr-accounts-physical.1" hidden="false">
<title xml:lang="en-US">Set BIOS Password</title>
<description xml:lang="en-US"> The BIOS (on x86 systems) is the first code to
execute during system startup and controls many important system parameters,
including which devices the system will try to boot from, and in which
order. Assign a password to prevent any unauthorized changes to the BIOS
configuration. The exact steps will vary depending on your machine, but are
likely to include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Reboot the machine.</xhtml:li>
<xhtml:li>Press the appropriate key during the initial boot screen (F2
is typical)</xhtml:li>
<xhtml:li>Navigate the BIOS configuration menu to add a
password.</xhtml:li>
</xhtml:ol> The exact process will be system-specific and the system's
hardware manual may provide detailed instructions. This password should
prevent attackers with physical access from attempting to change important
parameters.
However, an attacker with physical access can usually clear the BIOS
password. The password should be written down and stored in a
physically-secure location, such as a safe, in the event that it is
forgotten and must be retrieved.</description>
</Group>
<Group id="gr-accounts-physical.2" hidden="false">
<title xml:lang="en-US">Boot Loader Password</title>
<description xml:lang="en-US"> During the boot process, the boot loader is
responsible for starting the execution of the kernel and passing options to
it. The boot loader allows for the selection of different kernels – possibly
on different partitions or media. Options it can pass to the kernel include
'single-user mode,' which provides root access without any authentication,
and the ability to disable SELinux. To prevent local users from modifying
the boot parameters and endangering security, the boot loader configuration
should be protected with a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default RHEL boot loader for x86 systems is called GRUB. To
protect its configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Select a password and then generate a hash from it by running: <xhtml:br/>
<xhtml:br/>
<xhtml:code># grub-crypt --sha-512 </xhtml:code>
</xhtml:li>
<xhtml:li>Insert the following line into /boot/grub/grub.conf immediately
after the header comments. (Use the output from grub-crypt as
the value of password-hash ): <xhtml:br/>
<xhtml:br/>
<xhtml:code>password --encrypted password-hash </xhtml:code>
</xhtml:li>
<xhtml:li>Verify the permissions on /boot/grub/grub.conf (which is a symlink
to ../boot/grub/grub.conf): <xhtml:br/>
<xhtml:br/>
<xhtml:code> # chown root:root /boot/grub/grub.conf</xhtml:code><xhtml:br/>
<xhtml:code> # chmod 600 /boot/grub/grub.conf</xhtml:code>
</xhtml:li>
</xhtml:ol> Boot loaders for other platforms should offer a similar password
protection feature.</description>
<Value id="var-1064" operator="equals" type="string">
<title xml:lang="en-US">User that owns /boot/grub/grub.conf</title>
<description xml:lang="en-US">Choose user that should own
/boot/grub/grub.conf</description>
<value>0</value>
<value selector="root">0</value>
</Value>
<Value id="var-1065" operator="equals" type="string">
<title xml:lang="en-US">Group that owns /boot/grub/grub.conf</title>
<description xml:lang="en-US">Choose group that should own
/boot/grub/grub.conf</description>
<value>0</value>
<value selector="root">0</value>
</Value>
<Rule id="rule-1064" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Boot Loader user owner</title>
<description xml:lang="en-US">Boot Loader configuration file should be owned by root.</description>
<ident system="http://cce.mitre.org">CCE-4144-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1064" value-id="var-1064"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1064" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1065" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Boot Loader group owner</title>
<description xml:lang="en-US">Boot Loader configuration file should be owned by group
root.</description>
<ident system="http://cce.mitre.org">CCE-4197-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1065" value-id="var-1065"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1065" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1066" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Permissions on boot loader</title>
<description xml:lang="en-US">Boot Loader configuration file permissions should be set
correctly.</description>
<ident system="http://cce.mitre.org">CCE-3923-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1066" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1067" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Enable Boot Loader Password</title>
<description xml:lang="en-US">The grub boot loader should have sha-512 password protection
enabled</description>
<ident system="http://cce.mitre.org">CCE-3818-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1067" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-physical.3" hidden="false">
<title xml:lang="en-US">Require Authentication for Single-User Mode</title>
<description xml:lang="en-US"> Single-user mode is intended as a system recovery
method, providing a single user root access to the system by providing a
boot option at startup. By default, no authentication is performed if
single-user mode is selected. This provides a trivial mechanism of bypassing
security on the machine and gaining root access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To require entry of the root password even if the system is
started in single-user mode, change the SINGLE value in /etc/sysconfig/init as follows:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SINGLE=/sbin/sulogin</xhtml:code></description>
<Rule id="rule-1068" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Require Authentication for Single-User Mode</title>
<description xml:lang="en-US">A password should be required to boot into single-user mode.</description>
<ident system="http://cce.mitre.org">CCE-4241-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1068" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-physical.4" hidden="false">
<title xml:lang="en-US">Disable Interactive Boot</title>
<description xml:lang="en-US"> Edit the file /etc/sysconfig/init. Add or correct
the setting:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> PROMPT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The PROMPT option allows the console user
to perform an interactive system startup, in which it is possible to select
the set of services which are started on boot. Using interactive boot, the
console user could disable auditing, firewalls, or other services, weakening
system security.</description>
<Rule id="rule-1069" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Disable Interactive Boot</title>
<description xml:lang="en-US">The ability for users to perform interactive startups should be
disabled.</description>
<ident system="http://cce.mitre.org">CCE-4245-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1069" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-physical.5" hidden="false">
<title xml:lang="en-US">Implement Inactivity Time-out for Login Shells</title>
<description xml:lang="en-US"> If the system does not run X Windows, then the
login shells can be configured to automatically log users out after a period
of inactivity. The following instructions are not practical for systems
which run X Windows, as they will close terminal windows in the X
environment. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To implement a 15-minute idle time-out for the default /bin/bash
shell, create a new file tmout.sh in the directory /etc/profile.d with the
following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TMOUT=900 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> readonly TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> export TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To implement a 15-minute idle time-out for the tcsh shell,
create a new file autologout.csh in the directory /etc/profile.d with the
following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> set -r autologout=15 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Similar actions should be taken for any other login shells used. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The example time-out here of 15 minutes should be adjusted to
whatever your security policy requires. The readonly line for bash and the
-r option for tcsh can be omitted if policy allows users to override the
value. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The automatic shell logout only occurs when the shell is the
foreground process. If, for example, a vi session is left idle, then
automatic logout would not occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When logging in through a remote connection, as with SSH, it may
be more effective to set the timeout value directly through that service.</description>
<Value id="var-1070" operator="equals" type="number">
<title xml:lang="en-US">Inactivity timeout</title>
<description xml:lang="en-US">Choose allowed duration of inactive SSH
connections, shells, and X sessions</description>
<value>15</value>
<value selector="0_minutes">0</value>
<value selector="10_minutes">10</value>
<value selector="15_minutes">15</value>
</Value>
<Rule id="rule-1070" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Enforce an inactivity timeout for Bourne shells</title>
<description xml:lang="en-US">Bourne shells should be closed after <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1070"/> minutes of inactivity.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1070" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1071" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Enforce an inactivity timeout for C shells</title>
<description xml:lang="en-US">C shells should be closed after <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1070"/> minutes of inactivity.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1071" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-physical.6" hidden="false">
<title xml:lang="en-US">Configure Screen Locking</title>
<description xml:lang="en-US"> When a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby from
abusing the account. User education and training is particularly important
for screen locking to be effective. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A policy should be implemented that trains all users to lock the
screen when they plan to temporarily step away from a logged-in account.
Automatic screen locking is only meant as a safeguard for those cases where
a user forgot to lock the screen.</description>
<Group id="gr-accounts-physical.6.1" hidden="false">
<title xml:lang="en-US">Configure GUI Screen Locking</title>
<description xml:lang="en-US"> In the default GNOME desktop, the screen can
be locked by choosing Lock Screen from the System menu. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The gconftool-2 program can be used to enforce mandatory
screen locking settings for the default GNOME environment. Run the
following commands to enforce idle activation of the screen saver,
screen locking, a blank-screen screensaver, and 15-minute idle
activation time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# gconftool-2 --direct
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
--type bool
--set /apps/gnome-screensaver/idle_activation_enabled true
</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# gconftool-2 --direct
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
--type bool
--set /apps/gnome-screensaver/lock_enabled true
</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# gconftool-2 --direct
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
--type string
--set /apps/gnome-screensaver/mode blank-only
</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# gconftool-2 --direct
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
--type int
--set /desktop/gnome/session/idle_delay 15
</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default setting of 15 minutes for idle activation is
reasonable for many office environments, but the setting should conform
to whatever policy is defined. The screensaver mode blank-only is
selected to conceal the contents of the display from passersby. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only meant
as a backup. The Lock Screen icon from the System menu can also be
dragged to the taskbar in order to facilitate even more convenient
screen-locking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The root account cannot be screen-locked, but this should
have no practical effect as the root account should never be used to log
into an X Windows environment, and should only be used to for direct
login via console in emergency circumstances. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For more information about configuring GNOME screensaver,
see http://live.gnome.org/GnomeScreensaver. For more information about
enforcing preferences in the GNOME environment using the GConf
configuration system, see http://www.gnome.org/projects/gconf and the
man page gconftool-2(1).</description>
<Rule id="rule-1072" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Implement Inactivity Time-out for GNOME</title>
<description xml:lang="en-US">The idle time-out value for GNOME
desktop lockout should be 15 minutes</description>
<ident system="http://cce.mitre.org">CCE-3315-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1070" value-id="var-1070"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1072" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1073" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The gnome desktop screensaver should be enabled.</title>
<description xml:lang="en-US">Idle activation of the screen saver should be
enabled</description>
<ident system="http://cce.mitre.org">CCE-14604-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1073" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1074" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Lock the screensaver with a password</title>
<description xml:lang="en-US">The screensaver should ask for a password</description>
<ident system="http://cce.mitre.org">CCE-14023-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1074" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1075" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Implement blank screen saver</title>
<description xml:lang="en-US">The screen saver should be blank</description>
<ident system="http://cce.mitre.org">CCE-14735-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1075" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-physical.6.2" hidden="false">
<title xml:lang="en-US">Configure Console Screen Locking</title>
<description xml:lang="en-US"> A console screen locking mechanism is
provided in the vlock package, which is not installed by default. If the
ability to lock console screens is necessary, install the vlock package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vlock <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Instruct users to invoke the program when necessary, in
order to prevent passersby from abusing their login: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ vlock <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The -a option can be used to prevent switching to other
virtual consoles.</description>
<Rule id="rule-1076" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure console screen locking</title>
<description xml:lang="en-US">The vlock package should be installed</description>
<ident system="http://cce.mitre.org">CCE-3910-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1076" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-accounts-physical.7" hidden="false">
<title xml:lang="en-US">Disable Unnecessary Ports</title>
<description xml:lang="en-US"> Though unusual, some systems may be managed only
remotely and yet also exposed to risk from attackers with direct physical
access to them. In these cases, reduce an attacker’s access to the system by
disabling unnecessary external ports (e.g. USB, FireWire, NIC) in the
system’s BIOS.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Disable ports on the system which are not necessary for normal
system operation. The exact steps will vary depending on your machine, but
are likely to include: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Reboot the machine.</xhtml:li>
<xhtml:li>Press the appropriate key during the initial boot screen (F2
is typical). </xhtml:li>
<xhtml:li>Navigate the BIOS conguration menu to disable ports, such as
USB, FireWire, and NIC.</xhtml:li>
</xhtml:ol>
</description>
<warning xml:lang="en-US">Disabling USB ports is particularly unusual and will
cause problems for important input devices such as keyboards or mice
attached to the system.</warning>
</Group>
</Group>
<Group id="gr-accounts-centralized" hidden="false">
<title xml:lang="en-US">Use a Centralized Authentication Service</title>
<description xml:lang="en-US"> A centralized authentication service is any method of
maintaining central control over account and authentication data and of keeping
this data synchronized between machines. Such services can range in complexity
from a script which pushes centrally-generated password files out to all
machines, to a managed scheme such as LDAP or Kerberos. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If authentication information is not centrally managed, it quickly
becomes inconsistent, leading to out-of-date credentials and forgotten accounts
which should have been deleted. In addition, many older protocols (such as NFS)
make use of the UID to identify users over a network. This is not a good
practice, and these protocols should be avoided if possible. However, since most
sites must still make use of some older protocols, having consistent UIDs and
GIDs site-wide is a significant benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Centralized authentication services do have the disadvantage that
authentication information must be transmitted over a network, leading to a risk
that credentials may be intercepted or manipulated. Therefore, these services
must be deployed carefully. The following precautions should be taken when
configuring any authentication service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Ensure that authentication information and any sensitive account
information are never sent over the network unencrypted.</xhtml:li>
<xhtml:li>Ensure that the root account has a local password, to allow
recovery in case of network outage or authentication server
failure.</xhtml:li>
</xhtml:ul> This guide recommends the use of LDAP. Kerberos is also
a good choice for a centralized authentication service, but a description of its
configuration is beyond the scope of this guide. The NIS service is not
recommended, and should be considered obsolete. </description>
</Group>
<Group id="gr-accounts-banners" hidden="false">
<title xml:lang="en-US">Warning Banners for System Accesses</title>
<description xml:lang="en-US"> Each system should expose as little information about
itself as possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> System banners, which are typically displayed just before a login
prompt, give out information about the service or the host's operating system.
This might include the distribution name and the system kernel version, and the
particular version of a network service. This information can assist intruders
in gaining access to the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to limit what
information is displayed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Many organizations implement security policies that require a system
banner provide notice of the system's ownership, provide warning to unauthorized
users, and remind authorized users of their consent to monitoring.</description>
<Value id="var-1077" operator="equals" type="string">
<title xml:lang="en-US">login banner verbiage</title>
<description xml:lang="en-US">Enter an appropriate login banner for your
organization</description>
<value/>
</Value>
<Group id="gr-accounts-banners.1" hidden="false">
<title xml:lang="en-US">Modify the System Login Banner</title>
<description xml:lang="en-US"> The contents of the file /etc/issue are displayed
on the screen just above the login prompt for users logging directly into a
terminal. Remote login programs such as SSH or FTP can be configured to
display /etc/issue as well.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, the system will display the version of the OS, the
kernel version, and the host name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/issue. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.</description>
<Rule id="rule-1077" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Modify the System Login Banner</title>
<description xml:lang="en-US">The system login banner text should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1077"/>
</description>
<ident system="http://cce.mitre.org">CCE-4060-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1077" value-id="var-1077"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1077" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-accounts-banners.2" hidden="false">
<title xml:lang="en-US">Implement a GUI Warning Banner</title>
<description xml:lang="en-US"> In the default graphical environment, users
logging directly into the system are greeted with a login screen provided by
the GNOME display manager. The warning banner should be displayed in this
graphical environment for these users.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Configure the banner using the following commands:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# gconftool-2 --direct
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
--type bool
--set /apps/gdm/simple-greeter/banner_message_enable true
</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# gconftool-2 --direct
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
--type string
--set /apps/gdm/simple-greeter/banner_message_text 'YOUR_TEXT'
</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<Rule id="rule-1078" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Implement a GUI Warning Banner</title>
<description xml:lang="en-US">The direct gnome login warning banner text should be set
appropriately</description>
<ident system="http://cce.mitre.org">CCE-4188-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1077" value-id="var-1077"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1078" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="gr-selinux" hidden="false">
<title xml:lang="en-US">SELinux</title>
<description xml:lang="en-US"> SELinux is a feature of the Linux kernel which can be
used to guard against misconfigured or compromised programs. SELinux enforces the
idea that programs should be limited in what files they can access and what actions
they can take. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default SELinux policy, as configured on RHEL6,
should be usable on almost any RHEL
machine with minimal configuration and a small amount of system administrator
training. This policy prevents system services — including most of the common
network-visible services such as mail servers, ftp servers, and DNS servers — from
accessing files which those services have no valid reason to access. This action
alone prevents a huge amount of possible damage from network attacks against
services, from trojaned software, and so forth. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide recommends that SELinux be enabled using the default
(targeted) policy on every RHEL system, unless that system has requirements which
make a stronger policy appropriate.</description>
<Group id="gr-selinux-intro" hidden="false">
<title xml:lang="en-US">How SELinux Works</title>
<description xml:lang="en-US"> In the traditional Linux/Unix security model, known
as Discretionary Access Control (DAC), processes run under a user and group
identity, and enjoy that user and group's access rights to all files and other
objects on the system. This system brings with it a number of security problems,
most notably: that processes frequently do not need and should not have the full
rights of the user who ran them; that user and group access rights are not very
granular, and may require administrators to allow too much access in order to
allow the access that is needed; that the Unix filesystem contains many
resources (such as temporary directories and world-readable files) which are
accessible to users who have no legitimate reason to access them; and that
legitimate users can easily provide open access to their own resources through
confusion or carelessness. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> SELinux provides a Mandatory Access Control (MAC) system that
greatly augments the DAC model. Under SELinux, every process and every object
(e.g. file, socket, pipe) on the system is given a security context, a label
which include detailed type information about the object. The kernel allows
processes to access objects only if that access is explicitly allowed by the
policy in effect. The policy defines transitions, so that a user can be allowed
to run software, but the software can run under a different context than the
user's default. This automatically limits the damage that the software can do to
files accessible by the calling user — the user does not need to take any action
to gain this benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For an action to occur, both the traditional DAC permissions must be
satisifed as well as SELinux's MAC rules. If either do not permit the action,
then it will not be allowed. In this way, SELinux rules can only make a system's
permissions more restrictive and secure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> SELinux requires a complex policy in order to allow all the actions
required of a system under normal operation. Three such policies have been
designed for use with RHEL6, and are included with the system. In increasing
order of power and complexity, they are: targeted, strict (which is newly not provided
as an individual package but is part of targeted policy package. The process
of making strict policy is described later) and mls. The targeted
SELinux policy consists mostly of Type Enforcement (TE) rules, and a small
number of Role-Based Access Control (RBAC) rules. It restricts the actions of
many types of programs, but leaves interactive users largely unaffected. The
strict policy also uses TE and RBAC rules, but on more programs and more
aggressively. The mls policy implements Multi-Level Security (MLS), which
introduces even more kinds of labels — sensitivity and category — and rules that
govern access based on these. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The remainder of this section provides guidance for the
configuration of the targeted policy and the administration of systems under
this policy. Some pointers will be provided for readers who are interested in
further strengthening their systems by using one of the stricter policies
provided with RHEL6 or in writing their own policy.</description>
</Group>
<Group id="gr-selinux-enable" hidden="false">
<title xml:lang="en-US">Enable SELinux</title>
<description xml:lang="en-US"> The SELinux is enabled by default on RHEL6. The file /etc/selinux/config should contain
the following lines for targeted policy: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUX=enforcing </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=targeted </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit the file /boot/grub/grub.conf. Ensure that the following arguments DO
NOT appear on any kernel command line in the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">selinux=0 </xhtml:code> or
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">enforcing=0 </xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The directive SELINUX=enforcing enables SELinux at boot time. If
SELinux is causing a lot of problems or preventing the system from booting, it
is possible to boot into the warning-only mode SELINUX=permissive for debugging
purposes. Make certain to change the mode back to enforcing after debugging, set
the filesystems to be relabeled for consistency using the command touch
/.autorelabel, and reboot. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, the RHEL6 default SELinux configuration should be
sufficiently reasonable that most systems will boot without serious problems.
Some applications that require deep or unusual system privileges, may not be compatible with SELinux in its default
configuration. However, this should be uncommon, and SELinux's application
support continues to improve. In other cases, SELinux may reveal unusual or
insecure program behavior by design. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The directive SELINUXTYPE=targeted configures SELinux to use the
default targeted policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The SELinux boot mode specified in /etc/selinux/config can be
overridden by command-line arguments passed to the kernel. It is necessary to
check grub.conf to ensure that this has not been done and to protect the
bootloader against unauthorized configuration change.</description>
<Value id="var-1080" operator="equals" type="string">
<title xml:lang="en-US">SELinux state</title>
<description xml:lang="en-US"> enforcing - SELinux security policy is enforced.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> permissive - SELinux prints warnings instead of
enforcing.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> disabled - SELinux is fully disabled. </description>
<value>enforcing</value>
<value selector="enforcing">enforcing</value>
<value selector="permissive">permissive</value>
<value selector="disabled">disabled</value>
</Value>
<Value id="var-1081" operator="equals" type="string">
<title xml:lang="en-US">SELinux policy</title>
<description xml:lang="en-US"> Type of policy in use. Possible values
are:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> targeted - Only targeted network daemons are
protected.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> strict - Full SELinux protection.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> mls -
Multi-level security</description>
<value>targeted</value>
<value selector="targeted">targeted</value>
<value selector="strict">strict</value>
<value selector="mls">mls</value>
</Value>
<Group id="gr-selinux-enable.1" hidden="false">
<title xml:lang="en-US">Ensure SELinux is Properly Enabled</title>
<description xml:lang="en-US"> Run the command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ /usr/sbin/sestatus<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If the system is properly configured, the output should indicate:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>SELinux status: enabled</xhtml:li>
<xhtml:li>Current mode: enforcing</xhtml:li>
<xhtml:li>Mode from config file: enforcing</xhtml:li>
<xhtml:li>Policy from config file: targeted</xhtml:li>
</xhtml:ul>
</description>
</Group>
<Rule id="rule-1079" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">SELinux should NOT be disabled in /boot/grub/grub.conf.</title>
<description xml:lang="en-US">SELinux should NOT be disabled in /boot/grub/grub.conf. Check that
selinux=0 is not found</description>
<ident system="http://cce.mitre.org">CCE-3977-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1079" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1080" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Proper SELinux state</title>
<description xml:lang="en-US">The SELinux state should be set appropriately</description>
<ident system="http://cce.mitre.org">CCE-3999-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1080" value-id="var-1080"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1080" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1081" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Proper SELinux policy</title>
<description xml:lang="en-US">The SELinux policy should be set appropriately.</description>
<ident system="http://cce.mitre.org">CCE-3624-4</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1081" value-id="var-1081"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1081" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-selinux-daemons" hidden="false">
<title xml:lang="en-US">Disable Unnecessary SELinux Daemons</title>
<description xml:lang="en-US"> Several daemons are installed by default as part of
the RHEL6 SELinux support mechanism. These daemons may improve the system's
ability to enforce SELinux policy in a useful fashion, but may also represent
unnecessary code running on the machine, increasing system risk. If these
daemons are available in your RHEL6 installation and are not needed on your system,
they should be disabled.</description>
<Group id="gr-selinux-daemons.1" hidden="false">
<title xml:lang="en-US">Remove SETroubleshoot if Possible</title>
<description xml:lang="en-US"> Is there a mission-critical reason to allow users
to view SELinux denial information using the sealert GUI? If not,
remove the setroubleshoot packages:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ yum remove setroubleshoot-\*<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The setroubleshoot,
which is newly D-Bus system service, is a facility for notifying the
desktop user of SELinux denials in a user-friendly fashion. SELinux errors
may provide important information about intrusion attempts in progress, or
may give information about SELinux configuration problems which are
preventing correct system operation. In order to maintain a secure and
usable SELinux installation, error logging and notification is necessary.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However,
setroubleshoot is a service which has complex
functionality, which runs a daemon and uses D-Bus to distribute information
which may be sensitive, or even to allow users to modify SELinux settings.
This guide recommends removing setroubleshoot and using the kernel audit functionality
to monitor SELinux's behavior.</description>
<Rule id="rule-1082" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Remove SETroubleshoot</title>
<description xml:lang="en-US">The setroubleshoot-server package should not be installed.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1082" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-selinux-daemons.2" hidden="false">
<title xml:lang="en-US">Disable MCS Translation Service (mcstrans) if Possible</title>
<description xml:lang="en-US"> Unless there is some overriding need for the
convenience of category label translation, disable the MCS translation
service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mcstrans off <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The mcstransd daemon provides the category label translation
information defined in /etc/selinux/targeted/setrans.conf to client
processes which request this information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Category labelling is unlikely to be used except in sites with
special requirements. Therefore, it should be disabled in order to reduce
the amount of potentially vulnerable code running on the system.</description>
<Rule id="rule-1083" selected="false" weight="10.000000" severity="low">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Disable MCS Translation Service (mcstrans) if Possible</title>
<description xml:lang="en-US">The mcstrans service should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-3668-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1083" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-selinux-daemons.3" hidden="false">
<title xml:lang="en-US">Restorecon Service (restorecond)</title>
<description xml:lang="en-US"> The restorecond daemon monitors a list of files
which are frequently created or modified on running systems, and whose
SELinux contexts are not set correctly. It looks for creation events related
to files listed either in /etc/selinux/restorecond.conf or restorecond_user.conf ,
and sets the contexts ofthose files when they are discovered.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The restorecond program is fairly simple, so it brings low risk,
but, in its default configuration, does not add much value to a system. An
automated program such as restorecond may be used to monitor problematic
files for context problems, or system administrators may be trained to check
file contexts of newly-created files using the command ls -lZ, and to repair
contexts manually using the restorecon command. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide makes no recommendation either for or against the use
of restorecond.</description>
</Group>
</Group>
<Group id="gr-selinux-unconfined" hidden="false">
<title xml:lang="en-US">Check for Unconfined Daemons</title>
<description xml:lang="en-US"> Daemons that SELinux policy does not know about will
inherit the context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the initrc_t context.
This is a problem because it may cause AVC denials, or it could allow privileges
that the daemon does not require. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To check for unconfined daemons, run the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It should produce no output in a well-configured
system.</description>
</Group>
<Group id="gr-selinux-unlabeled" hidden="false">
<title xml:lang="en-US">Check for Unlabeled Device Files</title>
<description xml:lang="en-US"> Device files are used for communication with important
system resources. SELinux contexts should exist for these. If a device file is
not labeled, then misconfiguration is likely.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To check for unlabeled device files, run the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z /dev | grep unlabeled_t<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> It should produce no output in a well-configured
system.</description>
</Group>
<Group id="gr-selinux-debugging" hidden="false">
<title xml:lang="en-US">Debugging SELinux Policy Errors</title>
<description xml:lang="en-US"> SELinux's default policies have improved
significantly over time, and most systems should have few problems using the
targeted SELinux policy. However, policy problems may still occasionally prevent
accesses which should be allowed. This is especially true if your site runs any
custom or heavily modified applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section gives some brief guidance on discovering and repairing
SELinux-related access problems. Guidance given here is necessarily draft, but
should provide a starting point for debugging. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you suspect that a permission error or other failure may be
caused by SELinux (and are certain that misconfiguration of the traditional Unix
permissions are not the cause of the problem), search the audit logs for AVC
events: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch -m AVC,USER_AVC -sv no <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The output of this command will be a set of events. The timestamp,
along with the comm and pid fields, should indicate which line describes the
problem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Look up the context under which the process is running. Assuming the
process ID is PID , find the context by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -p PID -Z <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The AVC denial message should identify the offending file or
directory. The name field should contain the filename (not the full pathname by
default), and the ino field can be used to search by inode, if necessary.
Assuming the file is FILE , find its SELinux context: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z FILE <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> An administrator should suspect an SELinux misconfiguration whenever
a program gets a 'permission denied' error but the standard Unix permissions
appear to be correct, or a program fails mysteriously on a task which seems to
involve file access or network communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> As described earlier, SELinux augments each process with a
context providing detailed type information about that process. The contexts
under which processes run may be referred to as subject contexts. Similarly,
each filesystem object is given a context. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The targeted policy consists of a set of rules, each of which allows
a subject type to perform some operation on a given object type. The kernel
stores information about these access decisions in an structure known as an
Access Vector Cache (AVC), so authorization decisions made by the system are
audited with the type AVC. It is also possible for userspace modules to
implement their own policies based on SELinux, and these decisions are audited
with the type USER_AVC. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> AVC denials are logged by the kernel audit facility (see Section
2.6.2 for configuration guidance on this subsystem) and may also be visible via
setroubleshoot. This guide recommends the use of the audit userspace utilities
to find AVC errors. It is possible to manually locate these errors by looking in
the file /var/log/audit/audit.log or in /var/log/messages (depending on the
syslog configuration in effect), but the ausearch tool allows finegrained
searching on audit event types, which may be necessary if system call auditing
is enabled as well. The command line above tells ausearch to look for kernel or
userspace AVC messages (-m AVC,USER AVC) where the access attempt did not
succeed (-sv no). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If an AVC denial occurs when it should not have, the problem is
generally one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>The program is running with the wrong subject context. This could
happen as a result of an incorrect context on the program's executable
file, which could happen if 3rd party software is installed and not
given appropriate SELinux file contexts. </xhtml:li>
<xhtml:li>The file has the wrong object context because the current file's
context does not match the specification. This can occur when files are
created or modified in certain ways. It is not atypical for
configuration files to get the wrong contexts after a system
configuration change performed by an administrator. To repair the file,
use the command: <xhtml:br/>
<xhtml:br/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
# restorecon -v FILE
</xhtml:code>
<xhtml:br/>This should produce output indicating that the file's
context has been changed. The /usr/bin/chcon program can be used to
manually change a file's context, but this is problematic because the
change will not persist if it does not agree with the policy-defined
contexts applied by restorecon.</xhtml:li>
<xhtml:li>The file has the wrong object context because the specification is
either incorrect or does not match the way the file is being used on
this system. In this case, it will be necessary to change the system
file contexts. <xhtml:br/>
<xhtml:br/> Run the system-config-selinux tool, and go to the 'File
Labeling' menu. This will give a list of files and wildcards
corresponding to file labelling rules on the system. Add a rule which
maps the file in question to the desired context. As an alternative,
file contexts can be modified from the command line using the
semanage(8) tool.</xhtml:li>
<xhtml:li>The program and file have the correct contexts, but the policy
should allow some operation between those two contexts which is
currently not allowed. In this case, it will be necessary to modify the
SELinux policy. <xhtml:br/>
<xhtml:br/> Run the system-config-selinux tool, and go to the 'Boolean'
menu. If your configuration is supported, but is not the Red Hat
default, then there will be a boolean allowing real-time modification of
the SELinux policy to fix the problem. Browse through the items in this
menu, looking for one which is related to the service which is not
working. As an alternative, SELinux booleans can be modified from the
command line using the getsebool(8) and setsebool(8) tools. <xhtml:br/>
<xhtml:br/> If there is no boolean, it will be necessary to create and
load a policy module. A simple way to build a policy module is to use
the audit2allow tool. This tool can take input in the format of AVC
denial messages, and generate syntactically correct Type Enforcement
rules which would be sufficient to prevent those denials. For example,
to generate and display rules which would allow all kernel denials seen
in the past fitfteen minutes, run: <xhtml:br/>
<xhtml:br/>
<xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow
<xhtml:br/>
</xhtml:code>
<xhtml:br/> It is possible to use audit2allow to directly create a
module package suitable for loading into the kernel policy. To do this,
invoke audit2allow with the -M flag: <xhtml:br/>
<xhtml:br/>
<xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow -M
localmodule <xhtml:br/>
</xhtml:code>
<xhtml:br/> If this is successful, several lines of output should
appear. Review the generated TE rules in the file localmodule .te and
ensure that they express what you wish to allow. <xhtml:br/>
<xhtml:br/> The file localmodule .pp should also have been created. This
file is a policy module package that can be loaded into the kernel. To
do so, use system-config-selinux, go to the 'Policy Module' menu and use
the 'Add' button to enable your module package in SELinux, or load it
from the command line using semodule(8): <xhtml:br/>
<xhtml:br/>
<xhtml:code># semodule -i localmodule .pp <xhtml:br/>
</xhtml:code>
<xhtml:br/>In RHEL5, if you created a local policy, you needed to
switch to permissive mode globally to better debugging sometimes.
This is no longer needed in RHEL6. The permissive domains was
implemented which means only a domain can become permissive. <xhtml:br/>
<xhtml:br/>
<xhtml:code>semanage -a permissive DOMAIN<xhtml:br/>
</xhtml:code>
<xhtml:br/> Section 45.2 of [9] covers this procedure in
detail.</xhtml:li>
</xhtml:ul>
</description>
</Group>
<Group id="gr-selinux-strengthening" hidden="false">
<title xml:lang="en-US">Further Strengthening</title>
<description xml:lang="en-US"> The recommendations up to this point have discussed
how to configure and maintain a system under the default configuration of the
targeted policy, which constrains only the actions of daemons and system
software. This guide strongly recommends that any site which is not currently
using SELinux at all transition to the targeted policy, to gain the substantial
security benefits provided by that policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, the default policy provides only a subset of the full
security gains available from using SELinux. In particular, the SELinux policy
is also capable of constraining the actions of interactive users, of providing
compartmented access by sensitivity level (MLS) and/or category (MCS), and of
restricting certain types of system actions using booleans beyond the RHEL6
defaults. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section introduces other uses of SELinux which may be possible,
and provides links to some outside resources about their use. Detailed
description of how to implement these steps is beyond the scope of this
guide.</description>
<Group id="gr-selinux-strengthening.1" hidden="false">
<title xml:lang="en-US">Strengthen the Default SELinux Boolean Configuration</title>
<description xml:lang="en-US"> SELinux booleans are used to enable or disable
segments of policy to comply with site policy. Booleans may apply to the
entire system or to an individual daemon. For instance, the boolean allow
execstack, if enabled, allows programs to make part of their stack memory
region executable. The boolean ftp home dir allows ftpd processes to
access user home directories,
and applies only to daemons which implement FTP. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ getsebool -a
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ semanage boolean -l <xhtml:br/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> lists the values of all SELinux booleans on the system. Section
2.4.5 discussed loosening boolean values in order to debug functionality
problems which occur under more restrictive defaults. It is also useful to
examine and strengthen the boolean settings, to disable functionality which
is not required by legitimate programs on your system, but which might be
symptomatic of an attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> See the manpages booleans(8),
getsebool(8), setsebool(8) and semanage(8) for
general information about booleans. There are also manual pages for several
subsystems which discuss the use of SELinux with those systems. Examples
include ftpd selinux(8), httpd selinux(8), and nfs_selinux(8). Another good
reference is the html documentation distributed with the selinux-policy RPM.
This documentation is stored under <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> /usr/share/doc/selinux-policy-version/html/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The pages global tunables.html and global booleans.html may be
useful when examining booleans.</description>
</Group>
<Group id="gr-selinux-strengthening.2" hidden="false">
<title xml:lang="en-US">Use a Stronger Policy</title>
<description xml:lang="en-US"> Using a stronger policy can greatly enhance
security, but will generally require customization to be compatible with the
particular system's purpose, and this may be costly or time consuming. Under
the targeted policy, interactive processes are given the type unconfined t,
so interactive users are not constrained by SELinux even if they attempt to
take strange or malicious actions.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Previously, in RHEL5, we had strict policy
which could be installed using selinux-policy-strict package. In RHEL6, we combine
strict and targeted policy together. There exist two SELinux policy modules -
unconfined.pp and unconfineduser.pp policy modules. These two modules are optional,
and removing it gives you the equivalent of strict policy.
Firstly, you can just remove unconfined.pp policy module. You will be closer to strict
policy but this leaves only user domains unconfined, along with some domains
that do not make sense to confine (anaconda, firstboot, kernel,rpm) and also
unconfined_t user will be exist.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semodule -d unconfined</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Then you can disable all unconfined domains by disabling unconfineduser
module which is equal strict policy. In this case, you need to setup all
your users as confined users, before removing the unconfineduser module
using semanage tool
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -m -s staff_u root</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -m -s staff_u __default__</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage user -d unconfined_u</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage user -m -R "staff_r system_r sysadm_r" staff_u</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semodule -d unconfineduser</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Note: One of the RHEL6 features are Confined Users. This means,
unconfined.pp and unconfineduser.pp policy modules can be used
and an user can be confined even so. All this magic lie in adding login
mappings between linux users and SELinux confined users.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -a -s user_u -r s0-s0:c0.c1023 USERNAME1</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage login -a -s staff_u -r s0-s0:c0.c1023 USERNAME2</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>The mls policy type can be used to enforce sensitivity or category labelling,
and requires site-specific configuration of these labels in order to be useful.
To use this policy, install the appropriate policy module:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-mls</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Then edit /etc/selinux/config and correct the line:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
SELINUXTYPE=mls</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Configure the system to boot into run level 3 by default:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
sed -i "s/^id:5:initdefault:/id:3:initdefault:/g" /etc/inittab
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Note: Switching between policies typically requires the entire disk to be
relabelled, so that files get the appropriate SELinux contexts under
the new policy. Add autorelabel flag
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">touch /.autorelabel; reboot</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
and boot with the additional grub command-line options
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
enforcing=0</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
to relabel the disk, then reboot normally.
</description>
</Group>
</Group>
<Group id="gr-selinux-references" hidden="false">
<title xml:lang="en-US">SELinux References</title>
<description xml:lang="en-US">
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>NSA SELinux resources:<xhtml:br/>
<xhtml:ul>
<xhtml:li>Web page: http://www.nsa.gov/selinux/</xhtml:li>
<xhtml:li>Mailing list: selinux@tycho.nsa.gov <xhtml:br/> List
information at:
http://www.nsa.gov/selinux/info/list.cfm</xhtml:li>
</xhtml:ul>
</xhtml:li>
<xhtml:li>Fedora SELinux resources:<xhtml:br/>
<xhtml:ul>
<xhtml:li>FAQ: http://docs.fedoraproject.org/selinux-faq/</xhtml:li>
<xhtml:li>Wiki: http://fedoraproject.org/wiki/SELinux/</xhtml:li>
<xhtml:li>Mailing list: fedora-selinux-list@redhat.com <xhtml:br/>
List information at:
https://www.redhat.com/mailman/listinfo/fedora-selinux-list</xhtml:li>
</xhtml:ul>
</xhtml:li>
<xhtml:li>Chapters 43–45 of Red Hat Enterprise Linux 5: Deployment Guide
[9]</xhtml:li>
<xhtml:li>The book SELinux by Example: Using Security Enhanced Linux
[13]</xhtml:li>
</xhtml:ul>
</description>
</Group>
</Group>
<Group id="gr-networking" hidden="false">
<title xml:lang="en-US">Network Configuration and Firewalls</title>
<description xml:lang="en-US"> Most machines must be connected to a network of some
sort, and this brings with it the substantial risk of network attack. This section
discusses the security impact of decisions about networking which must be made when
configuring a system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section also discusses firewalls, network access controls, and
other network security frameworks, which allow system-level rules to be written that
can limit attackers' ability to connect to your system. These rules can specify that
network traffic should be allowed or denied from certain IP addresses, hosts, and
networks. The rules can also specify which of the system's network services are
available to particular hosts or networks.</description>
<Group id="gr-networking-sysctl" hidden="false">
<title xml:lang="en-US">Kernel Parameters which Affect Networking</title>
<description xml:lang="en-US"> The sysctl utility is used to set a number of
parameters which affect the operation of the Linux kernel. Several of these
parameters are specific to networking, and the configuration options in this
section are recommended.</description>
<Group id="gr-networking-sysctl.1" hidden="false">
<title xml:lang="en-US">Network Parameters for Hosts Only</title>
<description xml:lang="en-US"> Is this system going to be used as a firewall or
gateway to pass IP traffic between different networks? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If not,
edit the file /etc/sysctl.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.ip forward = 0</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.send_redirects = 0</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.conf.default.send_redirects = 0</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These settings disable hosts from performing network
functionality which is only appropriate for routers.</description>
<Rule id="rule-1084" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Default setting for sending ICMP redirects is configured to be disabled (runtime)</title>
<description xml:lang="en-US">The default setting for sending ICMP redirects should be
disabled for network interfaces.</description>
<ident system="http://cce.mitre.org">CCE-4151-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1084" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1085" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Sending ICMP redirects for all interfaces is configured to be disabled</title>
<description xml:lang="en-US">Sending ICMP redirects should be disabled for all
interfaces.</description>
<ident system="http://cce.mitre.org">CCE-4155-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1085" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1086" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">IP forwarding is configured to be disabled</title>
<description xml:lang="en-US">IP forwarding should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-3561-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1086" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking-sysctl.2" hidden="false">
<title xml:lang="en-US">Network Parameters for Hosts and Routers</title>
<description xml:lang="en-US"> Edit the file /etc/sysctl.conf and add or correct
the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.all.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.conf.all.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.conf.all.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.conf.all.log_martians = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.conf.default.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.conf.default.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.conf.default.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.conf.default.log_martians = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.icmp_echo_ignore_broadcasts = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.icmp_ignore_bogus_error_responses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv4.tcp_syncookies = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.all.rp_filter = 1
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv4.conf.default.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These options improve Linux's ability to defend against certain
types of IPv4 protocol attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept source route, accept redirects, and secure redirects
options are turned off to disable IPv4 protocol features which are
considered to have few legitimate uses and to be easy to abuse. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The net.ipv4.conf.all.log martians option logs several types of
suspicious packets, such as spoofed packets, source-routed packets, and
redirects. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The icmp echo ignore broadcasts icmp ignore bogus error messages
options protect against ICMP attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The tcp syncookies option uses a cryptographic feature called
SYN cookies to allow machines to continue to accept legitimate connections
when faced with a SYN flood attack. See [12] for further information on this
option. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rp filter option enables RFC-recommended source validation.
It should not be used on machines which are routers for very complicated
networks, but is helpful for end hosts and routers serving small networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For more information on any of these, see the kernel source
documentation file /Documentation/networking/ip-sysctl.txt.</description>
<Value id="var-1087" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.conf.*.accept_source_route</title>
<description xml:lang="en-US">Accept source routing?</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="var-1088" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.conf.*.accept_redirects</title>
<description xml:lang="en-US">Accept ICMP Redirects?</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="var-1089" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.conf.*.secure_redirects</title>
<description xml:lang="en-US">Accept redirects from gateways known in routing table?</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="var-1090" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.conf.*.log_martians</title>
<description xml:lang="en-US">Log Spoofed Packets, Source Routed Packets, Redirect Packets?</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="var-1095" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.icmp_echo_ignore_broadcast</title>
<description xml:lang="en-US">Ignore all ICMP ECHO and TIMESTAMP requests
sent to it via broadcast/multicast</description>
<value>1</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="var-1096" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.icmp_ignore_bogus_error_messages</title>
<description xml:lang="en-US">Enable to prevent certain types of
attacks</description>
<value>1</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="var-1097" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.tcp_syncookie</title>
<description xml:lang="en-US">Enable to turn on TCP SYN Cookie
Protection</description>
<value>1</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="var-1098" operator="equals" type="string">
<title xml:lang="en-US">net.ipv4.conf.*.rp_filter</title>
<description xml:lang="en-US">Enable to enforce sanity checking, also called
ingress filtering or egress filtering. The point is to drop a packet if
the source and destination IP addresses in the IP header do not make
sense when considered in light of the physical interface on which it
arrived. </description>
<value>1</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Rule id="rule-1087" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Accepting source routed packets for all interfaces is configured (runtime)</title>
<description xml:lang="en-US">Accepting source routed packets should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1087"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4236-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1087" value-id="var-1087"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1087" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1088" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Accepting ICMP redirects for all interfaces is configured (runtime)</title>
<description xml:lang="en-US">Accepting ICMP redirects should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1088"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4217-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1088" value-id="var-1088"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1088" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1089" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Accepting "secure" ICMP redirects for all interfaces is configured (runtime)</title>
<description xml:lang="en-US">Accepting "secure" ICMP redirects (those from gateways listed
in the default gateways list) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1089"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-3472-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1089" value-id="var-1089"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1089" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1090" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Logging of "martian" packets for all interfaces is configured (runtime)</title>
<description xml:lang="en-US">Logging of "martian" packets (those with impossible addresses)
should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1090"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4320-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1090" value-id="var-1090"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1090" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1091" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Default accepting of source routed packets is configured (runtime)</title>
<description xml:lang="en-US">The default setting for accepting source routed packets should
be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1087"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4091-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1087" value-id="var-1087"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1091" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1092" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Default accepting ICMP redirects is configured (runtime)</title>
<description xml:lang="en-US">The default setting for accepting ICMP redirects should be:
<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1088"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4186-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1088" value-id="var-1088"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1092" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1093" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Default accepting of "secure" ICMP redirects is configured (runtime)</title>
<description xml:lang="en-US">The default setting for accepting "secure" ICMP redirects
(those from gateways listed in the default gateways list) should be:
<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1089"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-3339-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1089" value-id="var-1089"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1093" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1094" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Default logging of "martian" packets for all interfaces is configured (runtime)</title>
<description xml:lang="en-US">Logging of "martian" packets (those with impossible addresses)
should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1090"/> for all interfaces as
appropriate.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1090" value-id="var-1090"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1094" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1095" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Ignoring ICMP echo requests is configured (runtime)</title>
<description xml:lang="en-US">Ignoring ICMP echo requests (pings) sent to broadcast /
multicast addresses should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1095"/>
for all interfaces as appropriate.</description>
<ident system="http://cce.mitre.org">CCE-3644-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1095" value-id="var-1095"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1095" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1096" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Ignoring bogus ICMP responses is configured (runtime)</title>
<description xml:lang="en-US">Ignoring bogus ICMP responses to broadcasts should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1096"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4133-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1096" value-id="var-1096"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1096" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1097" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Sending TCP syncookies is configured (runtime)</title>
<description xml:lang="en-US">Sending TCP syncookies should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1097"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4265-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1097" value-id="var-1097"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1097" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1098" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Performing source validation by reverse path is configured (runtime)</title>
<description xml:lang="en-US">Performing source validation by reverse path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1098"/> for all interfaces as
appropriate.</description>
<ident system="http://cce.mitre.org">CCE-4080-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1098" value-id="var-1098"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1098" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1099" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The default setting for performing source validation by reverse path is configured (runtime)</title>
<description xml:lang="en-US">The default setting for performing source validation by reverse
path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1098"/> for all
interfaces as appropriate.</description>
<ident system="http://cce.mitre.org">CCE-3840-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1098" value-id="var-1098"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1099" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-networking-wifi" hidden="false">
<title xml:lang="en-US">Wireless Networking</title>
<description xml:lang="en-US"><xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">Wireless networking (sometimes referred to as 802.11
or Wi-Fi) presents a serious security risk to sensitive or classified systems
and networks. Wireless networking hardware is much more likely to be included in
laptop or portable systems than desktops or servers. Bluetooth serves a different purpose
and possesses a much shorter range, but it still presents serious security
risks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Removal of hardware is the only way to absolutely ensure that the
wireless capability remains disabled. If it is completely impractical to remove
the wireless hardware, and site policy still allows the device to enter
sensitive spaces, every effort to disable the capability via software should be
made. In general, acquisition policy should include provisions to prevent the
purchase of equipment that will be used in sensitive spaces and includes
wireless capabilities.</xhtml:p>
<xhtml:p xmlns:xhtml="http://www.w3.org/1999/xhtml">
If it is impossible to remove the wireless
hardware from the device in question, disable as much of it as possible
through software. Note that software methods do not prevent malicious
software or careless system administrators from re-activating the devices with absolute certainty.
</xhtml:p></description>
<Group id="gr-networking-wifi.1" hidden="false">
<title xml:lang="en-US">Remove Wireless Hardware if Possible</title>
<description xml:lang="en-US"> Identifying the wireless hardware is the first
step in removing it. The system's hardware manual should contain information
on its wireless capabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Wireless hardware included with a laptop typically takes the
form of a mini-PCI card or PC card. Other forms include devices which plug
into USB or Ethernet ports, but these should be readily apparent and easy to
remove from the base system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A PC Card (originally called a PCMCIA card) is designed to be
easy to remove, though it may be hidden when inserted into the system.
Frequently, there will be one or more buttons near the card slot that, when
pressed, eject the card from the system. If no card is ejected, the slot is
empty. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A mini-PCI card is approximately credit-card sized and typically
accessible via a removable panel on the underside of the laptop. Removing
the panel may require simple tools. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In addition to manually inspecting the hardware, it is also
possible to query the system for its installed hardware devices. The
commands /sbin/lspci and /sbin/lsusb will show a list of all recognized
devices on their respective buses, and this may indicate the presence of a
wireless device.</description>
</Group>
<Group id="gr-networking-wifi.2" hidden="false">
<title xml:lang="en-US">Disable Wireless in BIOS</title>
<description xml:lang="en-US"> Some laptops that include built-in wireless
support offer the ability to disable the device through the BIOS. This
is system-specific; consult your hardware manual or explore the BIOS
setup during boot.</description>
</Group>
<Group id="gr-networking-wifi.3" hidden="false">
<title xml:lang="en-US">Deactivate Wireless Interfaces</title>
<description xml:lang="en-US"> Deactivating the wireless interfaces should
prevent normal usage of the wireless capability. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> First, identify the interfaces available with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ip link ls <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Additionally,the following command may also be used to
determine whether wireless support ('extensions') is included for a
particular interface, though this may not always be a clear indicator: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iwconfig <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> After identifying any wireless interfaces (which may have
names like wlan0, ath0, wifi0, or eth0), deactivate the interface with
the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ip link set interface down <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These changes will only last until the next reboot. To
disable the interface for future boots, locate its configuration file /etc/sysconfig/network-scripts/ifcfg-interface and add or replace configuration directives to match the following:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ONBOOT=no</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">USERCTL=no</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">NM_CONTROLLED=no</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<Rule id="rule-1100" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Deactivate Wireless Interfaces</title>
<description xml:lang="en-US">All wireless interfaces should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-4276-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1100" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-networking-ipv6" hidden="false">
<title xml:lang="en-US">IPv6</title>
<description xml:lang="en-US"> The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its enormous
increase in the number of available addresses. Another important feature is its
support for automatic configuration of many network settings.</description>
<Group id="gr-networking-ipv6.1" hidden="false">
<title xml:lang="en-US">Disable Support for IPv6 unless Needed</title>
<description xml:lang="en-US"> Because the IPv6 networking code is relatively
new and complex, it is particularly important that it be disabled unless
needed. Despite configuration that suggests support for IPv6 has been
disabled, link-local IPv6 address autoconfiguration occurs even when only an
IPv4 address is assigned. The only way to effectively prevent execution of
the IPv6 networking stack is to prevent the kernel from loading the IPv6
kernel module.</description>
<Group id="gr-networking-ipv6.1.1" hidden="false">
<title xml:lang="en-US">Disable Automatic Loading of IPv6 Kernel Module</title>
<description xml:lang="en-US"> To prevent the IPv6 kernel module (ipv6) from
being loaded, create /etc/modprobe.d/ipv6.conf with the following content: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> install ipv6 /bin/true <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When the kernel requests the ipv6 module, this line will
direct the system to run the program /bin/true instead.</description>
<Rule id="rule-1101" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Disable Automatic Loading of IPv6 Kernel Module</title>
<description xml:lang="en-US">Automatic loading of the IPv6 kernel module should be
disabled.</description>
<ident system="http://cce.mitre.org">CCE-3562-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1101" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking-ipv6.1.2" hidden="false">
<title xml:lang="en-US">Disable Interface Usage of IPv6</title>
<description xml:lang="en-US"> To prevent configuration of IPv6 for all
interfaces, add or correct the following line in
/etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6INIT=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For each network interface IFACE , add or correct the
following lines in /etc/sysconfig/network-scripts/ifcfg-IFACE as an
additional prevention mechanism:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6INIT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If it becomes necessary later to configure IPv6, only the
interfaces requiring it should be enabled.</description>
</Group>
</Group>
<Group id="gr-networking-ipv6.2" hidden="false">
<title xml:lang="en-US">Configure IPv6 Settings if Necessary</title>
<description xml:lang="en-US"> A major feature of IPv6 is the extent to which
systems implementing it can automatically configure their networking devices
using information from the network. From a security perspective, manually
configuring important configuration information is always preferable to
accepting it from the network in an unauthenticated fashion.</description>
<Group id="gr-networking-ipv6.2.1" hidden="false">
<title xml:lang="en-US">Disable Automatic Configuration</title>
<description xml:lang="en-US"> Disable the system's acceptance of router
advertisements and redirects by adding or correcting the following line
in /etc/sysconfig/network (note that this does not disable sending
router solicitations): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_AUTOCONF=no</description>
<Value id="var-1102" operator="equals" type="string">
<title xml:lang="en-US">IPV6_AUTOCONF</title>
<description xml:lang="en-US">Default setting for IPv6 autoconfiguration</description>
<value>no</value>
<value selector="enabled">yes</value>
<value selector="disabled">no</value>
</Value>
<Rule id="rule-1102" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure IPv6 autoconfiguration</title>
<description xml:lang="en-US">The default setting for IPv6 autoconfiguration should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1102"/>.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1102" value-id="var-1102"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1102" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking-ipv6.2.2" hidden="false">
<title xml:lang="en-US">Manually Assign Global IPv6 Address</title>
<description xml:lang="en-US"> To manually assign an IP address for an
interface IFACE, edit the file /etc/sysconfig/network-scripts/
ifcfg-IFACE. Add or correct the following line (substituting the correct
IPv6 address): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6ADDR=2001:0DB8::ABCD/64 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Manually assigning an IP address is preferable to accepting
one from routers or from the network otherwise. The example address here
is an IPv6 address reserved for documentation purposes, as defined by
RFC3849.</description>
</Group>
<Group id="gr-networking-ipv6.2.3" hidden="false">
<title xml:lang="en-US">Use Privacy Extensions for Address if Necessary</title>
<description xml:lang="en-US"> To introduce randomness into the automatic
generation of IPv6 addresses, add or correct the following line in
/etc/sysconfig/network-scripts/ifcfg-IFACE: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_PRIVACY=rfc3041<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Automatically-generated IPv6 addresses are based on the
underlying hardware (e.g. Ethernet) address, and so it becomes possible
to track a piece of hardware over its lifetime using its traffic. If it
is important for a system's IP address to not trivially reveal its
hardware address, this setting should be applied.</description>
</Group>
<Group id="gr-networking-ipv6.2.4" hidden="false">
<title xml:lang="en-US">Manually Assign IPv6 Router Address</title>
<description xml:lang="en-US"> Edit the file
/etc/sysconfig/network-scripts/ifcfg-IFACE , and add or correct the
following line (substituting your gateway IP as appropriate):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> IPV6_DEFAULTGW=2001:0DB8::0001 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Router addresses should be manually set and not accepted via
any autoconfiguration or router advertisement.</description>
</Group>
<Group id="gr-networking-ipv6.2.5" hidden="false">
<title xml:lang="en-US">Limit Network-Transmitted Configuration</title>
<description xml:lang="en-US"> Add the following lines to /etc/sysctl.conf
to limit the configuration information requested from other systems, and
accepted from the network:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> net.ipv6.conf.default.router_solicitations = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv6.conf.default.accept_ra_rtr_pref = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv6.conf.default.accept_ra_pinfo = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv6.conf.default.accept_ra_defrtr = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv6.conf.default.autoconf = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv6.conf.default.dad_transmits = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
net.ipv6.conf.default.max_addresses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The router solicitations setting determines how many router
solicitations are sent when bringing up the interface. If addresses are
statically assigned, there is no need to send any solicitations. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_ra_pinfo setting controls whether the system will
accept prefix info from the router. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The accept_ra_defrtr setting controls whether the system
will accept Hop Limit settings from a router advertisement. Setting it
to 0 prevents a router from changing your default IPv6 Hop Limit for
outgoing packets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The autoconf setting controls whether router advertisements
can cause the system to assign a global unicast address to an interface. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The dad_transmits setting determines how many neighbor
solicitations to send out per address (global and link-local) when
bringing up an interface to ensure the desired address is unique on the
network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The max_addresses setting determines how many global unicast
IPv6 addresses can be assigned to each interface. The default is 16, but
it should be set to exactly the number of statically configured global
addresses required.</description>
<Value id="var-1103" operator="equals" type="number">
<title xml:lang="en-US">net.ipv6.conf.default.router_solicitations</title>
<description xml:lang="en-US">Number of router solicitations to send</description>
<value>0</value>
<value selector="0">0</value>
<value selector="3">3</value>
</Value>
<Value id="var-1104" operator="equals" type="number">
<title xml:lang="en-US">net.ipv6.conf.default.accept_ra_rtr_pref</title>
<description xml:lang="en-US">Whether to accept router preference from router advertisements</description>
<value>0</value>
<value selector="no">0</value>
<value selector="yes">1</value>
</Value>
<Value id="var-1105" operator="equals" type="number">
<title xml:lang="en-US">net.ipv6.conf.default.accept_ra_pinfo</title>
<description xml:lang="en-US">Whether to accept prefix information from router advertisements</description>
<value>0</value>
<value selector="no">0</value>
<value selector="yes">1</value>
</Value>
<Value id="var-1106" operator="equals" type="number">
<title xml:lang="en-US">net.ipv6.conf.default.accept_ra_defrtr</title>
<description xml:lang="en-US">Whether to accept default router information from router advertisements</description>
<value>0</value>
<value selector="no">0</value>
<value selector="yes">1</value>
</Value>
<Value id="var-1107" operator="equals" type="number">
<title xml:lang="en-US">net.ipv6.conf.default.autoconf</title>
<description xml:lang="en-US">Whether to autoconfigure addresses from router advertisements</description>
<value>0</value>
<value selector="no">0</value>
<value selector="yes">1</value>
</Value>
<Value id="var-1108" operator="equals" type="number">
<title xml:lang="en-US">net.ipv6.conf.default.dad_transmits</title>
<description xml:lang="en-US">Number of duplicate address detection probes to send</description>
<value>0</value>
<value selector="0">0</value>
<value selector="1">1</value>
</Value>
<Value id="var-1109" operator="equals" type="number">
<title xml:lang="en-US">net.ipv6.conf.default.max_addresses</title>
<description xml:lang="en-US">Maximum number of autoconfigured addresses</description>
<value>1</value>
<value selector="1">1</value>
<value selector="16">16</value>
</Value>
<Rule id="rule-1103" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure number of sent router solicitations</title>
<description xml:lang="en-US">The default number of sent router solicitations should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1103"/> for
all interfaces.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1103" value-id="var-1103"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1103" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1104" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure whether to accept router preference</title>
<description xml:lang="en-US">Router preference should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1104"/></description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1104" value-id="var-1104"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1104" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1105" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure whether to accept path information</title>
<description xml:lang="en-US">Path information should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1105"/></description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1105" value-id="var-1105"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1105" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1106" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure whether to accept default router information</title>
<description xml:lang="en-US">Default router information should be accepted by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1106"/></description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1106" value-id="var-1106"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1106" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1107" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure whether to autoconfigure addresses</title>
<description xml:lang="en-US">Addresses should be autoconfigured by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1107"/></description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1107" value-id="var-1107"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1107" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1108" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure number of duplicate address detection probes</title>
<description xml:lang="en-US">Number of duplicate address detection probes should be by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1108"/></description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1108" value-id="var-1108"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1108" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1109" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Configure maximum number of autoconfigured addresses</title>
<description xml:lang="en-US">Maximum number of autoconfigured addresses be by default: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1109"/></description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1109" value-id="var-1109"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1109" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="gr-networking-libwrap" hidden="false">
<title xml:lang="en-US">TCP Wrapper</title>
<description xml:lang="en-US"> TCP Wrapper is a library which provides simple access
control and standardized logging for supported applications which accept
connections over a network. Historically, TCP Wrapper was used to support inetd
services. Now that inetd is deprecated, TCP Wrapper supports
only services which were built to make use of the libwrap library. To determine
whether a given executable daemon /path/to/daemon supports TCP Wrapper, check
the documentation, or run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ldd /path/to/daemon | grep libwrap.so <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If this command returns any output, then the daemon probably
supports TCP Wrapper. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> An alternative to TCP Wrapper support is packet filtering using
iptables. Note that iptables works at the network level, while TCP Wrapper works
at the application level. This means that iptables filtering is more efficient
and more resistant to flaws in the software being protected, but TCP Wrapper
provides support for logging, banners, and other application-level tricks which
iptables cannot provide.</description>
<Group id="gr-networking-libwrap.1" hidden="false">
<title xml:lang="en-US">How TCP Wrapper Protects Services</title>
<description xml:lang="en-US"> TCP Wrapper provides access control for the
system's network services using two configuration files. When a connection
is attempted: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>The file /etc/hosts.allow is searched for a rule matching the
connection. If one is found, the connection is allowed. </xhtml:li>
<xhtml:li>Otherwise, the file /etc/hosts.deny is searched for a rule
matching the connection. If one is found, the connection is
rejected. </xhtml:li>
<xhtml:li>If no matching rules are found in either file, then the
connection is allowed. By default, TCP Wrapper does not block access
to any services. </xhtml:li>
</xhtml:ol>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> In the simplest case, each rule in /etc/hosts.allow and
/etc/hosts.deny takes the form: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon : client <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> where daemon is the name of the server process for which the
connection is destined, and client is the partial or full hostname or IP
address of the client. It is valid for daemon and client to contain one
item, a comma-separated list of items, or a special keyword like ALL, which
matches any service or client. (See the hosts_access(5) manpage for a list
of other keywords.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Partial hostnames start at the root domain and are
delimited by the . character. So the client machine host03.dev.example.com,
with IP address 10.7.2.3, could be matched by any of the specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> .example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> .dev.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10.7.2.</description>
</Group>
<Group id="gr-networking-libwrap.2" hidden="false">
<title xml:lang="en-US">Reject All Connections From Other Hosts if Appropriate</title>
<description xml:lang="en-US"> Restrict all connections to non-public services
to localhost only. Suppose pubsrv1 and pubsrv2 are the names of daemons
which must be accessed remotely. Configure TCP Wrapper as follows. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.allow. Add the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> pubsrv1 ,pubsrv2 : ALL<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> ALL: localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> ALL: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These rules deny connections to all TCP Wrapper enabled services
from any host other than localhost, but allow connections from anywhere to
the services which must be publicly accessible. (If no public services
exist, the first line in /etc/hosts.allow may be omitted.)</description>
<Rule id="rule-1110" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Reject Connections in TCP Wrapper by Default</title>
<description xml:lang="en-US">TCP wrapper should be configured to reject connections that were not explicitly allowed</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1110" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking-libwrap.3" hidden="false">
<title xml:lang="en-US">Allow Connections Only From Hosts in This Domain if Appropriate</title>
<description xml:lang="en-US"> For each daemon, domainsrv , which only needs to
be contacted from inside the local domain, example.com , configure TCP
Wrapper to deny remote connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.allow. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> domainsrv : .example.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> domainsrv : ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> There are many possible examples of services which need to
communicate only within the local domain. If a machine is a local compute
server, it may be necessary for users to connect via SSH from their desktop
workstations, but not from outside the domain. In that case, you should
protect the daemon sshd using this method. As another example, RPC-based
services such as NFS might be enabled within the domain only, in which case
the daemon portmap should be protected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<warning xml:lang="en-US">Note: This example protects only the service domainsrv
. No filtering is done on other services unless a line is entered into
/etc/hosts.deny which refers to those services by name, or which restricts
the special service ALL.</warning>
</Group>
<Group id="gr-networking-libwrap.4" hidden="false">
<title xml:lang="en-US">Monitor Syslog for Relevant Connections and Failures</title>
<description xml:lang="en-US"> Ensure that the following line exists in
/etc/rsyslog.conf. (This is the default, so it is likely to be correct if the
configuration has not been modified): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> authpriv.* /var/log/secure <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Configure logwatch or other log monitoring tools to periodically
summarize failed connections reported by TCP Wrapper at the facility
authpriv.info. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, TCP Wrapper audits all rejected connections at the
facility authpriv, level info. In the log file, TCP Wrapper rejections will
contain the substring: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon [pid ]: refused connect from ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> These lines can be used to detect malicious scans, and to debug
failures resulting from an incorrect TCP Wrapper configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If appropriate, it is possible to change the syslog facility and
level used by a given TCP Wrapper rule by adding the severity option to each
desired configuration line in /etc/hosts.deny: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> daemon : client : severity facility.level <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, successful connections are not logged by TCP
Wrapper.</description>
</Group>
<Group id="gr-networking-libwrap.5" hidden="false">
<title xml:lang="en-US">Further Resources</title>
<description xml:lang="en-US"> For more information about TCP Wrapper, see the
tcpd(8) and hosts_access(5) manpages and the documentation directory
/usr/share/doc/tcp_wrappers-version. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Some information may be available from the Tools section of the
author's website, http://www.porcupine.org, and from the RHEL6 Security
Guide.</description>
</Group>
</Group>
<Group id="gr-networking-iptables" hidden="false">
<title xml:lang="en-US">Iptables and Ip6tables</title>
<description xml:lang="en-US"> A host-based firewall called Netfilter is included as
part of the Linux kernel distributed with the system. It is activated by
default. This firewall is controlled by the program iptables, and the entire
capability is frequently referred to by this name. An analogous program called
ip6tables handles filtering for IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Unlike TCP Wrappers, which depends on the network server program to
support and respect the rules written, Netfilter filtering occurs at the kernel
level, before a program can even process the data from the network packet. As
such, any program on the system is affected by the rules written. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section provides basic information about strengthening the
iptables and ip6tables configurations included with the system. For more
complete information that may allow the construction of a sophisticated ruleset
tailored to your environment, please consult the references at the end of this
section.</description>
<Group id="gr-networking-iptables.1" hidden="false">
<title xml:lang="en-US">Inspect and Activate Default Rules</title>
<description xml:lang="en-US"> View the currently-enforced iptables rules by
running the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The command is analogous for the ip6tables program. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If the firewall does not appear to be active (i.e., no rules
appear), activate it and ensure that it starts at boot by issuing the
following commands (and analogously for ip6tables): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service iptables restart</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig iptables on</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default iptables rules are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain INPUT (policy ACCEPT)</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num target prot opt source destination</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain FORWARD (policy ACCEPT)</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num target prot opt source destination</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Chain OUTPUT (policy ACCEPT)</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">num target prot opt source destination</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The ip6tables default
rules are similar, with its input rules 2 and 5 and forward rule 1
reflecting protocol naming and addressing differences.</description>
<Rule id="rule-1111" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">ip6tables service is enabled</title>
<description xml:lang="en-US">The ip6tables service should be enabled.</description>
<ident system="http://cce.mitre.org">CCE-4167-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1111" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1112" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">iptables service is enabled</title>
<description xml:lang="en-US">The iptables service should be enabled.</description>
<ident system="http://cce.mitre.org">CCE-4189-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1112" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking-iptables.2" hidden="false">
<title xml:lang="en-US">Understand the Default Ruleset</title>
<description xml:lang="en-US"> Understanding and creating firewall rules can be
a challenging activity, filled with corner cases and difficult-to debug
problems. Because of this, administrators should develop a thorough
understanding of the default ruleset before carefully modifying it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default ruleset is divided into three sections, each of which
is called a chain: INPUT, FORWARD and OUTPUT. Each of these chains
is built-in. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>The INPUT chain is activated on packets destined for (i.e.,
addressed to) the system. </xhtml:li>
<xhtml:li>The OUTPUT chain is activated on packets which are originating
from the system. </xhtml:li>
<xhtml:li>The FORWARD chain is activated for packets that the system
will process and send through another interface, if so configured. </xhtml:li>
</xhtml:ul>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A packet starts at the first rule in the appropriate chain and
proceeds until it matches a rule. If a match occurs, then control will jump
to the specified target. The default ruleset uses the built-in targets
ACCEPT and REJECT. Jumping to the target ACCEPT means to allow the packet
through, while REJECT means to drop the packet and send an error message to
the sending host. A related target called DROP means to drop the packet
without even sending an error message. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default policy for all of the built-in chains (shown after
their names in the rule output above) is set to ACCEPT. This means that if
no rules in the chain match the packets, they are allowed through. Because
no rules at all are written for the OUTPUT chain, this means that iptables
does not stop any packets originating from the system.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>The INPUT chain tries to match, in order, the following
rules for both iptables and ip6tables: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Rule 1, allows inbound packets that are
part of a session initiated by the system.</xhtml:li>
<xhtml:li>Rule 2 explicitly allows all icmp packet types.</xhtml:li>
<xhtml:li>Rule 3 appears to accept all packets. However, this appears
true only because the rules are not presented in verbose mode.
Executing the command <xhtml:br/>
<xhtml:br/>
<xhtml:code># iptables -vnL --line-numbers <xhtml:br/>
</xhtml:code>
<xhtml:br/> reveals that this rule applies only to the loopback (lo)
interface (see column in), while all other rules apply to all
interfaces. Thus, packets not coming from the loopback interface do
not match and proceed to the next rule. </xhtml:li>
<xhtml:li>Rule 4 allows inbound connections in tcp
port 22, which is the SSH protocol. </xhtml:li>
<xhtml:li>Rule 5 rejects all other packets and
sends an error message to the sender. Because this is the last rule
and matches any packet, it effectively prevents any packet from
reaching the chain's default ACCEPT target. Preventing the
acceptance of any packet that is not explicitly allowed is proper
design for a firewall.</xhtml:li>
</xhtml:ul>
</description>
</Group>
<Group id="gr-networking-iptables.3" hidden="false">
<title xml:lang="en-US">Strengthen the Default Ruleset</title>
<description xml:lang="en-US"> The default rules can be strengthened. The system
scripts that activate the firewall rules expect them to be defined in the
configuration files iptables and ip6tables in the directory /etc/sysconfig.
Many of the lines in these files are similar to the command line arguments
that would be provided to the programs /sbin/iptables or /sbin/ip6tables –
but some are quite different. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following recommendations describe how to strengthen the
default ruleset configuration file. An alternative to editing this
configuration file is to create a shell script that makes calls to the
iptables program to load in rules, and then invokes
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">service iptables save</xhtml:code> to
write those loaded rules to /etc/sysconfig/iptables. If the construction of the default ruleset meets
your requirements, system-config-firewall-tui may be used to customize it, to the extent the tool allows it.
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following alterations can be made directly to
/etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to
both unless otherwise noted. Language and address conventions for regular
iptables are used throughout this section; configuration for ip6tables will
be either analogous or explicitly covered.</description>
<warning xml:lang="en-US">The program system-config-firewall-tui automatically adjusts /etc/sysconfig/iptables . This program is only
useful if the construction of the default ruleset meets your security requirements. Otherwise,
this program should not be used to make changes to the firewall
configuration because it re-writes the saved configuration file. </warning>
<Group id="gr-networking-iptables.3.1" hidden="false">
<title xml:lang="en-US">Change the Default Policies</title>
<description xml:lang="en-US"> Change the default policy to DROP (from
ACCEPT) for the INPUT and FORWARD built-in chains: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> *filter <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> :INPUT DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> :FORWARD
DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Changing the default policy in this way implements proper
design for a firewall, i.e. any packets which are not explicitly
permitted should not be accepted.</description>
<Rule id="rule-1113" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The default policy for ip*tables INPUT table should be set appropriately</title>
<description xml:lang="en-US">Change the default policy to DROP (from ACCEPT) for the
INPUT built-in chain.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1113" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1114" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">The default policy for ip*tables FORWARD table should be set appropriately</title>
<description xml:lang="en-US">Change the default policy to DROP (from ACCEPT) for the
FORWARD built-in chain.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1114" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking-iptables.3.2" hidden="false">
<title xml:lang="en-US">Restrict ICMP Message Types</title>
<description xml:lang="en-US"> In /etc/sysconfig/iptables, the accepted ICMP
messages types can be restricted. To accept only ICMP echo reply,
destination unreachable, and time exceeded messages, remove the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and insert the lines:
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To allow the system to respond to pings, also insert the
following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Ping responses can also be limited to certain networks or
hosts by using the -s option in the previous rule. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Because IPv6 depends so heavily on ICMPv6, it is preferable
to deny the ICMPv6 packets you know you don't need (e.g. ping requests)
in /etc/sysconfig/ip6tables, while letting everything else through: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are going to statically configure the
machine's address, it should ignore Router Advertisements which could
add another IPv6 address to the interface or alter important network
settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Restricting other ICMPv6 message types in
/etc/sysconfig/ip6tables is not recommended because the operation of
IPv6 depends heavily on ICMPv6. Thus, more care must be taken when
blocking ICMPv6 types.</description>
<Rule id="rule-1115" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Restrict ICMP message types</title>
<description xml:lang="en-US">Accept only some ICMP messages in the INPUT built-in chain.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1115" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking-iptables.3.3" hidden="false">
<title xml:lang="en-US">Log and Drop Packets with Suspicious Source Addresses</title>
<description xml:lang="en-US"> Packets with non-routable source addresses
should be rejected, as they may indicate spoofing. Because the modified
policy will reject non-matching packets, you only need to add these
rules if you are interested in also logging these spoofing or suspicious
attempts before they are dropped. If you do choose to log various
suspicious traffic, add identical rules with a target of DROP after each
LOG. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To log and then drop these IPv4 packets, insert the
following rules in /etc/sysconfig/iptables (excepting any that are
intentionally used): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP
SPOOF A: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG
--log-prefix "IP DROP SPOOF B: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s
192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A
INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP
SPOOF E: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG
--log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Similarly, you might wish to log packets containing some
IPv6 reserved addresses if they are not expected on your network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP
LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:E000::/20 -j LOG --log-prefix
"IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:7F00::/24 -j LOG
--log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s
2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A
INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4
TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix
"IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002:C0A8::/32 -j LOG
--log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are not expecting to see site-local multicast or
auto-tunneled traffic, you can log those: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL
MULTICAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix
"IPv4 COMPATIBLE IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you wish to block multicasts to all link-local nodes
(e.g. if you are not using router autoconfiguration and do not plan to
have any services that multicast to the entire local network), you can
block the link-local all-nodes multicast address (before accepting
incoming ICMPv6): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local
All-Nodes Multicast: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> However, if you're going to allow IPv4 compatible IPv6
addresses (of the form ::0.0.0.0/96), you should then consider logging
the non-routable IPv4-compatible addresses: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP
NON-ROUTABLE ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::127.0.0.0/104 -j LOG
--log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s
::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP
BROADCAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If you are not expecting to see any IPv4 (or
IPv4-compatible) traffic on your network, consider logging it before it
gets dropped: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4
MAPPED IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s 2002::/16 -j LOG
--log-prefix "IPv6 6to4 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The following rule will log all traffic originating from a
site-local address, which is deprecated address space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL
ADDRESS TRAFFIC: "</description>
</Group>
<Group id="gr-networking-iptables.3.4" hidden="false">
<title xml:lang="en-US">Log and Drop All Other Packets</title>
<description xml:lang="en-US"> To log before dropping all packets that are
not explicitly accepted by previous rules, change the final lines from <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j REJECT --reject-with icmp-host-prohibited
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> to <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j LOG
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -A INPUT -j DROP
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The rule to log all dropped packets must be used with care.
Chatty but otherwise non-malicious network protocols (e.g. NetBIOS) may
result in voluminous logs; insertion of earlier rules to explicitly drop
their packets without logging may be appropriate.</description>
<Rule id="rule-1116" selected="false" weight="10.000000" severity="high">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Log and Drop All Other Packets</title>
<description xml:lang="en-US">Log and drop packets that were not explicitly drop in the INPUT built-in chain.</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1116" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="gr-networking-iptables.4" hidden="false">
<title xml:lang="en-US">Further Strengthening</title>
<description xml:lang="en-US"> Further strengthening, particularly as a result
of customization to a particular environment, is possible for the iptables
rules. Consider the following options, though their practicality depends on
the network environment and usage scenario: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Restrict outgoing traffic. As shown above, the OUTPUT chain's
default policy can be changed to DROP, and rules can be written to
specifically allow only certain types of outbound traffic. Such a
policy could prevent casual usage of insecure protocols such as ftp
and telnet, or even disrupt spyware. However, it would still not
prevent a sophisticated user or program from using a proxy to
circumvent the intended effects, and many client programs even try
to automatically tunnel through port 80 to avoid such
restrictions.</xhtml:li>
<xhtml:li>SYN flood protection. SYN flood protection can be provided by
iptables, but might run into limiting issues for servers. For
example, the iplimit match can be used to limit simultaneous
connections from a given host or class. Similarly, the recent match
allows the firewall to deny additional connections from any host
within a given period of time (e.g. more than 3 –state NEW
connections on port 22 within a minute to prevent dictionary login
attacks). <xhtml:br/>
<xhtml:br/> A more precise option for DoS protection is using TCP
SYN cookies.</xhtml:li>
</xhtml:ul>
</description>
</Group>
<Group id="gr-networking-iptables.5" hidden="false">
<title xml:lang="en-US">Further Resources</title>
<description xml:lang="en-US"> More complex, restrictive, and powerful rulesets
can be created, but this requires careful customization that relies on
knowledge of the particular environment. The following resources provide
more detailed information: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>The iptables(8) man page </xhtml:li>
<xhtml:li>The Netfilter Project's documentation at
http://www.netfilter.org</xhtml:li>
<xhtml:li>The Red Hat Enterprise Linux 6 Security Guide</xhtml:li>
</xhtml:ul>
</description>
</Group>
</Group>
<Group id="gr-networking-tls" hidden="false">
<title xml:lang="en-US">Transport Layer Security Support</title>
<description xml:lang="en-US"> The Transport Layer Security (TLS) protocol provides
encrypted and authenticated network communications, and many network services
include support for it. Using TLS is recommended, especially to avoid any
plaintext transmission of sensitive data, even over a local network. The three primary TLS
implementations included with the system are GnuTLS, NSS and OpenSSL. Older
versions of TLS were called Secure Sockets Layer (SSL).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TLS uses public key cryptography to provide authentication and
encryption. Public key cryptography involves two keys, one called the public key
and the other called the private key. These keys are mathematically related such
that data encrypted with one key can only be decrypted by the other, and vice
versa. As their names suggest, public keys can be distributed to anyone while a
private key must remain known only to its owner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> TLS uses certificates, which are files that hold cryptographic data:
a public key, and a signature of that public key. In TLS authentication, a
server presents a client with its certificate as a means of demonstrating that
it is who it claims it is. If everything goes correctly, the client can verify
the server's certificate by determining that the signature inside the
certificate could only have been generated by a third party whom the client
trusts. This third party is called a Certificate Authority (CA). Each client
system should also have certificates from trusted CAs, and the client uses these
CA certificates to verify the authenticity of the server's certificate. After
authenticating a server using its certificate and a CA certificate, TLS provides
encryption by using the server certificate to securely negotiate a shared secret
key. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If your server must communicate using TLS with systems that might
not be able to securely accept a new CA certificate prior to any TLS
communication, then paying an established CA (whose certificates your clients
already have) to sign your server certificates is recommended. The steps for
doing this vary by vendor. Once the signed certificates have been obtained,
configuration of the services is the same whether they were purchased from a
vendor or signed by your own CA.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> For setting up an internal network and encrypting local traffic,
creating your own CA to sign X.509 certificates can be appropriate. The major
steps in this process are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Create a CA to sign certificates </xhtml:li>
<xhtml:li>Create X.509 certificates for servers using that CA</xhtml:li>
<xhtml:li>Enable client support by distributing the CA's
certificate</xhtml:li>
</xhtml:ol>
</description>
<Group id="gr-networking-tls.1" hidden="false">
<title xml:lang="en-US">Create a CA to Sign Certificates</title>
<description xml:lang="en-US"> The following instructions apply to OpenSSL. The security of certificates depends on the
security of the CA that signed them, so performing these steps on a secure
machine is critical. The system used as a CA should be physically secure and
not connected to any network. It should receive any certificate signing
requests (CSRs) via removable media and output certificates onto removable
media. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The script /etc/pki/tls/misc/CA is included to assist in the
process of setting up a CA. This script uses many settings in
/etc/pki/tls/openssl.cnf. The settings in this file can be changed to suit
your needs and allow easier selection of default settings, particularly in
the [req distinguished name] section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To create the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/misc</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ./CA -newca</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>When prompted, press enter to create a new CA key with the
default name cakey.pem.</xhtml:li>
<xhtml:li>When prompted, enter a password that will protect the private
key, then enter the same password again to verify it.</xhtml:li>
<xhtml:li>At the prompts, fill out as much of the CA information as is
relevant for your site. You must specify a common name, or
generation of the CA certificate will fail. </xhtml:li>
<xhtml:li>Next, you will be prompted for the password, so that the
script can re-open the private key in order to write the
certificate.</xhtml:li>
</xhtml:ul>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This step performs the following actions: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>creates the directory /etc/pki/CA (by default), which contains
files necessary for the operation of a certificate authority. These
are:</xhtml:li>
<xhtml:ul>
<xhtml:li>serial, which contains the current serial number for
certificates signed by the CA</xhtml:li>
<xhtml:li>index.txt, which is a text database file that contains
information about certificates signed</xhtml:li>
<xhtml:li>crl, which is a directory for holding revoked
certificates</xhtml:li>
<xhtml:li>private, a directory which stores the CA's private
key</xhtml:li>
</xhtml:ul>
<xhtml:li>creates a public-private key pair for the CA in the file
/etc/pki/CA/private/cakey.pem. The private key must be kept private
in order to ensure the security of the certificates the CA will
later sign.</xhtml:li>
<xhtml:li>signs the public key (using the corresponding private key, in
a process called self-signing) to create the CA certificate, which
is then stored in /etc/pki/CA/cacert.pem. </xhtml:li>
<xhtml:li/>
</xhtml:ul>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> When the CA later signs a server certificate using its private
key, it means that it is vouching for the authenticity of that server. A
client can then use the CA's certificate (which contains its public key) to
verify the authenticity of the server certificate. To accomplish this, it is
necessary to distribute the CA certificate to any clients.</description>
</Group>
<Group id="gr-networking-tls.2" hidden="false">
<title xml:lang="en-US">Create X.509 Certificates for Servers</title>
<description xml:lang="en-US"> Creating an X.509 certificate for a server involves
the following steps: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>A public-private key pair for the server must be
generated.</xhtml:li>
<xhtml:li>A certificate signing request (CSR) must be created from the
key pair.</xhtml:li>
<xhtml:li>The CSR must be signed by a certificate authority (CA) to
create the server certificate.</xhtml:li>
<xhtml:li>The server certificate and keys must be installed on the
server. </xhtml:li>
</xhtml:ol>
</description>
</Group>
<Group id="gr-networking-tls.3" hidden="false">
<title xml:lang="en-US">Enable Client Support</title>
<description xml:lang="en-US"> The system ships with certificates from
well-known commercial CAs. If your server certificates were signed by one of
these established CAs, then this step is not necessary since the clients
should include the CA certificate already. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If your servers use certificates signed by your own CA, some
user applications will warn that the server's certificate cannot be verified
because the CA is not recognized. Other applications may simply fail to
accept the certificate and refuse to operate, or continue operating without
ever having properly verified the server certificate. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To avoid this warning, and properly authenticate the servers,
your CA certificate must be exported to every application on every client
system that will be connecting to an TLS-enabled server.</description>
<Group id="gr-networking-tls.3.1" hidden="false">
<title xml:lang="en-US">Adding a Trusted CA for Firefox</title>
<description xml:lang="en-US"> Firefox needs to have a certificate from the
CA that signed the web server's certificate, so that it can authenticate
the web server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Firefox 3.6:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Launch Firefox and choose Preferences from the Edit menu. </xhtml:li>
<xhtml:li>Click the Advanced button.</xhtml:li>
<xhtml:li>Select the Encryption pane.</xhtml:li>
<xhtml:li>Click the View Certificates button.</xhtml:li>
<xhtml:li>Click the Authorities tab. </xhtml:li>
<xhtml:li>Click the Import button at the bottom of the
screen.</xhtml:li>
<xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
</xhtml:ol>
</description>
</Group>
<Group id="gr-networking-tls.3.2" hidden="false">
<title xml:lang="en-US">Adding a Trusted CA for Thunderbird</title>
<description xml:lang="en-US"> Thunderbird needs to have a certificate from
the CA that signed the mail server's certificates, so that it can
authenticate the mail server(s).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Thunderbird 3: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Launch Thunderbird and choose Preferences from the
Edit menu.</xhtml:li>
<xhtml:li>Click the Advanced button.</xhtml:li>
<xhtml:li>Select the Certificates tab</xhtml:li>
<xhtml:li>Click the View Certificates button.</xhtml:li>
<xhtml:li>Select the Authorities tab.</xhtml:li>
<xhtml:li>Click the Import button at the bottom of the
screen.</xhtml:li>
<xhtml:li>Navigate to the CA certificate and import it. Determine
whether the CA should be used to identify web sites, e-mail
users, and software developers and trust it for each
accordingly.</xhtml:li>
</xhtml:ol>
</description>
</Group>
<Group id="gr-networking-tls.3.3" hidden="false">
<title xml:lang="en-US">Adding a Trusted CA for Evolution</title>
<description xml:lang="en-US"> The Evolution e-mail client needs to have a
certificate from the CA that signed the mail server's certificates, so
that it can authenticate the mail server(s). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> To import a new CA certificate into Evolution: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Launch Evolution and choose Preferences from the Edit
menu.</xhtml:li>
<xhtml:li>Select Certificates from the icon list on the
left.</xhtml:li>
<xhtml:li>Select the Authorities tab.</xhtml:li>
<xhtml:li>Click the Import button.</xhtml:li>
<xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
</xhtml:ol>
</description>
</Group>
</Group>
<Group id="gr-networking-tls.4" hidden="false">
<title xml:lang="en-US">Further Resources</title>
<description xml:lang="en-US">
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>The OpenSSL Project home page at
http://www.openssl.org</xhtml:li>
<xhtml:li>The openssl(1) man page</xhtml:li>
</xhtml:ul>
</description>
</Group>
</Group>
<Group id="gr-networking.7" hidden="false">
<title xml:lang="en-US">Uncommon Network Protocols</title>
<description xml:lang="en-US"> The system includes support for several network
protocols which are not commonly used. Although security vulnerabilities in
kernel networking code are not frequently discovered, the consequences can be
dramatic. Ensuring uncommon network protocols are disabled reduces the system’s
risk to attacks targeted at its implementation of those protocols.</description>
<Group id="gr-networking.7.1" hidden="false">
<title xml:lang="en-US">Disable Support for DCCP</title>
<description xml:lang="en-US"> To prevent the DCCP kernel module from being
loaded, create /etc/modprobe.d/dccp.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install dccp /bin/true<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Datagram Congestion Control Protocol (DCCP) is a relatively
new transport layer protocol, designed to support streaming media and
telephony.</description>
<Rule id="rule-1117" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Disable Support for DCCP</title>
<description xml:lang="en-US">Support for DCCP should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-14268-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1117" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking.7.2" hidden="false">
<title xml:lang="en-US">Disable Support for SCTP</title>
<description xml:lang="en-US"> To prevent the SCTP kernel module from being
loaded, create /etc/modprobe.d/sctp.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install sctp /bin/true<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Stream Control Transmission Protocol (SCTP) is a transport
layer protocol, designed to support the idea of message-oriented
communication, with several streams of messages within one
connection.</description>
<Rule id="rule-1118" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Disable Support for SCTP</title>
<description xml:lang="en-US">Support for SCTP should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-14132-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1118" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-networking.7.3" hidden="false">
<title xml:lang="en-US">Disable Support for RDS</title>
<description xml:lang="en-US"> To prevent the RDS kernel module from being
loaded, create /etc/modprobe.d/rds.conf with the following content:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install rds /bin/true<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high-bandwidth, low-latency
communications between nodes in a cluster.</description>
<Rule id="rule-1119" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Disable Support for RDS</title>
<description xml:lang="en-US">Support for RDS should be disabled.</description>
<ident system="http://cce.mitre.org">CCE-14027-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1119" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="gr-logs" hidden="false">
<title xml:lang="en-US">Logging and Auditing</title>
<description xml:lang="en-US"> Successful local or network attacks on systems do not
necessarily leave clear evidence of what happened. It is necessary to build a
configuration in advance that collects this evidence, both in order to determine
that something anomalous has occurred, and in order to respond appropriately. In
addition, a well-configured logging and audit infrastructure will show evidence of
any misconfiguration which might leave the system vulnerable to attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Logging and auditing take different approaches to collecting data. A
logging infrastructure provides a framework for individual programs running on the
system to report whatever events are considered interesting: the sshd program may
report each successful or failed login attempt, while the sendmail program may
report each time it sends an e-mail on behalf of a local or remote user. An auditing
infrastructure, on the other hand, reports each instance of certain low-level
events, such as entry to the setuid system call, regardless of which program caused
the event to occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Auditing has the advantage of being more comprehensive, but the
disadvantage of reporting a large amount of information, most of which is
uninteresting. Logging (particularly using a standard framework like syslog) has the
advantage of being compatible with a wide variety of client applications, and of
reporting only information considered important by each application, but the
disadvantage that the information reported is not consistent between applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> A robust infrastructure will perform both logging and auditing, and will
use configurable automated methods of summarizing the reported data, so that system
administrators can remove or compress reports of events known to be uninteresting in
favor of alert monitoring for events known to be interesting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This section discusses how to configure logging, log monitoring, and
auditing, using tools included with RHEL6. It is recommended that rsyslog be used for
logging, with logwatch providing summarization, and that auditd be used for
auditing, with aureport providing summarization.</description>
<Group id="gr-logs-syslog" hidden="false">
<title xml:lang="en-US">Configure Rsyslog</title>
<description xml:lang="en-US"> Rsyslog is an enhanced, multi-threaded syslog daemon.
This section discusses how to configure rsyslog for best
effect, and how to use tools provided with the system to maintain and monitor
your logs.</description>
<Rule id="rule-1120" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Rsyslog service is enabled</title>
<description xml:lang="en-US">The rsyslog service should be enabled.</description>
<ident system="http://cce.mitre.org">CCE-3679-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1120" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Group id="gr-logs-syslog.1" hidden="false">
<title xml:lang="en-US">Ensure All Important Messages are Captured</title>
<description xml:lang="en-US">
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The default RHEL6 rsyslog configuration stores the facilities
authpriv, cron, and mail in named logs. This guide describes the
implementation of the following configuration, but any configuration which
stores the important facilities and is usable by the administrators will suffice:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Store each of the facilities kern, daemon, and syslog in its
own log, so that it will be easy to access information about
messages from those facilities. </xhtml:li>
<xhtml:li>Restrict the information stored in /var/log/messages to only
the facilities auth and user, and store all messages from those
facilities. Messages can easily become cluttered otherwise. </xhtml:li>
<xhtml:li>Store information about all facilities which should not be in
use at this site in a file called /var/log/unused.log. If any
messages are logged to this file at some future point, this may be
an indication that an unknown service is running, and should be
investigated. In addition, if news and uucp are not in use at this
site, remove the directive from the default syslog.conf which stores
those facilities. </xhtml:li>
</xhtml:ul>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Making use of the local facilities is also recommended. Specific
configuration is beyond the scope of this guide, but applications such as
SSH can easily be configured to log to a local facility which is not being
used for anything else. If this is done, reconfigure /etc/syslog.conf to
store this facility in an appropriate named log or in /var/log/messages,
rather than in /var/log/unused.log.</description>
</Group>
<Group id="gr-logs-syslog.2" hidden="false">
<title xml:lang="en-US">Confirm Existence and Permissions of System Log Files</title>
<description xml:lang="en-US"> For each log file LOGFILE referenced in
/etc/rsyslog.conf, run the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># touch LOGFILE</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root LOGFILE</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod 0600 LOGFILE</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Some logs may contain
sensitive information, so it is better to restrict permissions so that only
administrative users can read or write logfiles.</description>
<Value id="var-1121" operator="equals" type="string">
<title xml:lang="en-US">User that owns log files</title>
<description xml:lang="en-US">Specify user owner of all logfiles specified
in /etc/rsyslog.conf.</description>
<value>0</value>
<value selector="root">0</value>
</Value>
<Value id="var-1122" operator="equals" type="string">
<title xml:lang="en-US">Group that owns log files</title>
<description xml:lang="en-US">Specify group owner of all logfiles specified
in /etc/rsyslog.conf.</description>
<value>0</value>
<value selector="root">0</value>
</Value>
<Rule id="rule-1121" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">User ownership of System Log Files</title>
<description xml:lang="en-US">All syslog log files should be owned by user <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1121"/>.</description>
<ident system="http://cce.mitre.org">CCE-4366-1</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1121" value-id="var-1121"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1121" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1122" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Group ownership of System Log Files</title>
<description xml:lang="en-US">All syslog log files should be group owned group <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-1122"/>.</description>
<ident system="http://cce.mitre.org">CCE-3701-0</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:org.open-scap.rhel6:var:1122" value-id="var-1122"/>
<check-content-ref name="oval:org.open-scap.rhel6:def:1122" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
<Rule id="rule-1123" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Permissions on System Log Files</title>
<description xml:lang="en-US">File permissions for all syslog log files should be set
correctly.</description>
<ident system="http://cce.mitre.org">CCE-4233-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1123" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-syslog.3" hidden="false">
<title xml:lang="en-US">Syslog logs should be sent to a remote loghost</title>
<description xml:lang="en-US">
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If system logs are to be useful in detecting malicious
activities, it is necessary to send logs to a remote server. An intruder who
has compromised the root account on a machine may delete the log entries
which indicate that the system was attacked before they are seen by an
administrator. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<Rule id="rule-1124" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Send Logs to a Remote Loghost</title>
<description xml:lang="en-US">Syslog logs should be sent to a remote loghost</description>
<ident system="http://cce.mitre.org">CCE-4260-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1124" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-syslog.4" hidden="false">
<title xml:lang="en-US">Rsyslog shouldn't be run in a compatibility mode</title>
<description xml:lang="en-US">Rsyslog can be run in a compatibility mode which simulates the behavior of its older versions.
The version to be compatible with is specified with a command line option. It is advisable to run the daemon in a mode
that matches its current version. Using an older mode may alter your configuration in an unexpected way.
The mode can be configured by changing the value of the SYSLOGD_OPTIONS variable in /etc/sysconfig/rsyslog.
</description>
<Rule id="rule-1125" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Rsyslog shouldn't be run in a compatibility mode</title>
<description xml:lang="en-US">An appropriate compatibility mode, that matches the daemons current version should be specified
using the SYSLOGD_OPTION variable in /etc/sysconfig/rsyslog.
</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1125" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-syslog.5" hidden="false">
<title xml:lang="en-US">Ensure All Logs are Rotated by logrotate</title>
<description xml:lang="en-US"> Edit the file /etc/logrotate.d/syslog. Find the
first line, which should look like this: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> /var/log/messages /var/log/secure /var/log/maillog
/var/log/spooler /var/log/boot.log /var/log/cron { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Edit this line so that it contains a one-space-separated listing
of each log file referenced in /etc/rsyslog.conf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> All logs in use
on a system must be rotated regularly, or the log files will consume disk
space over time, eventually interfering with system operation. The file
/etc/logrotate.d/syslog is the configuration file used by the logrotate
program to maintain all log files written by syslog. By default, it rotates
logs weekly and stores four archival copies of each log. These settings can
be modified by editing /etc/logrotate.conf, but the defaults are sufficient
for purposes of this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note that logrotate is run nightly by the cron job
/etc/cron.daily/logrotate. If particularly active logs need to be rotated
more often than once a day, some other mechanism must be used.</description>
<Rule id="rule-1126" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">All Logs are Rotated by logrotate</title>
<description xml:lang="en-US">The logrotate (syslog rotater) service should be
enabled.</description>
<ident system="http://cce.mitre.org">CCE-4182-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1126" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-syslog.6" hidden="false">
<title xml:lang="en-US">Monitor Suspicious Log Messages using Logwatch</title>
<description xml:lang="en-US"> The system includes an extensible program called
Logwatch for reporting on unusual items in syslog. Logwatch is valuable
because it provides a parser for the syslog entry format and a number of
signatures for types of lines which are considered to be mundane or
noteworthy. Logwatch has a number of downsides: the signatures can be
inaccurate and are not always categorized consistently, and you must be able
to program in Perl in order to customize the signature database. However, it
is recommended that all Linux sites which do not have time to deploy a
third-party log monitoring application run Logwatch in its default
configuration. This provides some useful information about system activity
in exchange for very little administrator effort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> This guide recommends that Logwatch be run only on the central
logserver, if your site has one, in order to focus administrator attention
by sending all daily logs in a single e-mail.</description>
<Group id="gr-logs-syslog.6.1" hidden="false">
<title xml:lang="en-US">Configure Logwatch on the Central Log Server</title>
<description xml:lang="en-US"> Is this machine the central log server? If
so, edit the file /etc/logwatch/conf/logwatch.conf. Add or correct the
following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">HostLimit = no</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SplitHosts = yes</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">MultiEmail = no</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">Service = -zz-disk_space</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> On a central logserver, you want Logwatch to summarize all
syslog entries, including those which did not originate on the logserver
itself. The HostLimit setting tells Logwatch to report on all hosts, not
just the one on which it is running. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If SplitHosts is set, Logwatch will separate entries by
hostname. This makes the report longer but significantly more usable. If
it is not set, then Logwatch will not report which host generated a
given log entry, and that information is almost always necessary. If
MultiEmail is set, then each host's information will be sent in a
separate e-mail message. This is a matter of preference.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The Service directive -zz-disk space tells Logwatch not to
run the zz-disk space report, which reports on free disk space. Since
all log monitoring is being done on the central logserver, the disk
space listing will always be that of the logserver, regardless of which
host is being monitored. This is confusing, so disable that service.
Note that this does mean that Logwatch will not monitor disk usage
information. Many workarounds are possible, such as running df on each
host daily via cron and sending the output to syslog so that it will be
reported to the logserver.</description>
</Group>
<Group id="gr-logs-syslog.6.2" hidden="false">
<title xml:lang="en-US">Remove Logwatch on Clients if a Logserver Exists</title>
<description xml:lang="en-US"> Does your site have a central logserver which
has been configured to report on logs received from all systems? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum remove logwatch<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> If no logserver exists, it will be necessary for each
machine to run Logwatch individually. Using a central logserver provides
the security and reliability benefits discussed earlier, and also makes
monitoring logs easier and less time-intensive for
administrators.</description>
</Group>
</Group>
</Group>
<Group id="gr-logs-audit" hidden="false">
<title xml:lang="en-US">System Accounting with auditd</title>
<description xml:lang="en-US"> The audit service is the current Linux recommendation
for kernel-level auditing. By default, the service records SELinux AVC
denials and certain types of security-relevant events such as system logins,
account modifications, and authentication events performed by programs such as
sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Under its default configuration, auditd has modest disk space
requirements, and should not noticeably impact system performance. The audit
service, in its default configuration, is strongly recommended for all sites,
regardless of whether they are running SELinux. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> DoD or federal networks often have substantial auditing requirements
and auditd can be configured to meet these requirements.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Typical DoD requirements include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Ensure Auditing is Configured to Collect Certain System Events <xhtml:ul>
<xhtml:li>Information on the Use of Print Command (unsuccessful and
successful)</xhtml:li>
<xhtml:li>Startup and Shutdown Events (unsuccessful and
successful)</xhtml:li>
</xhtml:ul>
</xhtml:li>
<xhtml:li>Ensure the auditing software can record the following for each
audit event: <xhtml:ul>
<xhtml:li>Date and time of the event</xhtml:li>
<xhtml:li>Userid that initiated the event</xhtml:li>
<xhtml:li>Type of event</xhtml:li>
<xhtml:li>Success or failure of the event</xhtml:li>
<xhtml:li>For I&A events, the origin of the request (e.g.,
terminal ID)</xhtml:li>
<xhtml:li>For events that introduce an object into a user’s address
space, and for object deletion events, the name of the object,
and in MLS systems, the objects security level.</xhtml:li>
</xhtml:ul>
</xhtml:li>
<xhtml:li>Ensure files are backed up no less than weekly onto a different
system than the system being audited or backup media.</xhtml:li>
<xhtml:li>Ensure old logs are closed out and new audit logs are started
daily</xhtml:li>
<xhtml:li>Ensure the configuration is immutable. With the -e 2 setting a
reboot will be required to change any audit rules.</xhtml:li>
<xhtml:li>Ensure that the audit data files have permissions of 640, or more
restrictive.</xhtml:li>
</xhtml:ul>
</description>
<Group id="gr-logs-audit.1" hidden="false">
<title xml:lang="en-US">Enable the auditd Service</title>
<description xml:lang="en-US"> Ensure that the auditd service is enabled (this
is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig auditd on <xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, auditd logs only SELinux denials, which are helpful
for debugging SELinux and discovering intrusion attempts, and certain types
of security events, such as modifications to user accounts (useradd, passwd,
etc), login events, and calls to sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Data is stored in /var/log/audit/audit.log. By default, auditd
rotates 4 logs by size (5MB), retaining a maximum of 20MB of data in total,
and refuses to write entries when the disk is too full. This minimizes the
risk of audit data filling its partition and impacting other services.
However, it is possible to lose audit data if the system is
busy.</description>
<Rule id="rule-1127" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">accepted</status>
<title xml:lang="en-US">Auditd service is enabled</title>
<description xml:lang="en-US">The auditd service should be enabled.</description>
<ident system="http://cce.mitre.org">CCE-4292-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1127" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.2" hidden="false">
<title xml:lang="en-US">Configure auditd Data Retention</title>
<description xml:lang="en-US">
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Determine STOREMB , the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf. Add or modify the following line:<xhtml:br/>
<xhtml:br/> max_log_file = STOREMB</xhtml:li>
<xhtml:li>Use a dedicated partition (or logical volume) for log files. It
is straightforward to create such a partition or logical volume
during system installation time. The partition should be larger than
the maximum space which auditd will ever use, which is the maximum
size of each log file (max log file) multiplied by the number of log
files (num logs). Ensure the partition is mounted on
/var/log/audit.</xhtml:li>
<xhtml:li>If your site requires that the machine be disabled when
auditing cannot be performed, configure auditd to halt the system
when disk space for auditing runs low. Edit /etc/audit/auditd.conf,
and add or correct the following lines:<xhtml:br/>
<xhtml:br/> space_left_action = email<xhtml:br/> action_mail_acct =
root<xhtml:br/> admin_space_left_action = halt<xhtml:br/>
</xhtml:li>
</xhtml:ul> The default action to take when the logs reach their maximum
size is to rotate the log files, discarding the oldest one. If it is more
important to retain all possible auditing information, even if that opens
the possibility of running out of space and taking the action defined by
admin space left action, add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> max_log_file_action = keep_logs<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> By default, auditd retains 4 log files of size 5Mb apiece. For a
busy system or a system which is thoroughly auditing system activity, this
is likely to be insufficient.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The log file size needed will depend heavily on what types of
events are being audited. First configure auditing to log all the events of
interest. Then monitor the log size manually for a while to determine what
file size will allow you to keep the required data for the correct time period.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Using a dedicated partition for /var/log/audit prevents the
auditd logs from disrupting system functionality if they fill the partition, and, more
importantly, prevents other activity in /var from filling the partition and
stopping the audit trail. (The audit logs are size-limited and therefore
unlikely to grow without bound unless configured to do so.) Some machines may
have requirements that no actions occur which cannot be audited. If this is
the case, then auditd can be configured to halt the machine if it runs out of space.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Note: Since older logs are rotated, configuring auditd this way
does not prevent older logs from being rotated away before they can be
viewed. </description>
<warning xml:lang="en-US">If your system is configured to halt when logging
cannot be performed, make sure this can never happen under normal
circumstances! Ensure that /var/log/audit is on its own partition, and
that this partition is larger than the maximum amount of data auditd will
retain normally.</warning>
</Group>
<Group id="gr-logs-audit.3" hidden="false">
<title xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
<description xml:lang="en-US"> To ensure that all processes can be audited, even
those which start prior to the audit daemon, add the argument audit=1 to the
kernel line in /boot/grub/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00
rhgb quiet audit=1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Each process on the system carries an ”auditable” flag which
indicates whether its activities can be audited. Although auditd takes care
of enabling this for all processes which launch after it does, adding the
kernel argument ensures that it is set for every process during boot. </description>
<Rule id="rule-1128" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
<description xml:lang="en-US"> To ensure that all processes can be audited, even those which
start prior to the audit daemon, add the argument audit=1 to the kernel
line in /boot/grub/grub.conf</description>
<ident system="http://cce.mitre.org">CCE-15026-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1128" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4" hidden="false">
<title xml:lang="en-US">Configure auditd Rules for Comprehensive Auditing</title>
<description xml:lang="en-US"> The auditd program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full description of
the auditing system’s capabilities is beyond the scope of this guide. The
mailing list linux-audit@redhat.com may be a good source of further information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> The audit subsystem supports extensive collection of events, including:
<xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xhtml:li>Tracing of arbitrary system calls (identified by name or
number) on entry or exit.</xhtml:li>
<xhtml:li>Filtering by PID, UID, call success, system call argument
(with some limitations), etc.</xhtml:li>
<xhtml:li>Monitoring of specific files for modifications to the file’s
contents or metadata.</xhtml:li>
</xhtml:ul>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Auditing rules are controlled in the file /etc/audit/audit.rules.
Add rules to it to meet the auditing requirements for your organization.
Each line in /etc/audit/audit.rules represents a series of arguments that
can be passed to auditctl and can be individually tested as such. See
documentation in /usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i> and in the related man pages
for more details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> Recommended audit rules are provided in
/usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i>/stig.rules. In order to activate those rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /usr/share/doc/audit-<xhtml:i xmlns:xhtml="http://www.w3.org/1999/xhtml">version</xhtml:i>/stig.rules
/etc/audit/audit.rules<xhtml:br/>
</xhtml:code>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and then edit /etc/audit/audit.rules and comment out the lines
containing arch= which are not appropriate for your system’s architecture.
Then review and understand the following rules, ensuring rules are activated
as needed for the appropriate architecture.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> After reviewing all the rules, reading the following sections,
and editing as needed, activate the new rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service auditd restart</xhtml:code>
</description>
<Group id="gr-logs-audit.4.1" hidden="false">
<title xml:lang="en-US">Records Events that Modify Date and Time Information</title>
<description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S
stime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S
clock_settime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/localtime -p wa -k
time-change </description>
<Rule id="rule-1129" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Records Events that Modify Date and Time Information</title>
<description xml:lang="en-US">Audit rules about time</description>
<ident system="http://cce.mitre.org">CCE-14051-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1129" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.2" hidden="false">
<title xml:lang="en-US">Record Events that Modify User/Group Information</title>
<description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
in order to capture events that modify account changes:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/group -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/passwd -p
wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/gshadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
-w /etc/shadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/security/opasswd -p
wa -k identity </description>
<Rule id="rule-1130" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Record Events that Modify User/Group Information</title>
<description xml:lang="en-US">Audit rules about User/Group Information</description>
<ident system="http://cce.mitre.org">CCE-14829-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1130" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.3" hidden="false">
<title xml:lang="en-US">Record Events that Modify the System’s Network Environment</title>
<description xml:lang="en-US"> Add the following to /etc/audit/audit.rules,
setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a exit,always -F arch=ARCH -S sethostname -S setdomainname
-k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/issue -p wa -k
system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/issue.net -p wa -k
system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/hosts -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
-w /etc/sysconfig/network -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<Rule id="rule-1131" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Record Events that Modify the System’s Network Environment</title>
<description xml:lang="en-US">Audit rules about the System’s Network
Environment</description>
<ident system="http://cce.mitre.org">CCE-14816-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1131" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.4" hidden="false">
<title xml:lang="en-US">Record Events that Modify the System’s Mandatory Access Controls</title>
<description xml:lang="en-US"> Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/selinux/ -p wa -k MAC-policy </description>
<Rule id="rule-1132" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Record Events that Modify the System’s Mandatory Access Controls</title>
<description xml:lang="en-US">Audit rules about the System’s Mandatory Access
Controls</description>
<ident system="http://cce.mitre.org">CCE-14821-3</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1132" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.5" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Logon and Logout Events</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
login info for all users and root. Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/tallylog -p wa -k logins
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/faillock/ -p wa -k logins
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/lastlog -p wa -k logins </description>
<Rule id="rule-1133" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Auditd Collects Logon and Logout Events</title>
<description xml:lang="en-US">Audit rules about the Logon and Logout Events</description>
<ident system="http://cce.mitre.org">CCE-14904-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1133" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.6" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Process and Session Initiation Information</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
process information for all users and root. Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/run/utmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w
/var/log/btmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /var/log/wtmp -p wa -k
session </description>
<Rule id="rule-1134" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects Process and Session Initiation Information</title>
<description xml:lang="en-US">Audit rules about the Process and Session Initiation
Information</description>
<ident system="http://cce.mitre.org">CCE-14679-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1134" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.7" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
file permission changes for all users and root. Add the following to
/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat
-F auid>=500 -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F
auid>=500 -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F
auid!=4294967295 -k perm_mod </description>
<Rule id="rule-1135" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
<description xml:lang="en-US">Audit rules about the Discretionary Access Control
Permission Modification Events</description>
<ident system="http://cce.mitre.org">CCE-14058-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1135" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.8" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following to
/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S creat -S open -S openat -S
truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F
auid!=4294967295 -k access<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S
creat -S open -S openat -S truncate -S ftruncate -F
exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access </description>
<Rule id="rule-1136" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
<description xml:lang="en-US">Audit rules about the Unauthorized Access Attempts to Files
(unsuccessful)</description>
<ident system="http://cce.mitre.org">CCE-14917-9</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1136" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.9" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Information on the Use of Privileged Commands</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
the execution of privileged commands for all users and root. Find all set-uid programs by running
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">find /bin -type f -perm -04000 2>/dev/null</xhtml:code>
and for each such program, add a rule similar to the
following to /etc/audit/audit.rules, replacing /bin/ping by path to the program in question:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F
auid!=4294967295 -k privileged </description>
<Rule id="rule-1137" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects Information on the Use of Privileged Commands</title>
<description xml:lang="en-US">Audit rules about the Information on the Use of Privileged
Commands</description>
<ident system="http://cce.mitre.org">CCE-14296-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1137" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.10" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Information on Exporting to Media (successful)</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
media exportation events for all users and root. Add the following to
/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S mount -F auid>=500 -F
auid!=4294967295 -k export </description>
<Rule id="rule-1138" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects Information on Exporting to Media (successful)</title>
<description xml:lang="en-US">Audit rules about the Information on Exporting to Media
(successful)</description>
<ident system="http://cce.mitre.org">CCE-14569-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1138" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.11" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
file deletion events for all users and root. Add the following to
/etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate
for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename
-S renameat -F auid>=500 -F auid!=4294967295 -k delete </description>
<Rule id="rule-1139" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
<description xml:lang="en-US">Audit rules about the Files Deletion Events by User
(successful and unsuccessful)</description>
<ident system="http://cce.mitre.org">CCE-14820-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1139" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.12" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects System Administrator Actions</title>
<description xml:lang="en-US"> At a minimum the audit system should collect
administrator actions for all users and root. Append the following line to /etc/pam.d/system-auth and /etc/pam.d/password-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
session required pam_tty_audit.so disable=* enable=root
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> and the following line to /etc/pam.d/sudo and /etc/pam.d/sudo-i:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
session required pam_tty_audit.so open_only enable=root
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>Also add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /etc/sudoers -p wa -k actions</description>
<Rule id="rule-1140" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects System Administrator Actions</title>
<description xml:lang="en-US">Audit rules about the System Administrator
Actions</description>
<ident system="http://cce.mitre.org">CCE-14824-7</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1140" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.13" hidden="false">
<title xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
<description xml:lang="en-US"> Add the following to /etc/audit/audit.rules
in order to capture kernel module loading and unloading events:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/insmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/rmmod -p
x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -w /sbin/modprobe -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -a
always,exit -F arch=ARCH -S init_module -S delete_module -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
</description>
<Rule id="rule-1141" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
<description xml:lang="en-US">Audit rules about the Information on Kernel Module Loading
and Unloading</description>
<ident system="http://cce.mitre.org">CCE-14688-6</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1141" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="gr-logs-audit.4.14" hidden="false">
<title xml:lang="en-US">Make the auditd Configuration Immutable</title>
<description xml:lang="en-US"> Add the following to /etc/audit/audit.rules
in order to make the configuration immutable:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> -e 2<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> With this setting, a reboot will be required to change any
audit rules. </description>
<Rule id="rule-1142" selected="false" weight="10.000000" severity="medium">
<status date="2010-07-01">draft</status>
<title xml:lang="en-US">Make the auditd Configuration Immutable</title>
<description xml:lang="en-US">Force a reboot to change audit rules</description>
<ident system="http://cce.mitre.org">CCE-14692-8</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.open-scap.rhel6:def:1142" href="scap-rhel6-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
</Group>
</Group>
</Group>
</Benchmark>
|