Guide to the Secure Configuration of Fedora
with profile Common Profile for General-Purpose Fedora Systems
This profile contains items common to general-purpose Fedora installations.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Fedora, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
Target machine | thinkpad |
---|---|
Benchmark URL | ssg-fedora-ds.xml |
Benchmark ID | xccdf_org.ssgproject.content_benchmark_FEDORA |
Profile ID | xccdf_org.ssgproject.content_profile_common |
Started at | 2017-03-14T13:43:53 |
Finished at | 2017-03-14T13:49:23 |
Performed by | jcerny |
CPE Platforms
- cpe:/o:fedoraproject:fedora:25
- cpe:/o:fedoraproject:fedora:24
- cpe:/o:fedoraproject:fedora:23
Addresses
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 57.513893 | 100.000000 | 57.51% |
Rule Overview
Result Details
gpgcheck Enabled In Main Dnf Configuration
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
Result | pass |
Time | 2017-03-14T13:43:53 |
Severity | high |
Identifiers and References | |
Description | The gpgcheck=1 |
Rationale | Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. |
gpgcheck Enabled For All Dnf Package Repositories
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
Result | fail |
Time | 2017-03-14T13:43:53 |
Severity | high |
Identifiers and References | |
Description | To ensure signature checking is not disabled for any repos, remove any lines from files in gpgcheck=0 |
Rationale | Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering. |
Install AIDE
Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
Result | notselected |
Time | 2017-03-14T13:43:53 |
Severity | medium |
Identifiers and References | references: CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, 1069 |
Description | Install the AIDE package with the command: $ sudo dnf install aide |
Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
Disable Prelinking
Rule ID | xccdf_org.ssgproject.content_rule_disable_prelink |
Result | pass |
Time | 2017-03-14T13:43:53 |
Severity | low |
Identifiers and References | |
Description |
The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua |
Rationale | The prelinking feature can interfere with the operation of AIDE, because it changes binaries. |
Build and Test AIDE Database
Rule ID | xccdf_org.ssgproject.content_rule_aide_build_database |
Result | fail |
Time | 2017-03-14T13:43:53 |
Severity | medium |
Identifiers and References | |
Description | Run the following command to generate a new database:
# /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files) in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
# /usr/sbin/aide --check
If this check produces any unexpected output, investigate. |
Rationale | For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. |
Configure Periodic Execution of AIDE
Rule ID | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking |
Result | notselected |
Time | 2017-03-14T13:43:53 |
Severity | medium |
Identifiers and References | references: CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, 374, 416, 1069, 1263, 1297, 1589 |
Description |
To implement a daily execution of AIDE at 4:05am using cron, add the following line to
05 4 * * * root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. |
Rationale | By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. |
Verify File Hashes with RPM
Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_hashes |
Result | fail |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
# rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
# rpm -qf FILENAME
The package can be reinstalled from a dnf repository using the command:
dnf reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
rpm -Uvh PACKAGENAME |
Rationale | The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. |
Install Intrusion Detection Software
Rule ID | xccdf_org.ssgproject.content_rule_install_hids |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | high |
Identifiers and References | |
Description | The Red Hat platform includes a sophisticated auditing system and SELinux, which provide host-based intrusion detection capabilities. |
Rationale | Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network. |
Install Virus Scanning Software
Rule ID | xccdf_org.ssgproject.content_rule_install_antivirus |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail. |
Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
Disable GDM Automatic Login
Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | high |
Identifiers and References | |
Description | The GNOME Display Manager (GDM) can allow users to automatically log in without user interaction or credentials. Users should always be required to authenticate themselves to the system that they are authorized to use. To disable users' ability to automatically log in to the system, set the
[daemon] AutomaticLoginEnable=false |
Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. |
Disable GDM Guest Login
Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | high |
Identifiers and References | |
Description | The GNOME Display Manager (GDM) can allow users to log in without credentials, which can be useful for public kiosk scenarios. Allowing users to log in without credentials or "guest" account access has inherent security risks and should be disabled. To disable timed logins or guest account access, set the
[daemon] TimedLoginEnable=false |
Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. |
Disable the GNOME3 Login User List
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-23 |
Description | In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting
[org/gnome/login-screen] disable-user-list=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update. |
Rationale | Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. |
Disable the GNOME3 Login Restart and Shutdown Buttons
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | high |
Identifiers and References | |
Description | In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, the ability to shut down or restart the system. This functionality should be disabled by setting
[org/gnome/login-screen] disable-restart-buttons=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update. |
Rationale | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot. |
Enable the GNOME3 Login Smartcard Authentication
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description | In the default graphical environment, smart card authentication can be enabled on the login screen by setting
[org/gnome/login-screen] enable-smartcard-authentication=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/enable-smartcard-authentication
After the settings have been set, run dconf update. |
Rationale | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. |
Set the GNOME3 Login Number of Failures
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description | In the default graphical environment, the GNOME3 login screen can be configured to restart the authentication process after a configured number of attempts. This can be configured by setting
[org/gnome/login-screen] allowed-failures=3
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/allowed-failures
After the settings have been set, run dconf update. |
Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. |
Set GNOME3 Screensaver Inactivity Timeout
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
The idle time-out value for inactivity in the GNOME3 desktop is configured via the
[org/gnome/desktop/session] idle-delay=900
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update. |
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. |
Enable GNOME3 Screensaver Idle Activation
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set
[org/gnome/desktop/screensaver] idle_activation_enabled=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update. |
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. |
Enable GNOME3 Screensaver Lock After Idle Period
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set
[org/gnome/desktop/screensaver] lock-enabled=true lock-delay=0
Once the settings have been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-enabled /org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update. |
Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence. |
Implement Blank Screensaver
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description |
To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set
[org/gnome/desktop/screensaver] picture-uri=''
Once the settings have been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update. |
Rationale | Setting the screensaver mode to blank-only conceals the contents of the display from passersby. |
Disable Full User Name on Splash Shield
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description |
By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be disabled by adding or setting
[org/gnome/desktop/screensaver] show-full-name-in-top-bar=false
Once the settings have been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/show-full-name-in-top-bar
After the settings have been set, run dconf update. |
Rationale | Setting the splash screen to not reveal the logged in user's name conceals who has access to the system from passersby. |
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | high |
Identifiers and References | |
Description |
By default,
[org/gnome/settings-daemon/plugins/media-keys] logout=''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update. |
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Disable User Administration in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | high |
Identifiers and References | |
Description |
By default,
[org/gnome/desktop/lockdown] user-administration-disabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/lockdown/user-administration-disabled
After the settings have been set, run dconf update. |
Rationale | Allowing all users to have some administrative capabilities to the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes as well as a nefarious user the capability to make system changes such as adding new accounts, etc. |
Disable Power Settings in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_power_settings |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
By default,
[org/gnome/settings-daemon/plugins/power] active=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/plugins/power
After the settings have been set, run dconf update. |
Rationale | Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems. |
Disable Geolocation in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
[org/gnome/system/location] enabled=false
To configure the clock to disable location tracking, add or set geolocation to false in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/clocks] geolocation=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/system/location/enabled /org/gnome/clocks/geolocation
After the settings have been set, run dconf update. |
Rationale | Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems. |
Disable WIFI Network Connection Creation in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
[org/gnome/nm-applet] disable-wifi-create=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/disable-wifi-create
After the settings have been set, run dconf update. |
Rationale | Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. |
Disable WIFI Network Notification in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
By default,
[org/gnome/nm-applet] suppress-wireless-networks-available=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/suppress-wireless-networks-available
After the settings have been set, run dconf update. |
Rationale | Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. |
Require Credential Prompting for Remote Access in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description |
By default,
[org/gnome/Vino] authentication-methods=['vnc']
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. |
Rationale | Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely. |
Require Encryption for Remote Access in GNOME3
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: CM-2(1)(b), 366 |
Description |
By default,
[org/gnome/Vino] require-encryption=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update. |
Rationale | Open X displays allow an attacker to capture keystrokes and to execute commands remotely. |
Disable GNOME3 Automounting
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount and autorun within GNOME3, add or set
[org/gnome/desktop/media-handling] automount=false automount-open=false autorun-never=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/automount /org/gnome/desktop/media-handling/auto-open /org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update. |
Rationale | Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. |
Disable All GNOME3 Thumbnailers
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, add or set
[org/gnome/desktop/thumbnailers] disable-all=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/thumbnailers/disable-all
After the settings have been set, run dconf update.
This effectively prevents an attacker from gaining access to a system through a flaw in GNOME3's Nautilus thumbnail creators. |
Rationale | An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required. |
Configure GNOME3 DConf User Profile
Rule ID | xccdf_org.ssgproject.content_rule_enable_dconf_user_profile |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | high |
Identifiers and References | |
Description |
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such, the DConf user profile should always exist and be configured correctly.
user-db:user
system-db:local
system-db:site
system-db:distro |
Rationale | Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks. |
Add nodev Option to Non-Root Local Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | The |
Rationale | The |
Add nodev Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | The only legitimate location for device files is the |
Add noexec Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. |
Add nosuid Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. |
Add nodev Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description |
The |
Rationale | The only legitimate location for device files is the |
Add noexec Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | Allowing users to execute binaries from world-writable directories
such as |
Add nosuid Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nodev Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | The only legitimate location for device files is the |
Add noexec Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | Allowing users to execute binaries from world-writable directories
such as |
Add nosuid Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Bind Mount /var/tmp To /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | The following /etc/fstab entry bind-mounts /var/tmp onto /tmp, so that both locations share one set of restrictive mount options:
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
See the mount(8) man page for further explanation of bind mounting. |
Rationale | Having multiple locations for temporary storage is not required. Unless absolutely
necessary to meet requirements, the storage location |
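The mount-option rules above (nodev, noexec and nosuid on /tmp, /dev/shm and /var/tmp) are easy to check from the live mount table rather than from /etc/fstab, which only says what was intended. The script below is an added example, not part of the SCAP content or the scap-security-guide project; it reads lines in /proc/mounts format from standard input so it can run on the constructed sample tables embedded in it, and treats a path that is not its own mount point as a finding, because such a path inherits the options of its parent filesystem (the assumption being that the three paths listed are the ones the site wants restricted).

```shell
#!/bin/sh
# Added example (not SSG content): report tmp-style mount points that lack
# nodev, noexec or nosuid. Reads lines in /proc/mounts format from stdin so it
# runs offline on constructed data; feed it /proc/mounts on a live system.
# Prints one finding per line and returns 1 if anything is missing.
check_tmp_mount_options() {
    awk '
    BEGIN {
        want["/tmp"] = 1; want["/dev/shm"] = 1; want["/var/tmp"] = 1
        split("nodev noexec nosuid", req, " ")
        bad = 0
    }
    # /proc/mounts fields: device mountpoint fstype options dump pass
    ($2 in want) {
        seen[$2] = 1
        for (k in have) delete have[k]
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) have[opts[i]] = 1
        missing = ""
        for (j = 1; j <= 3; j++)
            if (!(req[j] in have)) missing = missing (missing == "" ? "" : ",") req[j]
        if (missing != "") { print $2 " missing " missing; bad = 1 }
    }
    END {
        # a path that is not its own mount point inherits the options of its
        # parent filesystem (usually /), so it cannot carry these restrictions
        for (m in want) if (!(m in seen)) { print m " not a separate mount"; bad = 1 }
        exit bad
    }'
}

# Constructed sample tables (not captured from a real host).
SAMPLE_COMPLIANT='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

SAMPLE_DRIFTED='tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

printf '%s\n' "$SAMPLE_COMPLIANT" | check_tmp_mount_options && echo "sample 1: compliant"
printf '%s\n' "$SAMPLE_DRIFTED" | check_tmp_mount_options || echo "sample 2: non-compliant (expected)"
```

On a real host run `check_tmp_mount_options < /proc/mounts`. Checking the live table matters because an fstab line that is never applied (a typo, or a mount that failed at boot) passes a file-based check while the filesystem stays unrestricted.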
Disable Modprobe Loading of USB Storage Driver
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually. |
Rationale | USB storage devices such as thumb drives can be used to introduce malicious software. |
Disable Kernel Support for USB via Bootloader Configuration
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_nousb_argument |
Result | fail |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | All USB support can be disabled by adding the nousb argument to the kernel line of the bootloader configuration, for example:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
WARNING: Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common. |
Rationale | Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems. |
Disable Booting from USB Devices in Boot Firmware
Rule ID | xccdf_org.ssgproject.content_rule_bios_disable_usb_boot |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives. |
Rationale | Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS. |
Assign Password to Prevent Changes to Boot Firmware Configuration
Rule ID | xccdf_org.ssgproject.content_rule_bios_assign_password |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | Assign a password to the system boot firmware (historically called BIOS on PC systems) to require a password for any configuration changes. |
Rationale | Assigning a password to the system boot firmware prevents anyone with physical access from configuring the system to boot from local media and circumvent the operating system's access controls. For systems in physically secure locations, such as a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed against the risk of administrative personnel being unable to conduct recovery operations in a timely fashion. |
Disable the Automounter
Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | |
Description | The automounter can be disabled with the following command:
$ sudo systemctl disable autofs.service |
Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through |
Disable Mounting of cramfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of freevxfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of jffs2
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of hfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install hfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of hfsplus
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of squashfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
Disable Mounting of udf
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install udf /bin/true
This effectively prevents usage of this uncommon filesystem. |
Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
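The usb-storage rule and the seven filesystem-module rules above all reduce to the same check: does some file under /etc/modprobe.d carry an `install <module> /bin/true` line? The script below is an added example, not SSG's own check, and it encodes two details that a naive `grep` misses: modprobe reads only `*.conf` files in that directory, and it treats `-` and `_` in module names as interchangeable, so `install usb_storage /bin/true` satisfies the usb-storage rule. The directory is a parameter so the script exercises a constructed stand-in for /etc/modprobe.d (an assumption, not a capture from any host).

```shell
#!/bin/sh
# Added example (not SSG content): check that modprobe is configured to refuse
# a module, i.e. that some *.conf file in the given directory carries
# "install <module> /bin/true". The directory is a parameter so the check can
# run against a constructed tree; use /etc/modprobe.d on a live host.
module_load_disabled() {
    dir=$1; mod=$2
    # modprobe treats '-' and '_' in module names as interchangeable
    pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
    grep -hsE "^[[:space:]]*install[[:space:]]+${pat}[[:space:]]+/bin/(true|false)([[:space:]]|$)" \
        "$dir"/*.conf >/dev/null 2>&1
}

# List every module given on the command line that is still loadable.
audit_modules() {
    dir=$1; shift
    rc=0
    for m in "$@"; do
        if module_load_disabled "$dir" "$m"; then
            echo "$m: disabled"
        else
            echo "$m: NOT disabled"
            rc=1
        fi
    done
    return $rc
}

# Constructed stand-in for /etc/modprobe.d (not copied from a real system).
make_sample_modprobe_dir() {
    d=$(mktemp -d)
    printf 'install cramfs /bin/true\ninstall freevxfs /bin/true\n' > "$d/filesystems.conf"
    printf 'install usb_storage /bin/true\n' > "$d/usb.conf"          # underscore spelling
    printf 'install udf /bin/true\n' > "$d/README.txt"                # ignored: not *.conf
    printf '# install jffs2 /bin/true\n' > "$d/disabled.conf"         # commented out
    echo "$d"
}

d=$(make_sample_modprobe_dir)
audit_modules "$d" usb-storage cramfs freevxfs jffs2 hfs hfsplus squashfs udf \
    || echo "some modules remain loadable (expected for the sample)"
rm -rf "$d"
```

As the usb-storage description notes, an `install` line only governs modprobe; `insmod` ignores it, and a module already loaded stays loaded until it is removed or the system reboots, so pair this file check with `lsmod` on a live host.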
Verify User Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_userowner_shadow_file |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c |
Description | To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow |
Rationale | The |
Verify Group Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_groupowner_shadow_file |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c |
Description | To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow |
Rationale | The |
Verify User Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | |
Description | To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group |
Rationale | The |
Verify Group Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c |
Description | To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group |
Rationale | The |
Verify User Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow |
Rationale | The |
Verify Group Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow |
Rationale | The |
Verify User Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c |
Description | To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd |
Rationale | The |
Verify Group Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
Result | notselected |
Time | 2017-03-14T13:47:48 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx, Req-8.7.c |
Description | To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd |
Rationale | The |
Verify that Shared Library Files Have Root Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_library_dirs |
Result | fail |
Time | 2017-03-14T13:48:35 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib /lib64 /usr/lib /usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE |
Rationale | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. |
Verify that System Executables Have Root Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-6, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE |
Rationale | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
Verify that All World-Writable Directories Have Sticky Bits Set
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
$ sudo chmod +t DIR |
Rationale |
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
|
Ensure All Files Are Owned by a User
Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-6, CM-6(b), 366, SRG-OS-000480-GPOS-00227, 020360 |
Description | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. |
Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. |
Ensure All World-Writable Directories Are Owned by a System Account
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: AC-6 |
Description | All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate owner. |
Rationale | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. |
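The ownership and directory-permission rules above (root-owned libraries and executables, sticky bits on world-writable directories, unowned files, user-owned world-writable directories) are all one `find` expression each. The functions below are an added example rather than the benchmark's own OVAL checks; each takes a root to scan so the script can demonstrate itself on a constructed directory tree, and the UID 1000 boundary for "ordinary user" is Fedora's default UID_MIN, assumed here rather than read from login.defs.

```shell
#!/bin/sh
# Added example (not SSG content): find-based checks for the directory and
# ownership rules above. Each takes a root to scan (default /) so the checks
# can be exercised on a constructed tree; -xdev keeps them on the local
# filesystem as the rules intend.

# World-writable directories without the sticky bit.
ww_dirs_without_sticky() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# World-writable directories owned by an ordinary user. UID 1000 is Fedora's
# default UID_MIN; adjust if login.defs differs (assumption).
ww_dirs_user_owned() {
    find "${1:-/}" -xdev -type d -perm -0002 -uid +999 2>/dev/null
}

# Files with no matching passwd or group entry.
unowned_files() {
    find "${1:-/}" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# Anything under the library and executable directories not owned by root.
non_root_system_files() {
    for d in /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin \
             /lib /lib64 /usr/lib /usr/lib64 /lib/modules; do
        [ -d "$d" ] && find "$d" -xdev ! -user root 2>/dev/null
    done
    return 0
}

# Constructed tree for demonstration (not a real filesystem).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/public_ok" "$t/public_bad" "$t/private"
    chmod 1777 "$t/public_ok"    # world-writable with sticky bit: compliant
    chmod 0777 "$t/public_bad"   # world-writable without it: violation
    chmod 0755 "$t/private"
    echo "$t"
}

t=$(make_sample_tree)
echo "world-writable without sticky bit:"; ww_dirs_without_sticky "$t"
chmod +t "$t/public_bad"                      # the fix the rule prescribes
echo "after chmod +t:"; ww_dirs_without_sticky "$t"
rm -rf "$t"
```

Run `non_root_system_files` and `unowned_files` as root on a live host; as the page says for unowned files, investigate before reassigning, since a package that installs with a private user and then gets removed leaves exactly this signature.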
Set Daemon Umask
Rule ID | xccdf_org.ssgproject.content_rule_umask_for_daemons |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: AC-6 |
Description | The file that provides startup defaults for daemons should set their umask with the line:
umask 022
Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. |
Rationale | The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions. |
Disable Core Dumps for All Users
Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: SC-5 |
Description | To disable core dumps for all users, add the following line to /etc/security/limits.conf (or to a file in /etc/security/limits.d):
* hard core 0 |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Disable Core Dumps for SUID programs
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: SI-11 |
Description | To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0 |
Rationale | The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. |
Enable ExecShield
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | By default on Fedora 64-bit systems, ExecShield
is enabled and can only be disabled if the hardware does not support ExecShield
or is disabled in |
Rationale | ExecShield uses the segmentation feature of 32-bit x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. On x86-64 hardware the same protection comes from the NX/XD page-table bit rather than from segment limits. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. |
Enable Randomized Layout of Virtual Address Space
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: SC-30(2) |
Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2 |
Rationale | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
Install PAE Kernel on Supported 32-bit x86 Systems
Rule ID | xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32 |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: CM-6(b) |
Description | Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support:
$ sudo dnf install kernel-PAE
The installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/default/grub if necessary. |
Rationale | On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support. |
Warnings | warning
The kernel-PAE package should not be
installed on older systems that do not support the XD or NX bit, as
this may prevent them from booting. |
Enable NX or XD Support in the BIOS
Rule ID | xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: CM-6(b) |
Description | Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. |
Rationale | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. |
Restrict Access to Kernel Message Buffer
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.dmesg_restrict = 1 |
Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel address information. |
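The three sysctl rules above (fs.suid_dumpable, kernel.randomize_va_space, kernel.dmesg_restrict) share a pitfall that a "does the line exist" check misses: sysctl applies assignments in order, so a later line for the same key in /etc/sysctl.conf, or in a file processed after it, silently overrides the hardened value. The filter below is an added example, not the benchmark's own OVAL check; it reads `key = value` lines in the format shared by `sysctl -a` output and sysctl.conf files, keeps the last assignment of each key, and compares against the page's three required values (the constructed sample file is not from any real host).

```shell
#!/bin/sh
# Added example (not SSG content): compare sysctl settings against the values
# the rules above require.
REQUIRED_SYSCTLS='fs.suid_dumpable=0
kernel.randomize_va_space=2
kernel.dmesg_restrict=1'

# Reads "key = value" lines on stdin (the format of `sysctl -a` and of
# sysctl.conf files). For config files the LAST assignment of a key is the
# one that takes effect, so that is the value kept. Prints one line per key
# and exits 1 if any required value is missing or wrong.
check_sysctl_values() {
    awk -v req="$REQUIRED_SYSCTLS" '
    BEGIN {
        n = split(req, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, "="); want[kv[1]] = kv[2] }
    }
    /^[[:space:]]*[#;]/ || NF == 0 { next }      # sysctl.conf comment or blank
    {
        if (split($0, kv, "=") < 2) next
        key = kv[1]; val = kv[2]
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        gsub(/\//, ".", key)                    # net/ipv4/... is accepted too
        have[key] = val                         # later lines override earlier
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in have))          { print k ": not set (kernel default applies)"; bad = 1 }
            else if (have[k] != want[k]) { print k ": is " have[k] ", want " want[k]; bad = 1 }
            else                         print k ": ok"
        }
        exit bad
    }'
}

# Constructed sample file (not a real sysctl.conf).
SAMPLE_SYSCTL_CONF='# site hardening
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
kernel.dmesg_restrict = 1
# appended later by someone debugging a setuid crash; this line wins:
fs.suid_dumpable = 2'

printf '%s\n' "$SAMPLE_SYSCTL_CONF" | check_sysctl_values \
    || echo "drift detected (expected for the sample)"
```

On a live host check both the running kernel (`sysctl -a 2>/dev/null | check_sysctl_values`) and the persisted configuration, concatenating the files in the order `sysctl --system` applies them (see sysctl(8); /etc/sysctl.conf is read last), since a correct runtime value that is not persisted reverts at the next boot.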
Ensure SELinux Not Disabled in /etc/default/grub
Rule ID | xccdf_org.ssgproject.content_rule_enable_selinux_bootloader |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | SELinux can be disabled at boot time by an argument in
|
Rationale | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. |
Ensure SELinux State is Enforcing
Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-3, AC-3(3), AC-4, AC-6, AU-9, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The SELinux state should be set to enforcing in /etc/selinux/config:
SELINUX=enforcing |
Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. |
Configure SELinux Policy
Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: AC-3, AC-3(3), AC-4, AC-6, AU-9, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The SELinux policy type should be set in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. |
Rationale |
Setting the SELinux policy to |
Uninstall setroubleshoot Package
Rule ID | xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | identifiers: CCE- |
Description | The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot package can be removed with the following command:
$ sudo dnf erase setroubleshoot |
Rationale | The SETroubleshoot service is an unnecessary daemon to have running on a server |
Uninstall mcstrans Package
Rule ID | xccdf_org.ssgproject.content_rule_package_mcstrans_removed |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | identifiers: CCE- |
Description | The mcstrans package can be removed with the following command:
$ sudo dnf erase mcstrans |
Rationale | Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that Red Hat does not feel this rule is security relevant. |
Ensure No Daemons are Unconfined by SELinux
Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context. To check for daemons unconfined by SELinux, run the following command:
$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system. |
Rationale |
Daemons which run with the |
Ensure No Device Files are Unknown to SELinux
Rule ID | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type |
Rationale |
If a device file carries the SELinux type |
Direct root Logins Not Allowed
Rule ID | xccdf_org.ssgproject.content_rule_no_direct_root_logins |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-2(1) |
Description | To further limit access to the root account, empty the /etc/securetty file so that pam_securetty permits direct root login on no console:
echo > /etc/securetty
Empty the file rather than deleting it: pam_securetty allows root logins from any terminal when the file does not exist. |
Rationale | Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This scenario is nowadays required by security standards. |
Virtual Console Root Logins Restricted
Rule ID | xccdf_org.ssgproject.content_rule_securetty_root_login_console_only |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4 |
Rationale | Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. |
Serial Port Root Logins Restricted
Rule ID | xccdf_org.ssgproject.content_rule_restrict_serial_port_logins |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1 |
Rationale | Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account. |
Web Browser Use for Administrative Accounts Restricted
Rule ID | xccdf_org.ssgproject.content_rule_no_root_webbrowsing |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | Enforce policy requiring administrative accounts use web browsers only for local service administration. |
Rationale | If a browser vulnerability is exploited while running with administrative privileges, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy. |
System Accounts Do Not Run a Shell Upon Login
Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
Some accounts are not associated with a human user of the system, and exist to
perform some administrative function. Should an attacker be able to log into
these accounts, they should not be granted access to a shell.
# usermod -s /sbin/nologin SYSACCT |
Rationale | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. |
Warnings | warning
Do not perform the steps in this section on the root account. Doing so might
cause the system to become inaccessible.
|
Only Root Has UID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. |
Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
Root Path Is Vendor Default
Rule ID | xccdf_org.ssgproject.content_rule_root_path_default |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | Assuming root's shell is bash, edit the following files:
~/.profile
~/.bashrc
Change any PATH variables to the vendor default for root and remove any empty PATH entries or references to relative paths. |
Rationale | The root account's executable search path must be the vendor default, and must contain only absolute paths. |
Log In to Accounts With Empty Password Impossible
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | high |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(a) |
Description | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the |
Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
Password Hashes For Each Account Shadowed
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
If any password hashes are stored in |
Rationale |
The hashes for all user account passwords should be stored in
the file |
All GIDs referenced in /etc/passwd Defined in /etc/group
Rule ID | xccdf_org.ssgproject.content_rule_gid_passwd_group_same |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: 366 |
Description | Add a group to the system for each GID referenced without a corresponding group. |
Rationale |
Inconsistency in GIDs between |
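The account-database rules above (system accounts without a login shell, only root at UID 0, no empty passwords, all hashes shadowed, every passwd GID defined in group) can be audited together in one pass over the three files. The script below is an added example, not the benchmark's own check. It takes the three file paths as arguments so it runs against the constructed passwd/shadow/group triple embedded in it (invented accounts, not data from any host); the UID 1000 boundary for "system account" is Fedora's default UID_MIN, and the shells treated as non-interactive (nologin, /bin/false, and the shutdown, halt and sync helpers Fedora assigns to its own accounts) are assumptions you may need to adjust.

```shell
#!/bin/sh
# Added example (not SSG content): audit passwd/shadow/group against the
# account rules above. Takes file paths so constructed copies can be tested;
# run as root with /etc/passwd /etc/shadow /etc/group on a live system.
# Prints one finding per line; exits 1 if anything was found.
audit_accounts() {
    passwd=$1; shadow=$2; group=$3
    awk -F: -v shadow="$shadow" -v group="$group" '
    BEGIN {
        bad = 0
        while ((getline line < group) > 0) { split(line, g, ":"); gids[g[3]] = 1 }
        close(group)
        # shadow fields: name:hash:... ; an empty hash field means no password at all
        while ((getline line < shadow) > 0) {
            split(line, s, ":")
            if (s[2] == "") { print "EMPTY PASSWORD: " s[1]; bad = 1 }
        }
        close(shadow)
    }
    # passwd fields: name:pw:uid:gid:gecos:home:shell
    $3 == 0 && $1 != "root" { print "UID 0 NOT ROOT: " $1; bad = 1 }
    $2 != "x"               { print "HASH NOT SHADOWED: " $1; bad = 1 }
    !($4 in gids)           { print "GID UNDEFINED: " $1 " gid " $4; bad = 1 }
    # UID_MIN 1000 (Fedora default) and the accepted non-login shells are assumptions
    $3 < 1000 && $1 != "root" && \
    $7 !~ "(nologin|/bin/false|/sbin/shutdown|/sbin/halt|/bin/sync)$" {
        print "SYSTEM ACCOUNT WITH SHELL: " $1 " " $7; bad = 1
    }
    END { exit bad }' "$passwd"
}

# Constructed sample database (invented accounts, not from a real host).
make_sample_accounts() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
backup:x:0:0:second uid 0:/root:/bin/bash
svc:x:200:200:service:/var/lib/svc:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:$6$legacy$hash:1001:1001::/home/bob:/bin/bash
carol:x:1002:5000::/home/carol:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$salt$hash:17000:0:99999:7:::
bin:*:17000:0:99999:7:::
sync:*:17000:0:99999:7:::
backup:$6$salt$hash:17000:0:99999:7:::
svc:!!:17000:0:99999:7:::
alice:$6$salt$hash:17000:0:99999:7:::
bob::17000:0:99999:7:::
carol:$6$salt$hash:17000:0:99999:7:::
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
bin:x:1:
svc:x:200:
alice:x:1000:
bob:x:1001:
EOF
    echo "$d"
}

d=$(make_sample_accounts)
audit_accounts "$d/passwd" "$d/shadow" "$d/group" || echo "findings above are expected for the sample"
rm -rf "$d"
```

Note that a locked account (hash `!!` or `*`) still gets flagged for carrying a shell: the rule is about what an attacker gains after authenticating by some other route, such as a key in the account's authorized_keys, so the lock alone is not a substitute for `usermod -s /sbin/nologin`.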
netrc Files Do Not Exist
Rule ID | xccdf_org.ssgproject.content_rule_no_netrc_files |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The |
Rationale |
Unencrypted passwords for remote FTP servers may be stored in |
Password Minimum Length
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-5(f), IA-5(1)(a), 205 |
Description | To specify password length requirements for new accounts, edit the file /etc/login.defs and locate the line:
PASS_MIN_LEN LENGTH
Correct it to have the form:
PASS_MIN_LEN 12
Values currently recommended by security baselines range from 12 (FISMA) to 14 (DoD) characters. If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See the PAM section for more information about enforcing password quality requirements. |
Rationale | Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. |
Password Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-5(f), IA-5(1)(d), 198 |
Description | To specify the password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line, substituting DAYS appropriately: PASS_MIN_DAYS DAYS, so that for this profile it reads PASS_MIN_DAYS 7. A value greater than 1 day is considered sufficient for many environments. This setting only applies to accounts created afterwards; existing accounts keep their current aging values until changed with chage. |
Rationale | Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
Remediation Shell script | not expanded in this report |
Password Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-5(f), IA-5(g), IA-5(1)(d), 180, 199 |
Description | To specify the password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line, substituting DAYS appropriately: PASS_MAX_DAYS DAYS, so that for this profile it reads PASS_MAX_DAYS 90. A value less than 180 days is sufficient for many environments. As with the minimum age, this only affects accounts created afterwards; existing accounts are adjusted with chage. |
Rationale | Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
Remediation Shell script | not expanded in this report |
Password Warning Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(f) |
Description | To specify how many days prior to password expiration a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line, substituting DAYS appropriately: PASS_WARN_AGE DAYS, so that it reads PASS_WARN_AGE 7. A value of 7 days is the common standard. |
Rationale | Setting the password warning age enables users to make the change at a practical time. |
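The four login.defs rules above share one pattern: a KEY VALUE line that must exist, be numeric, and fall inside a bound. The checker and remediation below are an added example, not part of the scap-security-guide content; they operate on the file text so the example runs without root, and the sample file is constructed here rather than copied from a host. The bounds are taken from the rule descriptions above (PASS_MIN_LEN 12, PASS_MIN_DAYS 7, PASS_MAX_DAYS 90, PASS_WARN_AGE 7); treating the last of any duplicated key as the effective one is this checker's own assumption.

```python
import re

# Bounds taken from the login.defs rules on this page.  "min" means the
# configured value must be at least the bound, "max" that it must be at most.
LOGIN_DEFS_POLICY = {
    "PAS_MIN_LEN".replace("PAS_", "PASS_"): ("min", 12),
    "PASS_MIN_DAYS": ("min", 7),
    "PASS_MAX_DAYS": ("max", 90),
    "PASS_WARN_AGE": ("min", 7),
}

_ASSIGN = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)\s+(\S+)\s*$")


def parse_login_defs(text):
    """Map KEY -> value for every uncommented 'KEY VALUE' line.

    Assumption made by this checker: if a key is repeated, the last
    occurrence wins (the file should not contain duplicates anyway)."""
    values = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_login_defs(text, policy=LOGIN_DEFS_POLICY):
    """Return (key, configured_value, finding) for each policy key that is
    missing, non-numeric, or outside its bound.  Empty list == compliant."""
    values = parse_login_defs(text)
    findings = []
    for key, (kind, bound) in policy.items():
        raw = values.get(key)
        if raw is None:
            findings.append((key, None, "missing"))
            continue
        try:
            n = int(raw)
        except ValueError:
            findings.append((key, raw, "not an integer"))
            continue
        if kind == "min" and n < bound:
            findings.append((key, n, "below minimum %d" % bound))
        elif kind == "max" and n > bound:
            findings.append((key, n, "above maximum %d" % bound))
    return findings


def set_login_def(text, key, value):
    """Return the file text with KEY set to VALUE, idempotently: the first
    existing assignment is rewritten in place, later duplicates are dropped,
    and the line is appended if the key was absent."""
    out, done = [], False
    for line in text.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])
        if m and m.group(1) == key:
            if not done:
                out.append("%s\t%s" % (key, value))
                done = True
            continue
        out.append(line)
    if not done:
        out.append("%s\t%s" % (key, value))
    return "\n".join(out) + "\n"


def remediate_login_defs(text, policy=LOGIN_DEFS_POLICY):
    """Apply every policy bound as the configured value."""
    for key, (_, bound) in policy.items():
        text = set_login_def(text, key, bound)
    return text


# Constructed sample resembling a stock Fedora file; not taken from any real host.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls:
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7

ENCRYPT_METHOD SHA512
"""

if __name__ == "__main__":
    for key, value, why in check_login_defs(SAMPLE_LOGIN_DEFS):
        print("FAIL %s=%s: %s" % (key, value, why))
    print(remediate_login_defs(SAMPLE_LOGIN_DEFS))
```

Two caveats the page states only in passing apply here: login.defs values are read when an account is created, so accounts that already exist must be updated with chage -m, -M and -W, and a pam_pwquality minlen is enforced independently, so the stricter of the two length settings is what users actually experience.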
Set Account Expiration Following Inactivity
Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | identifiers: CCE-TBD |
Description | To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd, substituting NUM_DAYS appropriately: INACTIVE=NUM_DAYS. A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. The setting applies to accounts created afterwards; existing accounts are adjusted with chage -I. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
|
Rationale | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
Ensure All Accounts on the System Have Unique Names
Assign Expiration Date to Temporary Accounts
Rule ID | xccdf_org.ssgproject.content_rule_account_temp_expire_date |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | identifiers: CCE-27498-5 |
Description |
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately: $ sudo chage -E YYYY-MM-DD USER, where YYYY-MM-DD is the documented expiration date for the account. Note that chage works at day granularity, so choose the date accordingly. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
|
Rationale |
If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
Set Password Retry Prompts Permitted Per-Session
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(c), http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | To configure the number of retry prompts that are permitted per-session, set the retry option on the pam_pwquality.so line in /etc/pam.d/system-auth to a low value (3 is the value commonly used, or lower if site policy is more restrictive). |
Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. |
Set Password to Maximum of Three Consecutive Repeating Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | The pam_pwquality module's maxrepeat parameter, set in /etc/security/pwquality.conf, limits the number of consecutive identical characters allowed in a new password; set it to 3 to match this rule. A value of 0 disables the check. |
Rationale | Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | identifiers: CCE- |
Description | The pam_pwquality module's maxclassrepeat parameter, set in /etc/security/pwquality.conf, limits the number of consecutive characters of the same class (digits, upper-case, lower-case, other) allowed in a new password. A value of 0 disables the check. |
Rationale | Passwords with excessive repeating characters from the same character class may be more vulnerable to password-guessing attacks. |
Set Password Strength Minimum Digit Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(b), IA-5(c), 194, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The pam_pwquality module's dcredit parameter, set in /etc/security/pwquality.conf, controls requirements for usage of digits in a password. A negative value is the minimum number of digits required; a positive value is the maximum credit that digits can earn toward the minlen length requirement. |
Rationale | Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. |
Set Password Minimum Length
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(1)(a), 205, 78 |
Description | The pam_pwquality module's minlen parameter, set in /etc/security/pwquality.conf, is the minimum acceptable length of a new password after any credit for character classes has been applied. |
Rationale | Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
Set Password Strength Minimum Uppercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(a), http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The pam_pwquality module's ucredit parameter, set in /etc/security/pwquality.conf, controls requirements for usage of upper-case letters in a password. A negative value is the minimum number of upper-case letters required; a positive value is the maximum credit they can earn toward minlen. |
Rationale | Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
Set Password Strength Minimum Special Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(a), http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The pam_pwquality module's ocredit parameter, set in /etc/security/pwquality.conf, controls requirements for usage of special characters (anything that is not a letter or digit) in a password. A negative value is the minimum number required; a positive value is the maximum credit they can earn toward minlen. |
Rationale | Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. |
Set Password Strength Minimum Lowercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(a), http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The pam_pwquality module's lcredit parameter, set in /etc/security/pwquality.conf, controls requirements for usage of lower-case letters in a password. A negative value is the minimum number of lower-case letters required; a positive value is the maximum credit they can earn toward minlen. |
Rationale | Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
Set Password Strength Minimum Different Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(b), http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | The pam_pwquality module's difok parameter, set in /etc/security/pwquality.conf, is the minimum number of characters by which a new password must differ from the old one. |
Rationale | Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. |
Set Password Strength Minimum Different Categories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | The pam_pwquality module's minclass parameter controls the number of different character classes that must be present in a password before it is considered valid. For example, setting this value to three (3) requires that any password must contain characters from at least three different categories in order to be approved. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf to require 3 differing categories of characters when changing passwords. The minimum requirement is 3.
|
Rationale | Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. |
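The credit options above are easy to misread: a negative dcredit is a minimum count, a positive one shortens the length a user must type. The function below is an added example, not scap-security-guide or libpwquality code, that evaluates a candidate password against minlen, the four credits, minclass, maxrepeat, maxclassrepeat and difok the way pwquality.conf describes them. It is a model: difok is treated as an edit distance (libpwquality's similarity check, to the editor's knowledge), the "plus one if credits are enabled" quirk documented in pwquality.conf is not reproduced, and the policy values are a constructed sample, so confirm behaviour against the installed library with pwscore before relying on it.

```python
# Model of the pam_pwquality checks named on this page.  Added example; confirm
# against the installed libpwquality with pwscore(1).

def _char_class(c):
    """Map a character to the pwquality option that governs its class."""
    if c.isdigit():
        return "dcredit"
    if c.isupper():
        return "ucredit"
    if c.islower():
        return "lcredit"
    return "ocredit"


def _longest_run(seq):
    """Length of the longest run of consecutive equal elements."""
    best = run = 0
    prev = object()
    for x in seq:
        run = run + 1 if x == prev else 1
        prev = x
        best = max(best, run)
    return best


def _edit_distance(a, b):
    """Levenshtein distance, the measure this model uses for difok
    (assumption about libpwquality's similarity check; verify for your version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def pwquality_check(new, old, conf):
    """Return the list of failed checks, each prefixed with the option name.
    conf holds integers with pwquality.conf meanings: a credit >= 0 is the
    maximum credit that class may earn toward minlen, a credit < 0 is the
    minimum count of that class.  An empty list means the password passes."""
    failures = []
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for c in new:
        counts[_char_class(c)] += 1

    needed = conf["minlen"]
    for opt, n in counts.items():
        credit = conf.get(opt, 0)
        if credit >= 0:
            needed -= min(n, credit)          # each such character counts extra
        elif n < -credit:
            failures.append("%s: needs %d, has %d" % (opt, -credit, n))
    if len(new) < needed:
        failures.append("minlen: %d characters, %d required after credits" % (len(new), needed))

    classes = sum(1 for n in counts.values() if n)
    if conf.get("minclass", 0) and classes < conf["minclass"]:
        failures.append("minclass: %d classes, %d required" % (classes, conf["minclass"]))
    if conf.get("maxrepeat", 0) and _longest_run(new) > conf["maxrepeat"]:
        failures.append("maxrepeat: a character repeats %d times" % _longest_run(new))
    class_run = _longest_run([_char_class(c) for c in new])
    if conf.get("maxclassrepeat", 0) and class_run > conf["maxclassrepeat"]:
        failures.append("maxclassrepeat: %d consecutive characters of one class" % class_run)
    if old is not None and conf.get("difok", 0) and len(new) < 2 * len(old) \
            and _edit_distance(old, new) < conf["difok"]:
        failures.append("difok: too similar to the previous password")
    return failures


# Constructed policy in the spirit of this page's rules: 12 characters, at
# least one of each class (negative credits), three classes, no more than 3
# identical characters in a row and no more than 4 of one class in a row.
SAMPLE_CONF = dict(minlen=12, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1,
                   minclass=3, maxrepeat=3, maxclassrepeat=4, difok=8)

if __name__ == "__main__":
    for pw, old in [("Tr0ub4dor&3", None), ("Xk9#pLm2$qRt7w", "Tr0ub4dor&3"),
                    ("Ab1!aaaaXy2@", None), ("Su3mer.2018!", "Su3mer.2017!")]:
        print(repr(pw), pwquality_check(pw, old, SAMPLE_CONF) or "OK")
```

The positive-credit case is the one worth trying with your own policy: with minlen=10 and dcredit=2, an eight-character password containing two digits is accepted, which is why the profile's rules use negative credits.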
Set Deny For Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-7(a), http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description |
To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, add pam_faillock.so entries to the auth section of /etc/pam.d/system-auth and /etc/pam.d/password-auth with the deny option set to the permitted number of failures. Per pam_faillock(8), the module must be listed both before pam_unix.so (preauth) and after it (authfail) for failures to be tallied. On Fedora releases of this vintage, authconfig regenerates these files, so manual edits can be overwritten.
|
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. |
Set Lockout Time For Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, set the unlock_time option on the pam_faillock.so entries to never; the tally is then cleared only by an administrator running faillock --reset for the user.
|
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. |
Set Interval For Counting Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
Utilizing pam_faillock.so, the fail_interval option sets the length of the interval, in seconds, within which the consecutive failures counted against deny must occur for the account to be locked.
|
Rationale | Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks. |
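The three faillock rules above interact, and it is worth seeing how before choosing values: deny sets the count, fail_interval the window in which the failures must cluster, and unlock_time how long the lock lasts. The simulation below is an added example, not pam_faillock code. It assumes pam_faillock's documented semantics as follows: failures are counted when they fall within fail_interval seconds of the most recent failure, the lock lasts unlock_time seconds from that failure, None stands for unlock_time=never, and a successful login clears the tally. The events are constructed; compare the model against a real tally with faillock --user USER before drawing conclusions.

```python
# Model of pam_faillock's tally rules (assumptions stated in the lead-in).
# Added example; not the module's own code.

def faillock_status(events, now, deny, fail_interval, unlock_time):
    """events: iterable of (timestamp, user, success) in chronological order.
    Returns {user: {"failures": n, "locked": bool, "unlock_at": ts or None}}
    for every user seen at or before `now`."""
    tallies = {}
    for ts, user, success in events:
        if ts > now:
            continue
        if success:
            tallies[user] = []                 # a successful login resets the tally
        else:
            tallies.setdefault(user, []).append(ts)

    status = {}
    for user, fails in tallies.items():
        if not fails:
            status[user] = {"failures": 0, "locked": False, "unlock_at": None}
            continue
        latest = fails[-1]
        failures = sum(1 for t in fails if latest - t <= fail_interval)
        locked = failures >= deny
        unlock_at = None
        if locked and unlock_time is not None:
            unlock_at = latest + unlock_time
            locked = now < unlock_at           # lock expires on its own
        status[user] = {"failures": failures, "locked": locked, "unlock_at": unlock_at}
    return status


# Constructed authentication events (seconds since an arbitrary epoch).
SAMPLE_EVENTS = [
    (0, "bob", False),
    (50, "carol", False),
    (60, "carol", False),
    (70, "carol", True),       # success: carol's tally is reset
    (90, "carol", False),
    (100, "alice", False),
    (130, "alice", False),
    (160, "alice", False),     # third failure inside the interval: locked
    (3600, "bob", False),
    (7200, "bob", False),      # bob's failures are spread out and never reach deny
]

if __name__ == "__main__":
    for now in (200, 800):
        print(now, faillock_status(SAMPLE_EVENTS, now, deny=3, fail_interval=900, unlock_time=600))
```

Note what bob's row shows: three failures that are each more than fail_interval apart never lock the account, so a slow guessing attack needs the detection side (audit, log review) and not only this control. With unlock_time=never, alice stays locked at any later time until an administrator resets the tally.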
Limit Password Reuse
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-5(f), IA-5(1)(e), http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description | Do not allow users to reuse recent passwords. This can be accomplished by using the remember option of the pam_unix module in the password section of /etc/pam.d/system-auth, set to the number of previous passwords to retain; pam_unix records the old hashes in /etc/security/opasswd.
|
Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
Set Password Hashing Algorithm in /etc/pam.d/system-auth
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description |
In /etc/pam.d/system-auth, the password section of the PAM configuration should contain the sha512 argument on the pam_unix.so line: password sufficient pam_unix.so sha512 other arguments... This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
Rationale | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
Set Password Hashing Algorithm in /etc/login.defs
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description |
In /etc/login.defs, add or correct the following line: ENCRYPT_METHOD SHA512 |
Rationale | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
Set Password Hashing Algorithm in /etc/libuser.conf
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: IA-5(b), IA-5(c), IA-5(1)(c), IA-7, http://iase.disa.mil/stigs/cci/Pages/index.aspx |
Description |
In /etc/libuser.conf, add or correct the following line in its [defaults] section: crypt_style = sha512 |
Rationale | Using a stronger hashing algorithm makes password cracking attacks more difficult. |
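The three hashing-algorithm rules above only govern how new passwords are hashed; hashes already in /etc/shadow keep whatever algorithm produced them. The audit below is an added example, not scap-security-guide code: it classifies each shadow entry by its crypt(3) prefix and lists the accounts that must be rotated. The shadow excerpt is constructed with dummy hash bodies and contains no real credentials.

```python
import re

# crypt(3) prefixes and the algorithm each denotes.
HASH_PREFIXES = (
    ("$6$", "sha512"), ("$y$", "yescrypt"), ("$5$", "sha256"),
    ("$1$", "md5"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"), ("$7$", "scrypt"),
)
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional 13-character DES hash


def classify_hash(field):
    """Name the scheme behind one /etc/shadow password field."""
    if field == "":
        return "empty"            # no password needed to log in
    if field.startswith("*"):
        return "no-login"         # system account, password login disabled
    if field.startswith("!"):
        return "locked"           # '!!' never set, '!<hash>' locked with passwd -l
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    if _DES_RE.match(field):
        return "des"
    return "unknown"


def parse_shadow(text):
    """user -> password field, skipping comments and malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def audit_shadow(text, acceptable=("sha512", "yescrypt", "locked", "no-login")):
    """Sorted (user, scheme) for accounts whose hash is not acceptable and
    therefore must be rotated; ENCRYPT_METHOD only affects future changes."""
    return sorted((user, classify_hash(field))
                  for user, field in parse_shadow(text).items()
                  if classify_hash(field) not in acceptable)


# Constructed /etc/shadow excerpt with dummy hash bodies; not real credentials.
SAMPLE_SHADOW = "\n".join([
    "root:$6$saltsalt$" + "A" * 86 + ":17239:0:99999:7:::",
    "alice:$1$abcdefgh$" + "B" * 22 + ":17000:0:99999:7:::",
    "bob:$5$saltsalt$" + "C" * 43 + ":17100:0:99999:7:::",
    "legacy:ab/dEfGhIjKl.:16000:0:99999:7:::",
    "svc:!!:17239:0:99999:7:::",
    "nobody:*:17239:0:99999:7:::",
    "oops::17239:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %-8s -> force a change with: chage -d 0 %s" % (user, scheme, user))
```

An empty password field deserves a separate alarm rather than a rotation ticket: it means the account logs in with no password at all. For the rest, chage -d 0 USER forces a change at next login, after which the new hash follows the configured ENCRYPT_METHOD.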
Set Last Logon/Access Notification
Rule ID | xccdf_org.ssgproject.content_rule_display_login_attempts |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: 53 |
Description | To configure the system to notify users of last logon/access using pam_lastlog, add the following lines to the session section of the PAM stack (on Fedora, /etc/pam.d/postlogin):
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed |
Rationale | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. |
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Rule ID | xccdf_org.ssgproject.content_rule_root_path_no_dot |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
Ensure that none of the directories in root's path is equal to a single . character, and that it contains no entries that lead to relative path traversal, such as PATH=:/bin, PATH=/bin: or PATH=/bin::/sbin. These empty elements have the same effect as a single . character.
|
Rationale | Including these entries increases the risk that root could execute code from an untrusted location. |
Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | For each element in root's path, run: $ sudo ls -ld DIRand ensure that write permissions are disabled for group and other. |
Rationale | Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code. |
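The two root-PATH rules above are a single walk over PATH's elements. The checker below is an added example, not scap-security-guide code: it flags empty and "." elements, relative entries, missing directories, and directories writable by group or others. The PATH string and directory modes are constructed so the example runs without root; live_dir_modes shows how to feed it real os.stat results.

```python
import os
import stat


def live_dir_modes(path_value):
    """st_mode for each existing absolute element of PATH (for a real host)."""
    modes = {}
    for el in path_value.split(":"):
        if el.startswith("/"):
            try:
                modes[el] = os.stat(el).st_mode
            except FileNotFoundError:
                pass
    return modes


def path_findings(path_value, dir_modes):
    """(element, finding) for every PATH element that breaks the two rules
    above: empty or '.' entries, relative entries, missing directories, and
    directories writable by group or others."""
    findings = []
    for el in path_value.split(":"):
        if el in ("", "."):
            findings.append((el or "<empty>", "resolves to the current directory"))
        elif not el.startswith("/"):
            findings.append((el, "relative path"))
        elif el not in dir_modes:
            findings.append((el, "does not exist"))
        else:
            mode = dir_modes[el]
            if mode & stat.S_IWGRP:
                findings.append((el, "group-writable"))
            if mode & stat.S_IWOTH:
                findings.append((el, "world-writable"))
    return findings


# Constructed root PATH and directory modes (what os.stat().st_mode would
# report); not taken from a real host.
SAMPLE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin::/opt/tools:bin:/root/bin:."
SAMPLE_MODES = {
    "/usr/local/sbin": stat.S_IFDIR | 0o755,
    "/usr/local/bin": stat.S_IFDIR | 0o755,
    "/usr/sbin": stat.S_IFDIR | 0o755,
    "/usr/bin": stat.S_IFDIR | 0o755,
    "/opt/tools": stat.S_IFDIR | 0o775,   # group-writable: any group member can plant a binary
    "/root/bin": stat.S_IFDIR | 0o700,
}

if __name__ == "__main__":
    for element, why in path_findings(SAMPLE_PATH, SAMPLE_MODES):
        print("%-16s %s" % (element, why))
    # On a real system, as root:
    # path_findings(os.environ["PATH"], live_dir_modes(os.environ["PATH"]))
```

A sticky-bit directory such as /tmp (mode 1777) is still reported: the sticky bit stops other users deleting files, not creating a new binary that root will find first.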
Ensure the Default Bash Umask is Set Correctly
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_bashrc |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows: umask 027 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Ensure the Default C Shell Umask is Set Correctly
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_cshrc |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows: umask 027 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Ensure the Default Umask is Set Correctly in /etc/profile
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows: umask 027 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Ensure the Default Umask is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_login_defs |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows: UMASK 027 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. |
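The four umask rules above are checked the same way, and the stock Fedora start-up files contain a detail a plain grep misses: /etc/bashrc and /etc/profile set the umask inside an if/else (002 for user-private-group accounts, 022 otherwise), so both branches have to satisfy the policy. The scanner below is an added example, not scap-security-guide code; the file contents are constructed excerpts modelled on the Fedora defaults, not copied from a host.

```python
import re

_UMASK_RE = re.compile(r"^\s*umask\s+([0-7]{3,4})\b", re.IGNORECASE)


def find_umasks(text):
    """(line number, umask value) for every umask directive in a shell
    start-up file; IGNORECASE also matches login.defs' 'UMASK 027'."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _UMASK_RE.match(line)
        if m:
            found.append((lineno, int(m.group(1), 8)))
    return found


def is_strict_enough(umask, required=0o027):
    """True when `umask` clears every permission bit that `required` clears."""
    return umask & required == required


def resulting_modes(umask):
    """Default mode of a new regular file (base 666) and directory (base 777)."""
    return 0o666 & ~umask, 0o777 & ~umask


def audit_umask_files(files, required=0o027):
    """files: {path: contents}.  Every umask directive in every file must be
    at least as strict as `required`; a file with no directive is reported."""
    findings = []
    for path, text in files.items():
        masks = find_umasks(text)
        if not masks:
            findings.append((path, None, "no umask directive"))
        for lineno, mask in masks:
            if not is_strict_enough(mask, required):
                fmode, dmode = resulting_modes(mask)
                findings.append((path, lineno,
                                 "umask %03o gives files %03o and directories %03o"
                                 % (mask, fmode, dmode)))
    return findings


# Constructed excerpts modelled on stock Fedora files; not copied from a host.
SAMPLE_FILES = {
    "/etc/bashrc": """\
# User-private-group scheme: users in their own group get 002, others 022
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi
""",
    "/etc/csh.cshrc": "umask 022\n",
    "/etc/profile": "# profile without any umask line\n",
    "/etc/login.defs": "UMASK\t077\n",
}

if __name__ == "__main__":
    for path, lineno, why in audit_umask_files(SAMPLE_FILES):
        print("%s:%s %s" % (path, lineno, why))
```

is_strict_enough accepts any umask that clears at least the bits 027 clears, so a site-wide 077 passes; resulting_modes makes the consequence concrete (027 yields files of 640 and directories of 750).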
Limit the Number of Concurrent Login Sessions Allowed Per User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent sessions per user, add the following line in /etc/security/limits.conf (1 is shown here; substitute the limit your policy allows): * hard maxlogins 1 |
Rationale | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. |
Verify /boot/grub2/grub.cfg User Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner, run: $ sudo chown root /boot/grub2/grub.cfg |
Rationale | Only root should be able to modify important boot parameters. |
Verify /boot/grub2/grub.cfg Group Ownership
Rule ID | xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner, run: $ sudo chgrp root /boot/grub2/grub.cfg |
Rationale |
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway. |
Set Boot Loader Password
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_password |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password, and generate a password hash for it by running: $ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected, and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account (use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash): password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password.
Once the superuser account and password have been added, update the grub.cfg file by running: grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.
|
Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, refer to the GRUB 2 documentation. |
Set the UEFI Boot Loader Password
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_uefi_password |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The UEFI grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password, and generate a password hash for it by running: $ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected, and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account (use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash): password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password.
Once the superuser account and password have been added, update the grub.cfg file by running: grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.
|
Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
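The hash that grub2-mkpasswd-pbkdf2 prints is ordinary PBKDF2-HMAC-SHA512 (10000 iterations, 64-byte salt, 64-byte output, upper-case hex), which makes the two bootloader-password rules above easy to audit from outside the boot environment. The code below is an added example, not GRUB or scap-security-guide code: it reproduces the hash format, verifies a candidate passphrase against an existing hash with a constant-time compare, and reviews an /etc/grub.d/01_users fragment for the page's notes (every superuser has a password_pbkdf2 line, no plaintext password command, no root/admin/administrator name). The 01_users fragments and the fixed salt are constructed for reproducibility; a real deployment lets grub2-mkpasswd-pbkdf2 pick a random salt.

```python
import hashlib
import hmac
import os
import re

GRUB_ITERATIONS = 10000   # the count grub2-mkpasswd-pbkdf2 uses by default


def grub_pbkdf2_hash(password, salt=None, iterations=GRUB_ITERATIONS):
    """Build a hash in the format grub2-mkpasswd-pbkdf2 prints:
    grub.pbkdf2.sha512.<iterations>.<64-byte salt hex>.<64-byte key hex>."""
    if salt is None:
        salt = os.urandom(64)
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, 64)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), key.hex().upper())


def grub_pbkdf2_verify(password, hash_string):
    """True when `password` matches a grub.pbkdf2.sha512 hash (constant-time compare)."""
    parts = hash_string.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations, salt, expected = int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, len(expected))
    return hmac.compare_digest(key, expected)


_SUPERUSERS_RE = re.compile(r'^\s*set\s+superusers="?([^"\s]+)"?', re.M)
_PASSWORD_RE = re.compile(r'^\s*(password|password_pbkdf2)\s+(\S+)\s+(\S+)', re.M)


def check_01_users(text, common_names=("root", "admin", "administrator")):
    """Review an /etc/grub.d/01_users fragment against the notes on this page:
    every listed superuser needs a password_pbkdf2 line, a plaintext
    'password' line is flagged, and common administrator names are flagged."""
    findings = []
    m = _SUPERUSERS_RE.search(text)
    if not m:
        return [("no-superusers", None)]
    passwords = {user: (cmd, value) for cmd, user, value in _PASSWORD_RE.findall(text)}
    for user in m.group(1).split(","):
        if user.lower() in common_names:
            findings.append(("common-name", user))
        if user not in passwords:
            findings.append(("missing-password", user))
        elif passwords[user][0] != "password_pbkdf2" or \
                not passwords[user][1].startswith("grub.pbkdf2.sha512."):
            findings.append(("not-pbkdf2", user))
    return findings


# Constructed fragments; the fixed salt keeps the example reproducible.
SAMPLE_HASH = grub_pbkdf2_hash("boot-only passphrase", salt=bytes(range(64)))
GOOD_01_USERS = 'cat << EOF\nset superusers="bootadmin"\npassword_pbkdf2 bootadmin %s\nEOF\n' % SAMPLE_HASH
BAD_01_USERS = 'set superusers="root"\npassword root hunter2\n'

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print(grub_pbkdf2_verify("boot-only passphrase", SAMPLE_HASH))
    print(check_01_users(GOOD_01_USERS), check_01_users(BAD_01_USERS))
```

grub_pbkdf2_verify is the check to run when a colleague hands over a hash and the passphrase is supposedly documented: confirming the two match before a reboot beats discovering the mismatch at the GRUB prompt.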
Install the screen Package
Rule ID | xccdf_org.ssgproject.content_rule_package_screen_installed |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To enable console screen locking, install the screen package. Instruct users to begin new terminal sessions with the following command: $ screen
The console can now be locked with the following key combination: ctrl+a x |
Rationale |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The screen package provides this locking mechanism for console sessions. |
Enable Smart Card Login
Rule ID | xccdf_org.ssgproject.content_rule_smartcard_auth |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | To enable smart card authentication, consult the documentation at: |
Rationale | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. |
Require Authentication for Single User Mode
Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. On a systemd-based Fedora system, single-user mode corresponds to rescue.service and emergency.service; both units should run /usr/sbin/sulogin so that the root password is required before a shell is offered.
|
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
Disable debug-shell SystemD Service
Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | SystemD's debug-shell service provides an unauthenticated root shell on tty9 for troubleshooting purposes and should be disabled: $ sudo systemctl disable debug-shell.service |
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
Disable Ctrl-Alt-Del Reboot Activation
Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | high |
Identifiers and References | |
Description |
By default, the system includes the ctrl-alt-del.target, which reboots the system when Ctrl-Alt-Del is pressed at the console. To disable it, mask the target with systemctl mask ctrl-alt-del.target (equivalent to ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target). Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.target file, as this file may be restored during future system updates.
|
Rationale | A locally logged-in user who presses Ctrl-Alt-Del at the console can reboot the system. If pressed accidentally, as can happen in a mixed-OS environment, this creates the risk of a short-term loss of availability due to an unintentional reboot. |
Verify that Interactive Boot is Disabled
Rule ID | xccdf_org.ssgproject.content_rule_disable_interactive_boot |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
Fedora systems support an "interactive boot" option that can be used to prevent services from being started. On a Fedora system, interactive boot can be enabled by providing a systemd.confirm_spawn=(1|yes|true|on) argument on the kernel command line. Remove any such systemd.confirm_spawn argument from the GRUB_CMDLINE_LINUX line in /etc/default/grub to disable interactive boot. |
Rationale | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
Warnings |
The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows: grub2-mkconfig -o /boot/grub2/grub.cfg (on UEFI systems, /boot/efi/EFI/fedora/grub.cfg).
|
Disable Kernel Parameter for Sending ICMP Redirects by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.default.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Disable Kernel Parameter for IP Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 0 |
Rationale | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. |
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-4, CM-7, SC-5, 366, SRG-OS-000480-GPOS-00227, 040350, 4.2.1 |
Description |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct
route exists for a particular destination. These messages modify the host's route table
and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle
attack.
|
Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
Configure Kernel Parameter to Log Martian Packets
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv4.conf.all.log_martians = 1 |
Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
Configure Kernel Parameter to Log Martian Packets By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.log_martians = 1 |
Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
Configure Kernel Parameter for Accepting Source-Routed Packets By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-4, CM-7, SC-5, SC-7, 1551, SRG-OS-000480-GPOS-00227, 040350, 4.2.1 |
Description |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures.
|
Configure Kernel Parameter for Accepting ICMP Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct
route exists for a particular destination. These messages modify the host's route table
and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle
attack.
|
Configure Kernel Parameter for Accepting Secure Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-4, CM-7, SC-5, 366, SRG-OS-000480-GPOS-00227, 040380, 4.2.5 |
Description |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
|
Configure Kernel Parameter to Ignore Bogus ICMP Error Responses
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Rationale | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Configure Kernel Parameter to Use Reverse Path Filtering by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Disable WiFi or Bluetooth in BIOS
Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_in_bios |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85 |
Description | Some systems that include built-in wireless support offer the ability to disable the device through the BIOS. This is system-specific; consult your hardware manual or explore the BIOS setup during boot. |
Rationale | Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first. |
Deactivate Wireless Network Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 4.3.1 |
Description | Deactivating wireless network interfaces should prevent
normal usage of the wireless capability. First, identify the interfaces available with the command:
$ ifconfig -a
Additionally, the following command may be used to determine whether wireless support is included for a particular interface, though this may not always be a clear indicator:
$ iwconfig
After identifying any wireless interfaces (which may have names like wlan0 , ath0 , wifi0 , em1 or eth0 ), deactivate the interface with the command:
$ sudo ifdown interface
These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts :
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface |
Rationale | Wireless networking allows attackers within physical proximity to launch network-based attacks against systems, including those against local LAN protocols which were not designed with security in mind. |
Disable Bluetooth Service
Rule ID | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 1551 |
Description |
The bluetooth service can be disabled with the following commands:
$ sudo systemctl disable bluetooth.service
$ sudo service bluetooth stop |
Rationale | Disabling the |
Disable Bluetooth Kernel Modules
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, 85, 1551 |
Description | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following line to
the appropriate file in /etc/modprobe.d to prevent the bluetooth module from loading:
install bluetooth /bin/true |
Rationale | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
Disable IPv6 Networking Support Automatic Loading
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | To disable support for IPv6, add the following line to /etc/sysctl.conf (or to a file in /etc/sysctl.d ):
net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces rather than unloading the IPv6 stack, because other services and system functionality require the IPv6 stack to be loaded in order to work. |
Rationale | Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. |
Disable Interface Usage of IPv6
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | To disable interface usage of IPv6, add or correct the following line in /etc/sysconfig/network :
NETWORKING_IPV6=no
and the following line in each interface file under /etc/sysconfig/network-scripts :
IPV6INIT=no |
Disable Support for RPC IPv6
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | RPC services for NFSv4 try to load transport modules for
udp6 and tcp6 by default. To prevent RPC services from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig :
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - - |
Disable Accepting IPv6 Router Advertisements
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: CM-7 |
Description |
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Disable Accepting IPv6 Redirects
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.default.accept_redirects = 0 |
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Manually Assign Global IPv6 Address
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_static_address |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: 366 |
Description | To manually assign an IP address for an interface, edit the
file /etc/sysconfig/network-scripts/ifcfg-interface and add or correct the following line (substituting the address appropriately):
IPV6ADDR=2001:0DB8::ABCD/64
Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849. |
Use Privacy Extensions for Address
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: 366 |
Description | To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
/etc/sysconfig/network-scripts/ifcfg-interface :
IPV6_PRIVACY=rfc3041
Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied. |
Manually Assign IPv6 Router Address
Rule ID | xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: 366 |
Description | Edit the file /etc/sysconfig/network and add or correct the following line (substituting your gateway address as appropriate):
IPV6_DEFAULTGW=2001:0DB8::0001
Router addresses should be manually set and not accepted via any auto-configuration or router advertisement. |
Verify firewalld Enabled
Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
Result | pass |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service |
Rationale |
The dynamic firewall daemon |
Set Default firewalld Zone for Incoming Packets
Rule ID | xccdf_org.ssgproject.content_rule_set_firewalld_default_zone |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | To set the default zone to drop , edit /etc/firewalld/firewalld.conf and add or correct the following line:
DefaultZone=drop |
Rationale | In |
Disable DCCP Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | identifiers: CCE-26828-4 |
Description |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install dccp /bin/true |
Rationale | Disabling DCCP protects the system against exploitation of any flaws in its implementation. |
Install libreswan Package
Rule ID | xccdf_org.ssgproject.content_rule_package_libreswan_installed |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The Libreswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks.
The libreswan package can be installed with the following command:
$ sudo dnf install libreswan |
Rationale | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. |
Verify Any Configured IPSec Tunnel Connections
Rule ID | xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | references: AC-4, 336, SRG-OS-000480-GPOS-00227, 040830 |
Description | Libreswan provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. As such, IPsec can be used to circumvent certain
network requirements such as filtering. Verify that if any IPsec connection
( |
Rationale | IP tunneling mechanisms can be used to bypass network filtering. |
Disable Zeroconf Networking
Rule ID | xccdf_org.ssgproject.content_rule_network_disable_zeroconf |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | references: CM-7 |
Description | Zeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in /etc/sysconfig/network :
NOZEROCONF=yes |
Rationale | Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server. |
Ensure System is Not Acting as a Network Sniffer
Rule ID | xccdf_org.ssgproject.content_rule_network_sniffer_disabled |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC |
Rationale | If any results are returned, then a sniffing process (such as tcpdump or Wireshark) is likely to be using the interface and this should be investigated. |
Ensure Log Files Are Owned By Appropriate User
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The owner of all log files written by rsyslog should be root . For each log file LOGFILE referenced in the rsyslog configuration, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root , run the following command to
correct this:
$ sudo chown root LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
Ensure Log Files Are Owned By Appropriate Group
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The group-owner of all log files written by rsyslog should be root . For each log file LOGFILE referenced in the rsyslog configuration, run the following command to inspect the file's group-owner:
$ ls -l LOGFILE
If the group-owner is not root , run the following command to
correct this:
$ sudo chgrp root LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
Ensure Logrotate Runs Periodically
Rule ID | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | The logrotate utility rotates log files automatically. To configure logrotate to run daily, add or correct the following lines in /etc/logrotate.conf :
# rotate log files frequency
daily |
Rationale | Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. |
Configure Logwatch HostLimit Line
Rule ID | xccdf_org.ssgproject.content_rule_configure_logwatch_hostlimit |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate
on the logserver itself. The HostLimit setting restricts Logwatch to entries from the local host, so it must be turned off. Add or correct the following line in the Logwatch configuration file ( /etc/logwatch/conf/logwatch.conf ):
HostLimit = no |
Configure Logwatch SplitHosts Line
Rule ID | xccdf_org.ssgproject.content_rule_configure_logwatch_splithosts |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description |
If SplitHosts is set, Logwatch separates entries by hostname, so the report shows which host generated each message; without it, that information is lost. Add or correct the following line in the Logwatch configuration file ( /etc/logwatch/conf/logwatch.conf ):
SplitHosts = yes |
Ensure rsyslog is Installed
Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description |
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo dnf install rsyslog |
Rationale | The rsyslog package provides the rsyslog daemon, which provides system logging services. |
Enable rsyslog Service
Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
Rationale | The |
Disable Logwatch on Clients if a Logserver Exists
Rule ID | xccdf_org.ssgproject.content_rule_disable_logwatch_for_logserver |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | Does your site have a central logserver which has been configured to report on logs received from all systems? If so, run the following command on each client:
$ sudo rm /etc/cron.daily/0logwatch
If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier and less time-intensive for administrators. |
Configure auditd Number of Logs Retained
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf and add or modify the following line, substituting NUMLOGS with the correct value:
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |
Rationale | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
Configure auditd Max Log File Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf and add or modify the following line, substituting the correct value for STOREMB :
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
Rationale | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the following line in /etc/audit/auditd.conf :
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. Set ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive.
|
Rationale | Automatically rotating logs (by setting this to |
Configure auditd space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf and add or modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
Set this to email (instead of the default,
which is suspend ) as it is more likely to get prompt attention. Acceptable values
also include suspend , single , and halt .
|
Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
Configure auditd admin_space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The auditd service can be configured to take an action when disk space is running low but before it runs out completely. Edit the file /etc/audit/auditd.conf and add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt . For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.
|
Rationale | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. |
Configure auditd mail_acct Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References | |
Description | The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = root |
Rationale | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. |
Configure auditd flush priority
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_flush |
Result | notselected |
Time | 2017-03-14T13:48:36 |
Severity | low |
Identifiers and References | |
Description | The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf :
flush = data |
Rationale | Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. |
Configure auditd to use audispd's syslog plugin
Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated |
Result | fail |
Time | 2017-03-14T13:48:36 |
Severity | medium |
Identifiers and References |