CCE-27224-5
Disable All GNOME Thumbnailers setting should be configured appropriately.

CCE-26457-2
Ensure auditd Collects Information on the Use of Privileged Commands setting should be configured appropriately.

CCE-26444-0
Set Default iptables Policy for Incoming Packets setting should be configured appropriately.

CCE-26828-4
Set GNOME Login Inactivity Timeout setting should be configured appropriately.

CCE-26991-0
Enable the SELinux Context Restoration Service (restorecond) setting should be configured appropriately.

CCE-27017-3
Set GUI Warning Banner Text setting should be configured appropriately.

CCE-27104-9
Disable Network File System Lock Service (nfslock) setting should be configured appropriately.

CCE-26235-2
Enable Screen Lock Activation After Idle Period setting should be configured appropriately.

CCE-27119-7
Disable X Windows Startup By Setting Runlevel setting should be configured appropriately.

CCE-27195-7
Enable GUI Warning Banner setting should be configured appropriately.

CCE-27086-8
Disable Hardware Abstraction Layer Service (haldaemon) setting should be configured appropriately.

CCE-26638-7
Implement Blank Screen Saver setting should be configured appropriately.

CCE-27317-7
Set Default ip6tables Policy for Incoming Packets setting should be configured appropriately.

CCE-27186-6
Set Default iptables Policy for Forwarded Packets setting should be configured appropriately.

CCE-27035-5
Disable GNOME Automounting setting should be configured appropriately.

CCE-27230-2
Disable the User List setting should be configured appropriately.

CCE-26600-7
GNOME Desktop Screensaver Mandatory Use setting should be configured appropriately.

CCE-27037-1
Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces setting should be configured appropriately.

CCE-27120-5
Uninstall DHCP Server Package setting should be configured appropriately.

CCE-27062-9
Uninstall rsh-server Package setting should be configured appropriately.

CCE-26958-9
Specify Additional Remote NTP Servers setting should be configured appropriately.

CCE-26994-4
The rsh service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled. The rsh service can be disabled with the following command: # chkconfig rsh off

CCE-26669-2
Ensure the Default Umask is Set Correctly in /etc/profile setting should be configured appropriately.

CCE-26611-4
Ensure auditd Collects Information on Kernel Module Loading and Unloading setting should be configured appropriately.

CCE-27300-3
Restrict Information Published by Avahi setting should be configured appropriately.

CCE-26696-5
Disable TIPC Support setting should be configured appropriately.

CCE-27235-1
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server setting should be configured appropriately.

CCE-26662-7
Ensure auditd Collects System Administrator Actions setting should be configured appropriately.

CCE-27232-8
Disable Support for RPC IPv6 setting should be configured appropriately.

CCE-27234-4
Manually Assign IPv6 Router Address setting should be configured appropriately.

CCE-27362-3
Disable CGI Support setting should be configured appropriately.

CCE-27182-5
Record Events that Modify the System's Discretionary Access Controls - lremovexattr setting should be configured appropriately.

CCE-26741-9
Limit Password Reuse setting should be configured appropriately.

CCE-26836-7
The telnet service can be disabled with the following command: # chkconfig telnet off

CCE-27054-6
The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. The sshd service can be disabled with the following command: # chkconfig sshd off This is unusual, as SSH is a common method for encrypted and authenticated remote access.

CCE-26873-0
The named service can be disabled with the following command: # chkconfig named off

CCE-26983-7
Disable Kernel Parameter for Accepting Source-Routed Packets By Default setting should be configured appropriately.

CCE-26801-1
Ensure Logs Sent To Remote Host setting should be configured appropriately.

CCE-27178-3
Record Events that Modify the System's Discretionary Access Controls - fchownat setting should be configured appropriately.

CCE-26993-6
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses setting should be configured appropriately.

CCE-27208-8
Disable rexec Service setting should be configured appropriately.

CCE-27239-3
Configure auditd admin_space_left Action on Low Disk Space setting should be configured appropriately.

CCE-27241-9
Configure auditd mail_acct Action on Low Disk Space setting should be configured appropriately.

CCE-27154-4
Use Privacy Extensions for Address setting should be configured appropriately.

CCE-26610-6
Record Attempts to Alter Process and Session Initiation Information setting should be configured appropriately.

CCE-27046-2
The xinetd service can be disabled with the following command: # chkconfig xinetd off

CCE-27571-9
Enable the SSL flag in /etc/dovecot.conf setting should be configured appropriately.

CCE-27072-8
Allow Only SSH Protocol 2 setting should be configured appropriately.

CCE-27181-7
Record Events that Modify the System's Discretionary Access Controls - lchown setting should be configured appropriately.

CCE-27550-3
Configure auditd Max Log File Size setting should be configured appropriately.

CCE-26977-9
Uninstall squid Package setting should be configured appropriately.

CCE-27047-0
Restrict Serial Port Root Logins setting should be configured appropriately.

CCE-27403-5
Install mod_ssl setting should be configured appropriately.

CCE-27541-2
Disable MIME Magic setting should be configured appropriately.

CCE-26282-4
Set SSH Client Alive Count setting should be configured appropriately.

CCE-27005-8
Uninstall xinetd Package setting should be configured appropriately.

CCE-26906-8
The snmpd service can be disabled with the following command: # chkconfig snmpd off

CCE-27166-8
Disable Accepting IPv6 Redirects setting should be configured appropriately.

CCE-27228-6
Set Password Hashing Algorithm in /etc/login.defs setting should be configured appropriately.

CCE-27197-3
Configure Logwatch HostLimit Line setting should be configured appropriately.

CCE-26976-1
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is ...

CCE-27002-5
Set Password Minimum Length in login.defs setting should be configured appropriately.

CCE-26954-8
Verify Permissions on group File setting should be configured appropriately.

CCE-26894-6
The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The ypbind service can be disabled with the following command: # chkconfig ypbind off

CCE-26990-2
The irqbalance service optimizes the balance between power savings and performance through distribution of hardware interrupts across multiple processors. The irqbalance service can be enabled with the following command: # chkconfig --level 2345 irqbalance on

CCE-26850-8
The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command: ...

CCE-26803-7
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server setting should be configured appropriately.

CCE-26974-6
Modify the System Login Banner setting should be configured appropriately.

CCE-26870-6
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command: # chkconfig rpcidmapd off

CCE-27263-3
Disable Cyrus SASL Authentication Daemon (saslauthd) setting should be configured appropriately.

CCE-26975-3
Verify Group Who Owns gshadow File setting should be configured appropriately.

CCE-26631-2
Set Password Strength Minimum Lowercase Characters setting should be configured appropriately.

CCE-26374-9
Set Password Strength Minimum Digit Characters setting should be configured appropriately.

CCE-27133-8
Uninstall httpd Package setting should be configured appropriately.

CCE-26332-7
Uninstall net-snmp Package setting should be configured appropriately.

CCE-26709-6
Ensure gpgcheck Enabled In Main Yum Configuration setting should be configured appropriately.

CCE-26999-3
Enable Randomized Layout of Virtual Address Space setting should be configured appropriately.

CCE-27124-7
Disable SSH Support for .rhosts Files setting should be configured appropriately.

CCE-26691-6
Record Attempts to Alter Logon and Logout Events setting should be configured appropriately.

CCE-26951-4
Verify Permissions on gshadow File setting should be configured appropriately.

CCE-27024-9
In some installations, AIDE is not installed automatically. Rationale: Ensure AIDE is installed to make use of the file integrity features to monitor critical files for changes that could affect the security of the system.

CCE-27243-5
System Audit Logs Must Have Mode 0640 or Less Permissive setting should be configured appropriately.

CCE-27440-7
Enable Smart Card Login setting should be configured appropriately.

CCE-27006-6
The ip6tables service can be enabled with the following command: # chkconfig --level 2345 ip6tables on

CCE-27626-1
Install openswan Package setting should be configured appropriately.

CCE-27107-2
Disable Print Server Capabilities setting should be configured appropriately.

CCE-26615-5
Set Password Strength Minimum Different Characters setting should be configured appropriately.

CCE-27316-9
Set Permissions on All Configuration Files Inside /etc/httpd/conf/ setting should be configured appropriately.

CCE-26887-0
Disable SSH Access via Empty Passwords setting should be configured appropriately.

CCE-26544-7
Disable Mounting of freevxfs setting should be configured appropriately.

CCE-27112-2
Enable SSH Warning Banner setting should be configured appropriately.

CCE-27508-1
Configure SMTP Greeting Banner setting should be configured appropriately.

CCE-27175-9
Record Events that Modify the System's Discretionary Access Controls - fchmodat setting should be configured appropriately.

CCE-27173-4
Record Events that Modify the System's Discretionary Access Controls - chown setting should be configured appropriately.

CCE-27044-7
Disable Core Dumps for SUID programs setting should be configured appropriately.

CCE-26891-2
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on th ...

CCE-27225-2
Verify No netrc Files Exist setting should be configured appropriately.

CCE-27049-6
To prevent the DHCP server from receiving DNS information from clients, edit /etc/dhcp/dhcpd.conf, and add or correct the following global option: ddns-update-style none;

CCE-27526-3
Disable Avahi Publishing setting should be configured appropriately.

CCE-27193-2
Disable Software RAID Monitor (mdmonitor) setting should be configured appropriately.

CCE-26969-6
Ensure SELinux State is Enforcing setting should be configured appropriately.

CCE-27066-0
Enable Kernel Parameter to Log Martian Packets setting should be configured appropriately.

CCE-27515-6
Uninstall Sendmail Package setting should be configured appropriately.

CCE-27073-6
Uninstall telnet-server Package setting should be configured appropriately.

CCE-27260-9
Disable Quota Netlink (quota_nld) setting should be configured appropriately.

CCE-26601-5
Set Password Strength Minimum Uppercase Characters setting should be configured appropriately.

CCE-27633-7
Configure Dovecot to Use the SSL Key file setting should be configured appropriately.

CCE-27221-1
Disable Prelinking setting should be configured appropriately.

CCE-26242-8
Record attempts to alter time through adjtimex setting should be configured appropriately.

CCE-27179-1
Record Events that Modify the System's Discretionary Access Controls - fremovexattr setting should be configured appropriately.

CCE-26807-8
The rsyslog service provides syslog-style logging by default on CentOS 6. The rsyslog service can be enabled with the following command: # chkconfig --level 2345 rsyslog on

CCE-27252-6
Disable Control Group Rules Engine (cgred) setting should be configured appropriately.

CCE-26913-4
D-Bus provides an IPC mechanism used by a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. Due to these dependencies, disabling D-Bus may not be practical for many systems. The messagebus service can be disabled with the following command: # chkconfig messagebus off

CCE-27340-9
Check Avahi Responses' TTL Field setting should be configured appropriately.

CCE-26410-1
Disable SCTP Support setting should be configured appropriately.

CCE-27250-0
Disable Control Group Config (cgconfig) setting should be configured appropriately.

CCE-27055-3
The tftp service should be disabled. The tftp service can be disabled with the following command: # chkconfig tftp off

CCE-27256-7
Disable ntpdate Service (ntpdate) setting should be configured appropriately.

CCE-27146-0
Disable Squid setting should be configured appropriately.

CCE-27254-2
Disable Network Console (netconsole) setting should be configured appropriately.

CCE-27081-9
The bluetooth service can be disabled with the following command: # chkconfig bluetooth off # service bluetooth stop

CCE-27425-8
Set httpd ServerTokens Directive to Prod setting should be configured appropriately.

CCE-27247-6
Disable Automatic Bug Reporting Tool (abrtd) setting should be configured appropriately.

CCE-26361-6
Disable Mounting of hfsplus setting should be configured appropriately.

CCE-27201-3
Do Not Allow SSH Environment Options setting should be configured appropriately.

CCE-26856-5
Verify Group Who Owns passwd File setting should be configured appropriately.

CCE-26371-5
Ensure the Default Umask is Set Correctly in login.defs setting should be configured appropriately.

CCE-26866-4
Disable Kernel Parameter for IP Forwarding setting should be configured appropriately.

CCE-26915-9
Enable Kernel Parameter to Use Reverse Path Filtering by Default setting should be configured appropriately.

CCE-26875-5
Configure SELinux Policy setting should be configured appropriately.

CCE-26612-2
Make the auditd Configuration Immutable setting should be configured appropriately.

CCE-27110-6
Set Lockout Time For Failed Password Attempts setting should be configured appropriately.

CCE-27108-0
Disable Printer Browsing Entirely if Possible setting should be configured appropriately.

CCE-27180-9
Record Events that Modify the System's Discretionary Access Controls - fsetxattr setting should be configured appropriately.

CCE-27144-5
Disable Plaintext Authentication setting should be configured appropriately.

CCE-26889-6
Configure the statd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line: STATD_PORT=statd-port Where statd-port is a port which is not used by any other service on your network.

CCE-27586-7
Set httpd ServerSignature Directive to Off setting should be configured appropriately.

CCE-27170-0
Record Attempts to Alter Time Through clock_settime setting should be configured appropriately.

CCE-27238-5
Configure auditd space_left Action on Low Disk Space setting should be configured appropriately.

CCE-26712-0
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) setting should be configured appropriately.

CCE-26899-5
The cups service can be disabled with the following command: # chkconfig cups off

CCE-27158-5
Disable anacron Service setting should be configured appropriately.

CCE-27276-5
Disable URL Correction on Misspelled Entries setting should be configured appropriately.

CCE-27635-2
Ensure Software Patches Installed setting should be configured appropriately.

CCE-27106-4
Deny Decline Messages setting should be configured appropriately.

CCE-26948-0
The vsftpd service can be disabled with the following command: # chkconfig vsftpd off

CCE-26854-0
Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces setting should be configured appropriately.

CCE-26280-8
Record Events that Modify the System's Discretionary Access Controls - chmod setting should be configured appropriately.

CCE-27100-7
Disable SSH Root Login setting should be configured appropriately.

CCE-26404-4
Disable Mounting of squashfs setting should be configured appropriately.

CCE-27004-1
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces setting should be configured appropriately.

CCE-26858-1
Uninstall openldap-servers Package setting should be configured appropriately.

CCE-26992-8
Verify Permissions on shadow File setting should be configured appropriately.

CCE-27177-5
Record Events that Modify the System's Discretionary Access Controls - fchown setting should be configured appropriately.

CCE-27395-3
Disable LDAP Support setting should be configured appropriately.

CCE-26573-6
Ensure auditd Collects Information on Exporting to Media (successful) setting should be configured appropriately.

CCE-27365-6
Configure SNMP Service to Use Only SNMPv3 or Newer setting should be configured appropriately.

CCE-27249-2
Disable At Service (atd) setting should be configured appropriately.

CCE-27215-3
Set Interval For Counting Failed Password Attempts setting should be configured appropriately.

CCE-27227-8
Set Password to Maximum of Three Consecutive Repeating Characters setting should be configured appropriately.

CCE-26687-4
Uninstall vsftpd Package setting should be configured appropriately.

CCE-27123-9
Set Password Retry Prompts Permitted Per-Session setting should be configured appropriately.

CCE-27142-9
Enable Logging of All FTP Transactions setting should be configured appropriately.

CCE-27039-7
Uninstall dovecot Package setting should be configured appropriately.

CCE-26325-1
Enable Postfix Service setting should be configured appropriately.

CCE-27459-7
Configure Dovecot to Use the SSL Certificate file setting should be configured appropriately.

CCE-26657-7
Record Events that Modify the System's Mandatory Access Controls setting should be configured appropriately.

CCE-27237-7
Configure auditd max_log_file_action Upon Reaching Maximum Log Size setting should be configured appropriately.

CCE-27043-9
To disable the ability for users to perform interactive startups, edit the file /etc/sysconfig/init. Add or correct the line: PROMPT=no The PROMPT option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boo ...

CCE-27174-2
Record Events that Modify the System's Discretionary Access Controls - fchmod setting should be configured appropriately.

CCE-26831-8
Disable Kernel Parameter for Accepting Secure Redirects By Default setting should be configured appropriately.

CCE-26953-0
Verify User Who Owns passwd File setting should be configured appropriately.

CCE-27093-4
The ntpd service can be enabled with the following command: # chkconfig --level 2345 ntpd on

CCE-27507-3
Disable Web Server Configuration Display setting should be configured appropriately.

CCE-27261-7
Disable Network Router Discovery Daemon (rdisc) setting should be configured appropriately.

CCE-27259-1
Enable Process Accounting (psacct) setting should be configured appropriately.

CCE-27233-6
Manually Assign Global IPv6 Address setting should be configured appropriately.

CCE-27007-4
To set the runtime status of the kernel.exec-shield kernel parameter, run the following command: # sysctl -w kernel.exec-shield=1 If this is not the system's default value, add the following line to /etc/sysctl.conf: kernel.exec-shield = 1

CCE-27030-6
Uninstall bind Package setting should be configured appropriately.

CCE-27016-5
Disable Modprobe Loading of USB Storage Driver setting should be configured appropriately.

CCE-27553-7
Disable HTTP Digest Authentication setting should be configured appropriately.

CCE-27203-9
Record attempts to alter time through settimeofday setting should be configured appropriately.

CCE-26946-4
Uninstall tftp-server Package setting should be configured appropriately.

CCE-27291-4
Set Last Logon/Access Notification setting should be configured appropriately.

CCE-26328-5
Require Client SMB Packet Signing, if using smbclient setting should be configured appropriately.

CCE-27033-0
Disable Core Dumps for All Users setting should be configured appropriately.

CCE-27122-1
Disable Secure RPC Server Service (rpcsvcgssd) setting should be configured appropriately.

CCE-26555-3
Use Only Approved Ciphers setting should be configured appropriately.

CCE-27244-3
System Audit Logs Must Be Owned By Root setting should be configured appropriately.

CCE-27079-3
Uninstall ypserv Package setting should be configured appropriately.

CCE-27487-8
Set Permissions on the /etc/httpd/conf/ Directory setting should be configured appropriately.

CCE-27040-5
Require Authentication for Single User Mode setting should be configured appropriately.

CCE-26898-7
Configure Logging setting should be configured appropriately.

CCE-26239-4
Disable RDS Support setting should be configured appropriately.

CCE-27061-1
The Advanced Configuration and Power Interface Daemon (acpid) dispatches ACPI events (such as power/reset button depressed) to userspace programs. The acpid service can be disabled with the following command: # chkconfig acpid off

CCE-27145-2
Create Warning Banners for All FTP Users setting should be configured appropriately.

CCE-26928-2
The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The qpidd service can be disabled with the following command: # ch ...

CCE-26947-2
Verify User Who Owns shadow File setting should be configured appropriately.

CCE-26853-2
SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. The smartd service can be disabled with the following command: # chkconfig smartd off

CCE-26409-3
Set Password Strength Minimum Special Characters setting should be configured appropriately.

CCE-27468-8
Disable Server Activity Status setting should be configured appropriately.

CCE-27075-1
The httpd service can be disabled with the following command: # chkconfig httpd off

CCE-26846-6
The CentOS Network service automatically queries CentOS Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to a CentOS server or satellite and managed as such. The rhnsd service can be disabled ...

CCE-27257-5
Disable Odd Job Daemon (oddjobd) setting should be configured appropriately.

CCE-27185-8
Record Events that Modify the System's Discretionary Access Controls - setxattr setting should be configured appropriately.

CCE-27053-8
Enable Kernel Parameter to Use TCP Syncookies setting should be configured appropriately.

CCE-27149-4
Configure lockd to use static TCP port setting should be configured appropriately.

CCE-26800-3
Disable Mounting of hfs setting should be configured appropriately.

CCE-26763-3
Disable Bluetooth Kernel Modules setting should be configured appropriately.

CCE-27169-2
Record Attempts to Alter Time Through stime setting should be configured appropriately.

CCE-27366-4
Restrict Access to Kernel Message Buffer setting should be configured appropriately.

CCE-27115-5
Restrict Access to Anonymous Users if Possible setting should be configured appropriately.

CCE-27189-0
Configure Certificate Directives for LDAP Use of TLS setting should be configured appropriately.

CCE-27018-1
The iptables service can be enabled with the following command: # chkconfig --level 2345 iptables on

CCE-26303-8
Set Password Hashing Algorithm in /etc/pam.d/system-auth setting should be configured appropriately.

CCE-27162-7
Disable Logwatch on Clients if a Logserver Exists setting should be configured appropriately.

CCE-27258-3
Disable Portreserve (portreserve) setting should be configured appropriately.

CCE-27038-9
Prevent Log In to Accounts With Empty Password setting should be configured appropriately.

CCE-26809-4
Ensure rsyslog is Installed setting should be configured appropriately.

CCE-27027-2
Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces setting should be configured appropriately.

CCE-26865-6
The rlogin service, which is available with the rsh-server package and runs as a service through xinetd, should be disabled. The rlogin service can be disabled with the following command: # chkconfig rlogin off

CCE-27138-7
Use Root-Squashing on All Exports setting should be configured appropriately.

CCE-26967-0
Verify Group Who Owns shadow File setting should be configured appropriately.

CCE-27114-8
Configure mountd to use static port setting should be configured appropriately.

CCE-26647-8
Ensure gpgcheck Enabled For All Yum Package Repositories setting should be configured appropriately.

CCE-27151-0
Disable Zeroconf Networking setting should be configured appropriately.

CCE-26448-1
Disable DCCP Support setting should be configured appropriately.

CCE-26690-8
Configure LDAP Client to Use TLS For All Transactions setting should be configured appropriately.

CCE-27121-3
Restrict NFS Clients to Privileged Ports setting should be configured appropriately.

CCE-27199-9
Disable Network File System (nfs) setting should be configured appropriately.

CCE-27329-2
Disable WebDAV (Distributed Authoring and Versioning) setting should be configured appropriately.

CCE-27570-1
Disable HTTP mod_rewrite setting should be configured appropriately.

CCE-27164-3
Disable Accepting IPv6 Router Advertisements setting should be configured appropriately.

CCE-27091-8
Disable Host-Based Authentication setting should be configured appropriately.

CCE-27150-2
Set Permissions on the /var/log/httpd/ Directory setting should be configured appropriately.

CCE-27111-4
Ensure No Daemons are Unconfined by SELinux setting should be configured appropriately.

CCE-27077-7
Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option: deny bootp;

CCE-27117-1
Disable FTP Uploads if Possible setting should be configured appropriately.

CCE-27590-9
Serve Avahi Only via Required Protocol setting should be configured appropriately.

CCE-27183-3
Record Events that Modify the System's Discretionary Access Controls - lsetxattr setting should be configured appropriately.

CCE-26844-1
Set Deny For Failed Password Attempts setting should be configured appropriately.

CCE-27229-4
Set Password Hashing Algorithm in /etc/libuser.conf setting should be configured appropriately.

CCE-27222-9
Configure Periodic Execution of AIDE setting should be configured appropriately.

CCE-26859-9
The cache module allows httpd to cache data, optimizing access to frequently accessed content. However, it introduces potential security flaws such as the possibility of circumventing Allow and Deny directives. If this functionality is unnecessary, comment out the module: #LoadModule cache_modul ...

CCE-26864-9
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with th ...

CCE-27137-9
Disable Network File Systems (netfs) setting should be configured appropriately.

CCE-27270-8
Remove Rsh Trust Files setting should be configured appropriately.

CCE-26940-7
Install the screen Package setting should be configured appropriately.

CCE-27556-0
Limit Users' SSH Access setting should be configured appropriately.

CCE-26677-5
Disable Mounting of udf setting should be configured appropriately.

CCE-26933-2
Configure auditd to use audispd plugin setting should be configured appropriately.

CCE-27060-3
Remove SSH Server iptables Firewall exception (Unusual) setting should be configured appropriately.

CCE-27143-7
Disable Samba setting should be configured appropriately.

CCE-26648-6
Record Events that Modify the System's Network Environment setting should be configured appropriately.

CCE-27070-2
The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command: # chkconfig --level 2345 crond on

CCE-26922-5
Disable Dovecot Service setting should be configured appropriately.

CCE-27236-9
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server setting should be configured appropriately.

CCE-27001-7
Disable Kernel Parameter for Sending ICMP Redirects by Default setting should be configured appropriately.

CCE-26883-9
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests setting should be configured appropriately.

CCE-26670-0
Disable Mounting of jffs2 setting should be configured appropriately.

CCE-27184-1
Record Events that Modify the System's Discretionary Access Controls - removexattr setting should be configured appropriately.

CCE-27262-5
Disable Red Hat Subscription Manager Daemon (rhsmcertd) setting should be configured appropriately.

CCE-27558-6
Disable Server Side Includes setting should be configured appropriately.

CCE-27069-4
If SplitHosts is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that information is almost always necessary. SplitHosts = yes

CCE-27026-4
Verify User Who Owns gshadow File setting should be configured appropriately.

CCE-27522-2
Configure auditd Number of Logs Retained setting should be configured appropriately.

CCE-27153-6
Disable IPv6 Networking Support Automatic Loading setting should be configured appropriately.

CCE-27098-3
Specify a Remote NTP Server setting should be configured appropriately.

CCE-26973-8
The cpuspeed service can adjust the clock speed of supported CPUs based upon the current processing load thereby conserving power and reducing heat. The cpuspeed service can be disabled with the following command: # chkconfig cpuspeed off

CCE-27058-7
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: # chkconfig --level 2345 auditd on

CCE-27265-8
Disable System Statistics Reset Service (sysstat) setting should be configured appropriately.

CCE-27442-3
Disable Proxy Support setting should be configured appropriately.

CCE-27593-3
Ensure Default Password Is Not Used setting should be configured appropriately.

CCE-27031-4
Set Daemon Umask setting should be configured appropriately.

CCE-27457-1
Limit the Number of Concurrent Login Sessions Allowed Per User setting should be configured appropriately.

CCE-27167-6
Ensure Insecure File Locking is Not Allowed setting should be configured appropriately.

CCE-26340-0
Disable Mounting of cramfs setting should be configured appropriately.

CCE-27414-2
Specify UID and GID for Anonymous NFS Connections setting should be configured appropriately.

CCE-26979-5
Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces setting should be configured appropriately.

CCE-27015-7
Disable Kernel Parameter for Accepting ICMP Redirects By Default setting should be configured appropriately.

CCE-27272-4
Ensure tftp Daemon Uses Secure Mode setting should be configured appropriately.

CCE-27172-6
Record Attempts to Alter the localtime File setting should be configured appropriately.

CCE-26780-7
Disable Postfix Network Listening setting should be configured appropriately.

CCE-26822-7
Verify User Who Owns group File setting should be configured appropriately.

CCE-27010-8
Install PAE Kernel on Supported 32-bit x86 Systems setting should be configured appropriately.

CCE-26651-0
Ensure auditd Collects File Deletion Events by User setting should be configured appropriately.

CCE-27525-5
Install mod_security setting should be configured appropriately.

CCE-27074-4
The dhcpd service should be disabled on any system that does not need to act as a DHCP server. The dhcpd service can be disabled with the following command: # chkconfig dhcpd off

CCE-26664-3
Record Events that Modify User/Group Information setting should be configured appropriately.

CCE-27267-4
Disable Certmonger Service (certmonger) setting should be configured appropriately.

CCE-27161-9
Disable Interface Usage of IPv6 setting should be configured appropriately.

CCE-26868-0
Verify Permissions on passwd File setting should be configured appropriately.

CCE-27063-7
Configure the lockd daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line: LOCKD_UDPPORT=lockd-port Where lockd-port is a port which is not used by any other service on your network ...

CCE-26966-2
Ensure that System Accounts Do Not Run a Shell Upon Login setting should be configured appropriately.

CCE-27034-8
Ensure the Default C Shell Umask is Set Correctly setting should be configured appropriately.

CCE-26917-5
Ensure the Default Bash Umask is Set Correctly setting should be configured appropriately.

CCE-27308-6
Prevent Other Programs from Using Avahi's Port setting should be configured appropriately.

CCE-26930-8
Verify Group Who Owns group File setting should be configured appropriately.

CCE-27087-6
The avahi-daemon service can be disabled with the following command: # chkconfig avahi-daemon off

CCE-26919-1
The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive ...

CCE-27013-2
The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ...

CCE-26855-7
The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles ...

CCE-26985-2
The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ...

CCE-26988-6
The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days. Rationale: Providing an advance warning that a password will be expiring g ...

CCE-27283-1
User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled. Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed l ...

CCE-27014-0
The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog. Rationale: By keeping the log files smaller and ...

CPE    1
cpe:/o:centos:centos:6
*XCCDF
xccdf_org.secpod_benchmark_general_CENTOS_6
OVAL    306
oval:org.secpod.oval:def:21967
oval:org.secpod.oval:def:21968
oval:org.secpod.oval:def:21965
oval:org.secpod.oval:def:21966
...

© SecPod Technologies