CCE-95504-7
Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to ...

CCE-95519-5
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed login events. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The /var/run/faillock directory maint ...

CCE-95490-9
Description: The rsyncd service can be used to synchronize files between systems over network links. Rationale: The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Audit: Run the following command to verify rsyncd is not enabled: # systemctl is-enable ...

CCE-95503-9
Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ...

CCE-95400-8
Description Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and ...

CCE-95482-6
The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network. If the system does not export NFS shares or act as an NFS client, it is recommended that ...

CCE-95406-5
Description SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening bac ...

CCE-95429-7
Description: The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. Audi ...

CCE-95470-1
Description: Any account with UID 0 has superuser privileges on the system. Rationale: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ens ...

CCE-95493-3
Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/sysconfig/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the i ...

CCE-95417-2
Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group. Rationale Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed. Audit Run ...

CCE-95419-8
Description: All users should have a password change date in the past. Rationale: If a user's recorded password change date is in the future then they could bypass any set password expiration. Remediation: Investigate any users with a password change date in the future and co ...

CCE-95460-2
Description: While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system p ...

CCE-95483-4
Description: The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service. Rationale: /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service Audit: Run the following command and verify that the nftables service ...

CCE-95407-3
Description The INFO parameter specifies that login and logout activity will be logged. Rationale SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that i ...

CCE-95494-1
Description: rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and p ...

CCE-95471-9
Description: Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field. Rationale: User groups must be assigned unique GIDs for accountability and to ensure appropriate acces ...

CCE-95418-0
Description: Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist. Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment ...

CCE-95461-0
Description: The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root. Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users. Audit: Run the following c ...

CCE-95484-2
Description: The cron daemon is used to execute batch jobs on the system. Rationale: While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run. If another method for scheduling tasks is not being ...

CCE-95408-1
Description The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is, the more open unauthenticated connections can exist. Like other session controls in this section, the Grace Period should be limited to appropriate orga ...

CCE-95472-7
Description: Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Rationale: Users must be assigned unique UIDs for accountability and to ensure appropriate access prot ...

CCE-95462-8
Description: System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Rationale: Time synchronization is important to support time sensi ...

CCE-95485-9
Description: firewalld.service enables the enforcement of firewall rules configured through firewalld Rationale: Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld Remediation: Run the following command to unmask firewalld # systemctl ...

CCE-95409-9
Description The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. Rationale Setting the MaxAuthTries paramete ...

CCE-95473-5
Description: Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name. Rationale: If a user is assigned a duplicate user name, it will create and have access to files with the fi ...

CCE-95450-3
Description: The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Rationale: This file contains information on what system jobs are run by cron. Write acce ...

CCE-95496-6
Description: This variable limits the types of MAC algorithms that SSH can use during communication. The only "strong" MACs currently FIPS 140-2 approved are hmac-sha2-256 and hmac-sha2-512 The Supported MACs are: hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac- ...

CCE-95523-7
Description: In ip6tables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to 'DROP' implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. F ...

CCE-95500-5
Description: Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail. ...

CCE-95402-4
Description The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale If the system will not need to act as an LDAP client, it is recommended that the software b ...

CCE-95448-7
Description: The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: It is critical to ensure that the /etc/gshadow- file is protected from unauthorized acces ...

CCE-95413-1
Description The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. Rationale Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 se ...

CCE-95459-4
Description: An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to ...

CCE-95436-2
Description: The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp . Audit: Ve ...

CCE-95438-8
Description: The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp . Audit: Ve ...

CCE-95524-5
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...

CCE-95501-3
Description: Turn on the auditd daemon to record system events. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. Audit: Run the following command to verify auditd is enabled: ...

CCE-95426-3
Description: The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user. Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged use ...

CCE-95403-2
A properly configured firewall is one of the most important aspects of overall system security. FirewallD is a complete firewall solution that manages the system's iptables rules and provides a D-Bus interface for operating on them. Starting with CentOS 7, FirewallD replaces iptables as the default ...

CCE-95449-5
Description: The /etc/group- file contains a backup list of all the valid groups defined in the system. Rationale: It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadverten ...

CCE-95437-0
Description: The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp . Audit: Verify that the ...

CCE-95414-9
Description The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these ...

CCE-95525-2
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback net ...

CCE-95480-0
Description: Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. Rationale: Storing log data on a remote hos ...

CCE-95404-0
Description SELinux provides Mandatory Access Controls. Rationale Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available. Audit Run the following command and verify libselinux is installed: # rpm -q libselinux libselinux ...

CCE-95427-1
The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds. Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn' ...

CCE-95491-7
Description: The .forward file specifies an email address to forward the user's mail to. Rationale: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute co ...

CCE-95415-6
Description The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login. Rationale Un ...

CCE-95481-8
Description User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled. Rationale Inactive accounts pose a threat to system security since the users are no ...

CCE-95405-7
Description Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters. Rationale SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden. Audit Run the following command ...

CCE-95428-9
Description: A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources. ...

CCE-95439-6
Description: The /home directory is used to support disk storage needs of local users. Rationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /h ...

CCE-95416-4
Description The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/ ...

CCE-95421-4
Description: The backlog limit has a default setting of 64. Rationale: The backlog limit has a default setting of 64; during boot, if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go ...

CCE-95444-6
Description: The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: It is critical to ensure that the /etc/shadow- file is protected from unauthorized ...

CCE-95467-7
Description: sudo can use a custom log file Rationale: A sudo log file simplifies auditing of sudo commands Audit: Verify that sudo has a custom log file configured Run the following command: # grep -Ei ^\s*Defaults\s+([^#]+,\s*)?logfile= /etc/sudoers /etc/sudoers.d/* Remediation: edit the fi ...

CCE-95432-1
Description: The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Audit: Verify that the no ...

CCE-95455-2
Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, b ...

CCE-95478-4
Description: The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. Rationale: Uncompressed large files may unexpectedly fill a filesystem, leading to resource unavailability. Compressing logs prior ...

CCE-95520-3
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP ...

CCE-95445-3
Description: The /etc/passwd- file contains backup user account information. Rationale: It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious ...

CCE-95422-2
Description: auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurrin ...

CCE-95468-5
Description: sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. Rationale: sudo supports a plugin arc ...

CCE-95479-2
Description: Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. Rationale: Writing log data to disk will provide the ability to fore ...

CCE-95456-0
Description: The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg and grubenv stored in /boot/grub2/ Rationale: Setting the permissions to read and write for root only prevents non-root users from s ...

CCE-95410-7
Description The parameter specifies the maximum number of open sessions permitted from a given connection. Rationale To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and pre ...

CCE-95433-9
Description: The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp . Audit: Verify tha ...

CCE-95521-1
Description: In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Fix: To set th ...

CCE-95423-0
Description: Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd. Rationale: Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected. Note: This recomme ...

CCE-95469-3
Description: sudo can be configured to run only from a pseudo-pty. Rationale: Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing. Audit: Verify that sudo can only run other commands from a pseudo-p ...

CCE-95434-7
Description: The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp . Audit: Verify that the noexec ...

CCE-95411-5
Description The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Rationale To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups ...

CCE-95457-8
Description: Log files stored in /var/log/ contain logged information from many services on the system or, on log hosts, from other systems as well. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Audit: Run the follo ...

CCE-95522-9
Description: In ip6tables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. Fix: To set t ...

CCE-95401-6
Description The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability. Rationale If the ...

CCE-95447-9
Description: The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Rationale: If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information ...

CCE-95424-8
Description: Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot param ...

CCE-95412-3
Description UsePAM Enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types Rationale When usePAM i ...

CCE-95435-4
Description: The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp . Audit: Verify that the nosuid option is set ...

CCE-95458-6
Description: An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be ...

CCE-95440-4
Description: The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Rationale: Since the /var directory may contain world-writable files and directories, there is a risk of resource exh ...

CCE-95463-6
Description: An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. Remediation: If any accounts in the /etc/shadow ...

CCE-95497-4
Description: The vFAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. Rationale: Removing support for unneeded filesystem types reduces t ...

CCE-95451-1
Description: The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and searc ...

CCE-95474-3
Description: Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name. Rationale: If a group is assigned a duplicate group name, it will create and have access to files with the ...

CCE-95441-2
Description: The /var/log directory is used by system services to store log data. Rationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. Au ...

CCE-95464-4
Description: The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group. Rationale: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read ...

CCE-95498-2
Description autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives. Rationale With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked permissions to mount it themselves. ...

CCE-95475-0
Description: nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. nftables are installed as a dependency with firewalld. Rationale: Running firewalld and nftables concurrently may lead to conflict, ...

CCE-95452-9
Description: The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and sea ...

CCE-95442-0
Description: The auditing daemon, auditd , stores log data in the /var/log/audit directory. Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) ...

CCE-95488-3
Description: Once the rsyslog package is installed it needs to be activated. Rationale: If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead. Audit: Run the following command to verify rsyslog is enabled: # systemctl is-enabled rsyslog en ...

CCE-95465-1
Description: While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these. Rationale: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system pri ...

CCE-95499-0
Description: Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. Rationale: Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorize ...

CCE-95430-5
Description: The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions. Audit: Verify that ...

CCE-95453-7
Description: This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to use ...

CCE-95476-8
Description iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables. Rationale iptables is required for firewall management and configuration. Audit Run the following command ...

CCE-95489-1
Description: The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RP ...

CCE-95420-6
Description: Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the ...

CCE-95466-9
Description: While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. Rationale: .netrc files may contain unencrypted passwords that may be used to attack other systems. Remediation: Making global modifications to users' files wit ...

CCE-95443-8
Description: The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In additio ...

CCE-95454-5
Description: The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search ...

CCE-95431-3
Description: The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. Audit: Verify that the nosuid option i ...

CCE-95477-6
Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion. Audit: Run the following comma ...

CCE-90901-0
To set the runtime status of the 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter, run the following command:

CCE-90947-3
The 'gpgcheck' option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in '/etc/yum.conf' in the '[main]' section: 'gpgcheck=1'

CCE-90672-7
At a minimum the audit system should collect administrator actions for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/ ...

CCE-90717-0
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. Edit the files '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' (if IPv6 is in use). In each file, locate and delete the line: ' ...

CCE-90815-2
To prevent Dovecot from attempting plaintext authentication of clients, edit '/etc/dovecot/conf.d/10-auth.conf' and add or correct the following line: 'disable_plaintext_auth = yes'

CCE-90891-3
To set the runtime status of the 'net.ipv4.conf.all.send_redirects' kernel parameter, run the following command:

CCE-90958-0
To ensure an idle SSH session is dropped as soon as the interval set by 'ClientAliveInterval' passes without a response from the client, edit '/etc/ssh/sshd_config' as follows: 'ClientAliveCountMax 0'

CCE-90912-7
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line i ...

CCE-90660-2
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90902-8
To set the runtime status of the 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter, run the following command:

CCE-90827-7
Edit '/etc/snmp/snmpd.conf', remove default community string 'public'. Upon doing that, restart the SNMP service: '$ sudo service snmpd restart'

CCE-90619-8
Rsyslog is installed by default. The 'rsyslog' package can be installed with the following command: '$ sudo yum install rsyslog'

CCE-90673-5
Add the following to '/etc/audit/audit.rules' in order to make the configuration immutable: '-e 2' It must be the last line of the rule set: once the kernel is in immutable mode, auditctl rejects further rule changes, so any rules listed after it are never loaded. With this setting, a reboot will be required to change any audit rules.

CCE-90946-5
The pam_pwquality module's 'ucredit=' parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length cre ...

CCE-90969-7
To properly set the group owner of '/etc/shadow', run the command:

CCE-90718-8
By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the '/etc/ssh/sshd_config' file: 'DenyUsers USER1 USER2' Where 'USER1' and 'USER2' ar ...

CCE-95505-4
Description: chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. chrony can be configured to be a client and/or a server. Rationale: If chrony is in use on the system ...

CCE-95517-9
Description: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages ...

CCE-90685-9
The 'tftp-server' package can be removed with the following command: '$ sudo yum erase tftp-server'

CCE-90934-1
To configure the system to lock out accounts after a number of incorrect login attempts using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'before' the 'pam_unix.so' statement in the 'AUTH' sect ...

CCE-90892-1
To set the runtime status of the 'net.ipv4.ip_forward' kernel parameter, run the following command:

CCE-90661-0
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90805-3
Install the 'security' module: '$ sudo yum install mod_security'

CCE-90903-6
To set the runtime status of the 'net.ipv4.tcp_syncookies' kernel parameter, run the following command:

CCE-90926-7
To properly set the group owner of '/etc/gshadow', run the command:

CCE-90836-8
The 'talk' package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user.

CCE-90813-7
This option tells Dovecot where to find the mail server's SSL Certificate. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line (

CCE-90937-4
To properly set the owner of '/etc/group', run the command:

CCE-90848-3
To disable core dumps for all users, add the following line to '/etc/security/limits.conf': '* hard core 0'

CCE-90825-1
The 'net-snmp' package provides the snmpd service. The 'net-snmp' package can be removed with the following command: '$ sudo yum erase net-snmp'

CCE-90617-2
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the 'tipc' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90671-9
At a minimum the audit system should collect media exportation events for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/aud ...

CCE-90925-9
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the 'dccp' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90837-6
To configure the system to prevent the 'udf' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90814-5
This option tells Dovecot where to find the mail server's SSL Key. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line (

CCE-90780-8
Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options: 'write_enable=NO' If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as ...

CCE-90682-6
The 'ypserv' package can be uninstalled with the following command: '$ sudo yum erase ypserv'

CCE-90936-6
Do not allow users to reuse recent passwords. This can be accomplished by using the 'remember' option for the 'pam_unix' PAM module. In the file '/etc/pam.d/system-auth', append 'remember=5' to the line which refers to the 'pam_unix.so' module, as shown: 'password sufficient pam_unix.so

CCE-90890-5
To set the runtime status of the 'net.ipv4.conf.default.send_redirects' kernel parameter, run the following command:

CCE-90849-1
To set the runtime status of the 'fs.suid_dumpable' kernel parameter, run the following command:

CCE-90618-0
The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The 'libreswan' package can be installed with the following command: '$ sudo yum install libreswan'

CCE-90966-3
System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should be owned by the 'root' user. If any file

CCE-90759-2
To specify the UID and GID for remote root users, edit the '/etc/exports' file and add the following for each export: anonuid='value greater than UID_MAX from /etc/login.defs' anongid='value greater than GID_MAX from /etc/login.defs' Alternatively, functionally equivalent values of 60001, 65534, ...

CCE-90868-1
The pam_pwquality module's 'maxrepeat' parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the 'maxrepeat' setting in '/etc/security/pwquality.conf' to prev ...

CCE-90834-3
To configure the system to prevent the 'squashfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90627-1
The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over TCP: $ModLoad imtcp $InputTCPServerRun 514

CCE-90748-5
Ensure a copy of a trusted CA certificate has been placed in the file '/etc/pki/tls/CA/cacert.pem'. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file '/etc/pam_ldap.conf', and add or correct either of the following lines: 'tls_cacertdir /etc/pki/tl ...

CCE-95511-2
Additional NTP servers can be specified for time synchronization in the file '/etc/ntp.conf'. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for

CCE-90954-9
The telnet client allows users to start connections to other systems via the telnet protocol.

CCE-90811-1
To configure the system to prevent the 'hfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90638-8
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by 'auditd', add or correct the line in '/etc/audit/auditd.conf': 'max_log_file_action = ACTION' Possible values for

CCE-90800-4
To configure the system to prevent the 'jffs2' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90823-6
To configure the system to prevent the 'hfsplus' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90615-6
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in '/etc/sysconfig/iptables': ':FORWARD DROP [0:0]'

CCE-90869-9
To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'be ...

CCE-90714-7
The 'cronie-anacron' package, which provides 'anacron' functionality, is installed by default. The 'cronie-anacron' package can be removed with the following command: '$ sudo yum erase cronie-anacron'

CCE-90737-8
Ensure that the following line exists in '/etc/rsyslog.conf': 'daemon.* /var/log/daemon.log' Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process.

CCE-90988-7
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in '/etc/ssh/sshd_config': 'Banner /etc/issue' Another section contains information on how to create an appropriate system-wide warning banner.

CCE-90605-7
To set the runtime status of the 'net.ipv6.conf.default.accept_redirects' kernel parameter, run the following command:

CCE-90812-9
To allow clients to make encrypted connections the 'ssl' flag in Dovecot's configuration file needs to be set to 'yes'. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line: 'ssl = yes'

CCE-90976-2
The pam_pwquality module's 'ocredit=' parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquali ...

CCE-90953-1
Only SSH protocol version 2 connections should be permitted. The default setting in '/etc/ssh/sshd_config' is correct, and can be verified by ensuring that the following line appears: 'Protocol 2'

CCE-90628-9
The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over UDP: $ModLoad imudp $UDPServerRun 514

CCE-90930-9
SSH's cryptographic host-based authentication is more secure than '.rhosts' authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in '/etc/ssh/sshd_config': 'Host ...

CCE-90726-1
To prevent other mDNS stacks from running, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'disallow-other-stacks=yes'

CCE-90749-3
The 'openldap-servers' package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. '$ sudo yum erase openldap-servers' The openldap-servers RPM is not installed by default on CentOS 7 machines. It is needed only by the OpenLDAP server, not by the clients ...

CCE-90604-0
To set the runtime status of the 'net.ipv6.conf.default.accept_ra' kernel parameter, run the following command:

CCE-90835-0
The 'talk-server' package can be removed with the following command: '$ sudo yum erase talk-server'

CCE-90639-6
The 'auditd' service can be configured to take an action when disk space

CCE-94443-9
Description: Instruct users to begin new terminal sessions with the following command: '$ tmux' The console can now be locked with the following key combination: 'ctrl+a x' To enable console screen locking, install the 'tmux' package: '$ sudo yum install tmux'

CCE-90616-4
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the 'rds' kernel module from being loaded, add the following line to a file in the direc ...

CCE-90847-5
The file '/etc/init.d/functions' includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for

CCE-90922-6
The SELinux state should be set to 'enforcing' at system boot time. In the file '/etc/selinux/config', add or correct the following line to configure the system to boot into enforcing mode: 'SELINUX=enforcing'

CCE-90945-7
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in '/etc/ssh/sshd_config': 'PermitUserEnvironment no'

CCE-90636-2
Determine how many log files 'auditd' should retain when it rotates logs. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90968-9
In '/etc/login.defs', add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: 'ENCRYPT_METHOD SHA512'

CCE-90832-7
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ('ypbind') was used to bind a machine to an NIS server and receive the distributed configuration files.

CCE-90648-7
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-w /etc/localtime -p wa -k audit_time_rules' If the 'auditd' daemon is configure ...

CCE-90625-5
To configure rsyslog to send logs to a remote log server, open '/etc/rsyslog.conf' and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs t ...

CCE-90602-4
Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6. Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system. Fix: Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all ...

CCE-95502-1
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system ...

CCE-90956-4
In '/etc/libuser.conf', add or correct the following line in its '[defaults]' section to ensure the system will use the SHA-512 algorithm for password hashing: 'crypt_style = sha512'

CCE-90933-3
To properly set the permissions of '/etc/passwd', run the command:

CCE-90746-9
Edit '/etc/postfix/main.cf', and add or correct the following line, substituting some other wording for the banner information if you prefer: 'smtpd_banner = $myhostname ESMTP'

CCE-90979-6
To properly set the permissions of '/etc/gshadow', run the command:

CCE-90659-4
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90711-3
The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file '/etc/sysconfig/prelink': 'PRELINKING=no' Next, run the following command to return binaries to a normal, non-prelinked state: '$ sudo /usr/ ...

CCE-90967-1
To specify password length requirements for new accounts, edit the file '/etc/login.defs' and add or correct the following lines: 'PASS_MIN_LEN 14

CCE-90921-8
To properly set the owner of '/etc/shadow', run the command:

CCE-90637-0
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting the correct value for

CCE-90821-0
The 'squid' package can be removed with the following command: '$ sudo yum erase squid'

CCE-90833-5
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP provides neither authentication nor encryption, so anyone on the network path can read or alter the transferred files. The package 'tftp' is a client program that allows for connections to a 'tft ...

CCE-90649-5
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d', setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit ...

CCE-90626-3
The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are

CCE-90769-1
To remove the 'bind' package, which contains the 'named' service, run the following command: '$ sudo yum erase bind'

CCE-90955-6
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in '/etc/ssh/sshd_config' demonstrates use of FIPS-approved ciphers: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc, ...

CCE-90978-8
To properly set the owner of '/etc/gshadow', run the command:

CCE-90810-3
The 'dovecot' package can be uninstalled with the following command: '$ sudo yum erase dovecot'

CCE-90614-9
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in '/etc/sysconfig/iptables': ':INPUT DROP [0:0]'

CCE-90712-1
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the 'usb-storage' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe. ...

CCE-90920-0
Utilizing 'pam_faillock.so', the 'fail_interval' directive sets the window, in seconds, within which consecutive failed login attempts must occur to count toward the lockout threshold. Modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'before' the 'pam_uni ...

CCE-90732-9
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The 'dhcp' package can be removed with the following command: '$ sudo yum erase dhcp'

CCE-90611-5
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in '/etc/sysconfig/ip6tables': ':INPUT DROP [0:0]' If changes were required, reload the ip6tables rules: '$ sudo service ip6tables reload'

CCE-90899-6
To set the runtime status of the 'net.ipv4.conf.default.secure_redirects' kernel parameter, run the following command:

CCE-90669-3
At a minimum the audit system should collect unauthorized file accesses for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/ ...

CCE-90973-9
The SELinux 'targeted' policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in '/etc/selinux/config': 'SELINUXTYPE=targeted' Other policies, such as 'mls', provide additio ...

CCE-90830-1
The 'mcstransd' daemon provides category label information to client processes requesting information. The label translations are defined in '/etc/selinux/targeted/setrans.conf'. The 'mcstrans' package can be removed with the following command: '$ sudo yum erase mcstrans'

CCE-90876-4
To ensure the default umask controlled by '/etc/login.defs' is set properly, add or correct the 'UMASK' setting in '/etc/login.defs' to read as follows: 'UMASK 077

CCE-90657-8
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90865-7
The '.netrc' files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any '.netrc' files should be ...

CCE-90778-2
To configure the system to prevent the 'cramfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90961-4
To properly set the permissions of '/etc/shadow', run the command:

CCE-90831-9
The 'rsh' package contains the client commands for the rsh services.

CCE-90647-9
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules' If the system i ...

CCE-90744-4
Edit the file '/etc/postfix/main.cf' to ensure that only the following 'inet_interfaces' line appears: 'inet_interfaces = localhost'

CCE-90972-1
To configure the number of retry prompts that are permitted per-session: Edit the 'pam_pwquality.so' statement in '/etc/pam.d/system-auth' to show 'retry=3', or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.

CCE-90919-2
In some installations, AIDE is not installed automatically. Rationale: Ensure AIDE is installed to make use of the file integrity features to monitor critical files for changes that could affect the security of the system.

CCE-90658-6
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90779-0
Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option: 'local_enable=NO' If non-anonymous FTP logins are nec ...

CCE-90960-6
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of co ...

CCE-90964-8
The pam_pwquality module's 'lcredit' parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length cred ...
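
The credit parameters described in the entries above (dcredit, ucredit, lcredit, ocredit), together with maxrepeat and minlen, interact, while each entry describes one of them in isolation. The following added example, which is not text or code from the CCE entries, re-implements the documented rule set in shell so that a candidate password can be scored and the exact reason for a rejection reported. It is a re-implementation of the documented semantics, not a call into libpwquality, and the policy values used in the demo (minlen 14, every credit -1, maxrepeat 3) are assumptions rather than values stated in the entries.

```shell
#!/bin/sh
# Added example: apply pam_pwquality's documented credit rules to a password.
# This re-implements the documented semantics; it is not libpwquality itself.
# Byte-oriented (LC_ALL=C), so it agrees with pam_pwquality for ASCII passwords.
export LC_ALL=C

# Number of characters of one tr(1) class in the password.
pwq_count() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# Longest run of one character repeated consecutively.
pwq_longest_repeat() {
    local s=$1 prev="" run=0 best=0 c
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}            # first character, then the rest
        if [ "$c" = "$prev" ]; then run=$((run + 1)); else run=1; prev=$c; fi
        [ "$run" -gt "$best" ] && best=$run
    done
    echo "$best"
}

# One credit parameter: a negative value is a hard minimum for that class and
# earns no credit; a positive value grants +1 length credit per character of
# the class, capped at the value. Prints the credit earned; returns 1 when a
# hard minimum is not met.
pwq_credit() {
    local count=$1 credit=$2
    if [ "$credit" -lt 0 ]; then
        [ "$count" -ge $((0 - credit)) ] || return 1
        echo 0
    elif [ "$count" -lt "$credit" ]; then
        echo "$count"
    else
        echo "$credit"
    fi
}

# pwq_check PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT MAXREPEAT
# Returns 0 when the password passes; otherwise prints the reason and returns 1.
pwq_check() {
    local pw=$1 minlen=$2 dcredit=$3 ucredit=$4 lcredit=$5 ocredit=$6 maxrepeat=$7
    local len d u l o c credits=0 class
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    d=$(pwq_count "$pw" '[:digit:]')
    u=$(pwq_count "$pw" '[:upper:]')
    l=$(pwq_count "$pw" '[:lower:]')
    o=$((len - d - u - l))                   # "other": everything that is left
    for class in "digit $d $dcredit" "uppercase $u $ucredit" \
                 "lowercase $l $lcredit" "other $o $ocredit"; do
        set -- $class                        # name count credit
        if ! c=$(pwq_credit "$2" "$3"); then
            echo "REJECT: needs at least $((0 - $3)) $1 character(s), has $2"
            return 1
        fi
        credits=$((credits + c))
    done
    if [ "$maxrepeat" -gt 0 ] && [ "$(pwq_longest_repeat "$pw")" -gt "$maxrepeat" ]; then
        echo "REJECT: more than $maxrepeat consecutive identical characters"
        return 1
    fi
    if [ $((len + credits)) -lt "$minlen" ]; then
        echo "REJECT: length $len plus $credits credit(s) is below minlen $minlen"
        return 1
    fi
    echo "OK: length $len plus $credits credit(s) meets minlen $minlen"
}

# Demo with assumed policy values: minlen 14, every credit -1, maxrepeat 3.
for pw in 'Correct-Horse7' 'correcthorse12' 'Passw0rd!' 'Baaaad-Passw0rd!'; do
    printf '%-18s %s\n' "$pw" "$(pwq_check "$pw" 14 -1 -1 -1 -1 3 || true)"
done
# With positive credits a shorter password can still reach minlen via credits.
printf '%-18s %s\n' 'Tr0ub4dor&3' "$(pwq_check 'Tr0ub4dor&3' 14 1 1 1 1 0 || true)"
```

Two cases are worth noticing in the output: with every credit negative the password has to reach minlen on raw length, whereas with positive credits the 11-character 'Tr0ub4dor&3' is accepted because each character class earns a length credit. That is why hardening guides use negative values: a positive credit quietly lowers the effective minimum length.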

CCE-90941-6
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are stored in '/lib/modules'. All files in the ...

CCE-90987-9
To configure the system login banner: Edit '/etc/issue'. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use ...

CCE-90776-6
Add or correct the following configuration options within the 'vsftpd' configuration file, located at '/etc/vsftpd/vsftpd.conf': xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES

CCE-90655-2
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90874-9
To ensure the default umask for users of the C shell is set properly, add or correct the 'umask' setting in '/etc/csh.cshrc' to read as follows: 'umask 077

CCE-90644-6
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules' If the system is ...

CCE-90975-4
If any password hashes are stored in '/etc/passwd' (in the second field, instead of an 'x'), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
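
The entry above, the non-login-shell entry (CCE-90912-7) and the SHA-512 hashing entries (ENCRYPT_METHOD SHA512) can all be checked from copies of /etc/passwd and /etc/shadow. The following is an added example rather than content from the CCE entries; it runs three awk checks over constructed fixture files whose hashes are placeholders in the right format. The UID_MIN of 1000 and the list of utility accounts allowed to keep a special shell (sync, shutdown, halt) are assumptions taken from CentOS 7 defaults.

```shell
#!/bin/sh
# Added example: audit local account databases. The functions take file paths,
# so they can be pointed at /etc/passwd and /etc/shadow on a real host (as root)
# or at fixtures like the ones built below.

# Accounts whose passwd(5) second field is not "x": a hash (or nothing at all)
# is stored in world-readable /etc/passwd instead of /etc/shadow.
passwd_hashes_in_passwd() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Accounts whose shadow(5) hash is not SHA-512 ("$6$") or which have an empty
# password. "!"/"!!" (locked, no hash) and "*" (disabled) are skipped; a "!"
# in front of a real hash is only a lock, so the hash beneath it is still judged.
shadow_weak_hashes() {
    awk -F: '{
        h = $2; sub(/^!+/, "", h)
        if ($2 != "" && h == "") next        # locked, nothing to judge
        if (h == "*") next                   # disabled
        if (h !~ /^\$6\$/) print $1          # empty or a non-SHA-512 hash
    }' "$1"
}

# System accounts (UID below UID_MIN) that still have a login shell. UID_MIN is
# 1000 on CentOS 7 (/etc/login.defs); root and the sync/shutdown/halt utility
# accounts keep their special shells by design. Both are assumptions here.
system_accounts_with_shell() {
    awk -F: -v uid_min=1000 '
        $3 < uid_min && $1 != "root" && $1 != "sync" &&
        $1 != "shutdown" && $1 != "halt" &&
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" {
            print $1 " (uid " $3 ", shell " $7 ")"
        }' "$1"
}

# Constructed fixtures; the hashes are placeholders in the right format, not real.
FIXTURES=$(mktemp -d); trap 'rm -rf "$FIXTURES"' EXIT
PASSWD_SAMPLE=$FIXTURES/passwd; SHADOW_SAMPLE=$FIXTURES/shadow
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
legacyapp:$1$saltsalt$PLACEHOLDERMD5HASHxxxxx:600:600::/opt/legacy:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
EOF
cat >"$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
sync:*:18000:0:99999:7:::
postgres:!!:18000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
bob:!$1$saltsalt$PLACEHOLDERMD5HASHxxxxx:18000:0:99999:7:::
carol::18000:0:99999:7:::
EOF

echo "hash stored in passwd:";      passwd_hashes_in_passwd "$PASSWD_SAMPLE"
echo "weak or empty shadow hash:";  shadow_weak_hashes "$SHADOW_SAMPLE"
echo "system account with shell:";  system_accounts_with_shell "$PASSWD_SAMPLE"
```

The locked account bob is still reported: a leading "!" only prevents logins today, and the MD5 hash underneath it becomes usable again the moment someone runs passwd -u. Accounts like carol with an empty hash field are reported for the opposite reason: there is no password to crack.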

CCE-90952-3
To properly set the group owner of '/etc/group', run the command:

CCE-90851-7
To set the runtime status of the 'kernel.randomize_va_space' kernel parameter, run the following command:

CCE-90897-0
To set the runtime status of the 'net.ipv4.conf.default.accept_source_route' kernel parameter, run the following command:

CCE-90963-0
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the 'sctp' kernel module from being loaded, add the following lin ...

CCE-90986-1
At a minimum the audit system should collect file deletion events for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/r ...

CCE-90875-6
To ensure the default umask controlled by '/etc/profile' is set properly, add or correct the 'umask' setting in '/etc/profile' to read as follows: 'umask 077

CCE-90898-8
To set the runtime status of the 'net.ipv4.conf.default.accept_redirects' kernel parameter, run the following command:
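
The kernel-parameter entries in this listing stop at "run the following command:", and none of them covers the step that most often fails in practice: making sure the persistent configuration will restore the value at the next boot. The following added example, not code from the CCE entries, resolves a parameter's persistent value the way systemd-sysctl does (every *.conf file in lexical order, last assignment wins) and compares it with a target table. On CentOS 7 /etc/sysctl.conf is applied through the symlink /etc/sysctl.d/99-sysctl.conf, so any drop-in whose name sorts after it overrides it; the constructed fixture shows a container runtime's drop-in re-enabling ip_forward. The target values are the usual CentOS 7 hardening settings and are an assumption, since the entries name the parameters without their values.

```shell
#!/bin/sh
# Added example: check the persistent sysctl configuration for the kernel
# parameters named in the entries above. Models systemd-sysctl precedence:
# all *.conf in the directory are applied in lexical order, last write wins.

# Persistent value of PARAM across DIR/*.conf (empty if never set).
sysctl_persistent_value() {
    local dir=$1 param=$2 f v value=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -v p="$param" '
            { sub(/#.*/, "") }                       # strip comments
            index($0, "=") == 0 { next }
            { k = substr($0, 1, index($0, "=") - 1)
              val = substr($0, index($0, "=") + 1)
              gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
              gsub("/", ".", k)                      # net/ipv4/ip_forward form
              if (k == p) last = val }               # last assignment in file
            END { if (last != "") print last }' "$f")
        [ -n "$v" ] && value=$v                      # later file overrides
    done
    printf '%s\n' "$value"
}

# Target values for the parameters in the entries above. The entries list the
# names only; these values are the usual CentOS 7 hardening settings (assumed).
SYSCTL_EXPECTED='
net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv6.conf.default.accept_redirects 0
net.ipv6.conf.default.accept_ra 0
kernel.randomize_va_space 2
fs.suid_dumpable 0
'

# Report every parameter whose persistent value differs from the target.
# Returns 1 if there was at least one finding.
sysctl_audit_all() {
    local dir=$1 rc=0 param expected actual
    while read -r param expected; do
        [ -n "$param" ] || continue
        actual=$(sysctl_persistent_value "$dir" "$param")
        if [ "$actual" != "$expected" ]; then
            printf 'FAIL %-45s persistent=%-7s expected=%s\n' \
                "$param" "${actual:-<unset>}" "$expected"
            rc=1
        fi
    done <<EOF
$SYSCTL_EXPECTED
EOF
    return $rc
}

# Constructed fixture standing in for /etc/sysctl.d on CentOS 7.
SYSCTL_DIR=$(mktemp -d); trap 'rm -rf "$SYSCTL_DIR"' EXIT
cat >"$SYSCTL_DIR/99-sysctl.conf" <<'EOF'
# stand-in for /etc/sysctl.conf, which systemd sees as 99-sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_ra = 0
kernel.randomize_va_space = 2
EOF
cat >"$SYSCTL_DIR/99-zz-container.conf" <<'EOF'
# a container runtime's drop-in; sorts after 99-sysctl.conf and so wins
net/ipv4/ip_forward = 1
EOF

sysctl_audit_all "$SYSCTL_DIR" || echo "findings above"
```

On a live host compare the result with the running value as well (sysctl -n PARAM): a correct persistent file is only applied at boot or by sysctl --system, and a correct running value is lost at the next reboot if no file backs it. The fixture produces two findings, ip_forward overridden to 1 by the later-sorting drop-in and fs.suid_dumpable never set.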

CCE-90668-5
The audit system already collects process information for all users and root. To watch for attempted manual edits of files involved in storing such process information, add the following to '/etc/audit/audit.rules': -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp ...

CCE-90951-5
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via '.rhosts' files. To ensure this behavior is disabled, add or correct the following line in '/etc/ssh/sshd_config': 'IgnoreRhosts yes'
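
The sshd_config entries in this listing each name one directive. The added example below, which is not code from the CCE entries, evaluates them together using the two parsing rules sshd itself applies: the first occurrence of a keyword wins and later duplicates are ignored, and everything after the first Match line is conditional rather than global. It also flags cipher names that are never FIPS-approved (arcfour, blowfish-cbc, cast128-cbc) and checks that ClientAliveInterval is non-zero, because ClientAliveCountMax 0 does nothing without it. The sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit sshd_config directives the way sshd reads the file.
# sshd keeps the FIRST value of a keyword (later duplicates are ignored) and
# treats everything after the first "Match" line as conditional, so appending
# "ClientAliveCountMax 0" to a file that already sets it changes nothing.

# Effective global value of KEY in FILE (empty when left at the default).
sshd_effective() {
    local file=$1 key=$2
    awk -v key="$key" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        tolower($1) == "match" { exit }             # Match blocks are not global
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit                             # first occurrence wins
        }' "$file"
}

# Directive/value pairs taken from the entries above.
SSHD_EXPECTED='
Protocol 2
ClientAliveCountMax 0
PermitUserEnvironment no
HostbasedAuthentication no
IgnoreRhosts yes
Banner /etc/issue
'

# Report directives with the wrong effective value, a Ciphers list containing a
# never-approved algorithm, and a ClientAliveInterval that would make
# ClientAliveCountMax a no-op. Returns 1 on any finding.
sshd_audit() {
    local file=$1 rc=0 key expected actual ciphers
    while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(sshd_effective "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            printf 'FAIL %-24s effective=%-10s expected=%s\n' \
                "$key" "${actual:-<default>}" "$expected"
            rc=1
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    ciphers=$(sshd_effective "$file" Ciphers)
    case ",$ciphers," in
        *,arcfour*|*,blowfish-cbc,*|*,cast128-cbc,*)
            printf 'FAIL %-24s non-approved algorithm in "%s"\n' Ciphers "$ciphers"; rc=1 ;;
    esac
    actual=$(sshd_effective "$file" ClientAliveInterval)
    case "${actual:-0}" in
        0) printf 'FAIL %-24s unset or 0, so ClientAliveCountMax never triggers\n' \
               ClientAliveInterval; rc=1 ;;
    esac
    return $rc
}

# Constructed sample sshd_config, not from a real host.
SSHD_SAMPLE=$(mktemp); trap 'rm -f "$SSHD_SAMPLE"' EXIT
cat >"$SSHD_SAMPLE" <<'EOF'
Protocol 2
Port 22
ClientAliveInterval 600
ClientAliveCountMax 3
PermitUserEnvironment no
HostbasedAuthentication no
IgnoreRhosts yes
Banner /etc/issue
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256
# appended by a later hardening run; sshd keeps the first value (3) above
ClientAliveCountMax 0
Match User backup
    PermitUserEnvironment yes
EOF

sshd_audit "$SSHD_SAMPLE" || echo "findings above"
```

On the host itself sshd -T prints the effective configuration and is the authoritative check; this parser is for auditing a copy of the file offline. The ClientAliveCountMax 0 recommendation is specific to the OpenSSH 7.x shipped with CentOS 7: since OpenSSH 8.2 a value of 0 disables the liveness check altogether instead of disconnecting after the first missed probe, so the same check on a newer release would need a different target.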

CCE-90789-9
To configure the system to prevent the 'freevxfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90974-7
To properly set the owner of '/etc/passwd', run the command:

CCE-90766-7
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client t ...

CCE-90743-6
Sendmail is not the default mail transfer agent and is not installed by default. The 'sendmail' package can be removed with the following command: '$ sudo yum erase sendmail'

CCE-95510-4
To specify a remote NTP server for time synchronization, edit the file '/etc/ntp.conf'. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for

CCE-90852-5
Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package sho ...

CCE-90909-3
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate '/etc/modprobe.d' configuration file to prevent the loading of the Bluetooth module: 'install bluetooth /bin/true'
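
Worked example for the three kernel-module entries above (sctp, freevxfs and bluetooth). This is added illustration code, not SecPod's or the benchmark's own. It assumes the drop-in is named '<module>.conf' (any file name under '/etc/modprobe.d' works) and uses a temporary directory in place of '/etc/modprobe.d' so it runs without root. It writes the 'install ... /bin/true' line the entries call for, adds a 'blacklist' line beside it, checks an existing configuration directory, and covers the case the drop-in cannot fix: a module that is already loaded.

```bash
#!/bin/sh
# Added example, not part of the SecPod benchmark or this page. Writes the
# /etc/modprobe.d drop-in that the sctp, freevxfs and bluetooth entries describe
# and checks an existing configuration directory for it. The file name
# "<module>.conf" is an assumption; any file name under /etc/modprobe.d works.

# disable_kernel_module MODULE DIR: "install MODULE /bin/true" makes modprobe run
# /bin/true instead of loading the module; "blacklist MODULE" additionally tells
# modprobe to ignore the module's own aliases (see modprobe.d(5)).
disable_kernel_module() {
    printf 'install %s /bin/true\nblacklist %s\n' "$1" "$1" > "$2/$1.conf"
}

# check_module_disabled MODULE DIR: scans every *.conf in DIR, skipping comments.
# Returns 1 when no install line neutralises the module; a missing blacklist line
# is reported but is not fatal.
check_module_disabled() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        /^[ \t]*(#|$)/ { next }
        $1 == "install" && $2 == m && ($3 == "/bin/true" || $3 == "/bin/false") { inst = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END {
            if (!inst) { printf "%s: no \"install %s /bin/true\" line, modprobe will still load it\n", m, m; exit 1 }
            if (!bl) printf "%s: install line only; add \"blacklist %s\" as well\n", m, m
            exit 0
        }'
}

# module_loaded MODULE: returns 0 if the module is in the running kernel. The
# drop-in only affects future load requests, so a loaded module still has to be
# removed with "modprobe -r MODULE" (or by reboot).
module_loaded() {
    [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

DEMO_DIR=$(mktemp -d)          # stands in for /etc/modprobe.d in this demo
for m in sctp freevxfs bluetooth; do
    check_module_disabled "$m" "$DEMO_DIR" >/dev/null || disable_kernel_module "$m" "$DEMO_DIR"
done
echo "== drop-ins written =="
cat "$DEMO_DIR"/*.conf
for m in sctp freevxfs bluetooth; do
    if check_module_disabled "$m" "$DEMO_DIR"; then echo "$m: disabled for future loads"; fi
    if module_loaded "$m"; then echo "$m: still loaded, run: modprobe -r $m"; fi
done
```

'install MODULE /bin/true' only changes what modprobe does on the next load request; a module already in the kernel stays there until 'modprobe -r', so an audit of these entries should finish with 'lsmod' (or /proc/modules), not with the drop-in alone.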

CCE-90962-2
In '/etc/pam.d/system-auth', the 'password' section of the file controls which PAM modules execute during a password change. Set the 'pam_unix.so' module in the 'password' section to include the argument 'sha512', as shown below: 'password sufficient pam_unix.so sha512 other arguments...' This ...

CCE-90777-4
Edit the vsftpd configuration file, which resides at '/etc/vsftpd/vsftpd.conf' by default. Add or correct the following configuration options: 'banner_file=/etc/issue'

CCE-90985-3
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d', in order to capture events that modify account changes: -w /etc/group -p wa -k a ...

CCE-90653-7
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90939-0
To properly set the permissions of '/etc/group', run the command:

CCE-90664-4
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90895-4
To set the runtime status of the 'net.ipv4.conf.all.secure_redirects' kernel parameter, run the following command:

CCE-90916-8
The pam_pwquality module's 'difok' parameter controls requirements for usage of different characters during a password change. Modify the 'difok' setting in '/etc/security/pwquality.conf' to require differing characters when changing passwords. The DoD requirement is '4'.

CCE-90641-2
The 'auditd' service can be configured to send email to a designated account in certain situations. Add or correct the following line in '/etc/audit/auditd.conf' to ensure that administrators are notified via email for those situations: 'action_mail_acct = root'

CCE-90676-8
The 'rsh-server' package can be uninstalled with the following command: '$ sudo yum erase rsh-server'

CCE-90980-4
The pam_pwquality module's 'dcredit' parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify ...

CCE-90774-1
The 'vsftpd' package can be removed with the following command: '$ sudo yum erase vsftpd'

CCE-90654-5
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90861-6
To restrict root logins on serial ports, ensure lines of this form do not appear in '/etc/securetty': ttyS0 ttyS1

CCE-90643-8
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules' If the system is 64 ...

CCE-90915-0
The pam_pwquality module's 'minlen' parameter controls requirements for minimum characters required in a password. Add 'minlen=15' after pam_pwquality to set minimum password length requirements.

CCE-90665-1
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90938-2
The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in '/etc/ssh/sshd_config': 'PermitRootLogin no'

CCE-90873-1
To ensure the default umask for users of the Bash shell is set properly, add or correct the 'umask' setting in '/etc/bashrc' to read as follows: 'umask 077'

CCE-90896-2
To set the runtime status of the 'net.ipv4.conf.all.log_martians' kernel parameter, run the following command:

CCE-90809-5
The 'dovecot' service can be disabled with the following command: '$ sudo systemctl disable dovecot'

CCE-90651-1
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-w /etc/selinux/ -p wa -k MAC-policy' If the 'auditd' daemon is configured to us ...

CCE-90971-3
If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d' to capture kernel module loading and unloading events, setting ARCH to either b32 ...

CCE-90783-2
The 'httpd' package can be removed with the following command: '$ sudo yum erase httpd'

CCE-90662-8
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90918-4
System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during runtime, are also stored in '/lib/modules'. All files i ...

CCE-92511-5
Single-user mode is intended as a system recovery method: a boot option at startup gives a single user root access to the system. Unless authentication is required for it, selecting single-user mode yields a root shell without any password. On this platform single-user mode is protected by requiring a password and is set ...

CCE-90829-3
The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The 'setroubleshoot' package can be removed with the following command: '$ sudo yum erase setroubleshoot'

CCE-90904-4
To set the runtime status of the 'net.ipv4.conf.all.rp_filter' kernel parameter, run the following command:

CCE-90675-0
The 'xinetd' package can be uninstalled with the following command: '$ sudo yum erase xinetd'

CCE-90929-1
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in '/etc/ssh/sshd_config': 'PermitEmptyPasswords no' Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themse ...

CCE-90818-6
To require samba clients running 'smbclient' to use packet signing, add the following to the '[global]' section of the Samba configuration file, '/etc/samba/smb.conf': 'client signing = mandatory' Requiring samba clients such as 'smbclient' to use packet signing ensures they can only communicate wit ...

CCE-90663-6
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...

CCE-90917-6
To properly set the group owner of '/etc/passwd', run the command:

CCE-90894-7
To set the runtime status of the 'net.ipv4.conf.all.accept_redirects' kernel parameter, run the following command:

CCE-90640-4
The 'auditd' service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90652-9
At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audi ...
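
The audit entries above are truncated, but the rules they show follow a fixed pattern: '-w PATH -p wa -k KEY' for file watches and '-a always,exit -F arch=b32 -S SYSCALL -k KEY' for syscall rules, the latter repeated with 'arch=b64' on 64-bit hosts. The checker below is added illustration code, not SecPod's or the benchmark's. It reads a directory of '.rules' files the way 'augenrules' does (all files concatenated), verifies the watches visible on this page and both architectures of the 'adjtimex' rule, and does not compare the '-k' labels, which the page cuts off. The sample rules, and the '-k' labels in them, are constructed for the demo.

```bash
#!/bin/sh
# Added example, not part of the SecPod benchmark or this page. Checks that the
# file watches and the adjtimex syscall rule shown in the audit entries above are
# present in an augenrules-style directory of *.rules files (the files are
# concatenated, as augenrules does). The audit keys (-k ...) are not compared,
# because the page truncates several of them. On 64-bit hosts a syscall rule is
# needed for both arch=b32 and arch=b64; pass "b32" as the second argument on a
# 32-bit host.

# check_audit_rules DIR [ARCHES]: prints each gap, returns 1 if any, else 0.
check_audit_rules() {
    cat "$1"/*.rules 2>/dev/null | awk -v arches="${2:-b32 b64}" '
        BEGIN {
            nreq = split("/var/run/utmp /var/log/btmp /var/log/wtmp /etc/group /etc/selinux/", req, " ")
            narch = split(arches, archlist, " ")
        }
        /^[ \t]*(#|$)/ { next }
        $1 == "-w" {                      # file watch: -w PATH -p PERMS -k KEY
            for (i = 3; i < NF; i++) if ($i == "-p") perms[$2] = perms[$2] $(i + 1)
            next
        }
        $1 == "-a" {                      # syscall rule: -a always,exit -F arch=bNN -S name[,name] ...
            arch = ""; names = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-F" && $(i + 1) ~ /^arch=b(32|64)$/) arch = substr($(i + 1), 6)
                if ($i == "-S") names = names "," $(i + 1)
            }
            if (arch == "") next
            n = split(names, sc, ",")
            for (i = 1; i <= n; i++) if (sc[i] != "") seen[sc[i] "/" arch] = 1
            next
        }
        END {
            bad = 0
            for (i = 1; i <= nreq; i++) {
                p = req[i]
                if (!(p in perms)) { printf "missing: -w %s -p wa\n", p; bad++; continue }
                if (index(perms[p], "w") == 0) { printf "%s: watch lacks w (writes)\n", p; bad++ }
                if (index(perms[p], "a") == 0) { printf "%s: watch lacks a (attribute changes)\n", p; bad++ }
            }
            for (k = 1; k <= narch; k++)
                if (!(("adjtimex/" archlist[k]) in seen))
                    { printf "missing: -a always,exit -F arch=%s -S adjtimex\n", archlist[k]; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# write_constructed_rules DIR: a typical partial rule set (constructed, not from
# a host; the -k labels are arbitrary).
write_constructed_rules() {
    mkdir -p "$1"
    cat > "$1/10-partial.rules" <<'EOF'
# constructed sample
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /etc/group -p wa -k account-changes
-w /etc/selinux/ -p w -k MAC-policy
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
EOF
}

# write_constructed_fix DIR: a second file that closes the two gaps; augenrules
# merges every *.rules file, so the fix can live beside the original.
write_constructed_fix() {
    cat > "$1/20-fix.rules" <<'EOF'
-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
EOF
}

DEMO_DIR=$(mktemp -d)/rules.d
write_constructed_rules "$DEMO_DIR"
echo "== gaps before the fix =="
check_audit_rules "$DEMO_DIR" || echo "== not compliant =="
write_constructed_fix "$DEMO_DIR"
echo "== after the fix =="
check_audit_rules "$DEMO_DIR" && echo "== compliant =="

# On a live host: check_audit_rules /etc/audit/rules.d, then "augenrules --load"
# and compare with "auditctl -l", which lists what the kernel actually holds.
```

The on-disk files are only half of the audit: after 'augenrules --load', 'auditctl -l' shows the rules the kernel accepted, and a rule that fails to load (for example a 64-bit syscall rule on a kernel without that ABI) is silently absent there.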

CCE-90981-2
The 'telnet-server' package can be uninstalled with the following command: '$ sudo yum erase telnet-server'

CCE-90905-1
To set the runtime status of the 'net.ipv4.conf.default.rp_filter' kernel parameter, run the following command:
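
The six sysctl entries above (accept_redirects, secure_redirects, log_martians and rp_filter for 'all' and 'default') all end before the command. The runtime command is 'sysctl -w KEY=VALUE', and the same value has to be persisted under '/etc/sysctl.d' or it is lost at the next boot. The script below is added illustration code, not SecPod's or the benchmark's: it compares a saved 'sysctl -a' snapshot with the intended values and renders the persistent drop-in. The intended values (0 for the three redirect parameters, 1 for log_martians and both rp_filter parameters) and the drop-in path '/etc/sysctl.d/99-hardening.conf' are assumptions, since the page truncates them; the snapshot in the script is constructed, not captured.

```bash
#!/bin/sh
# Added example, not part of the SecPod benchmark or this page. Checks the six
# net.ipv4.conf.* parameters named above against a "sysctl -a" snapshot and
# renders the persistent drop-in. The target values (0 for the redirect
# settings, 1 for log_martians and rp_filter) and the drop-in path
# /etc/sysctl.d/99-hardening.conf are assumptions; the page truncates them.

# Desired values, one "key value" pair per line.
HARDENED_SYSCTLS='
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
'

# check_sysctl_snapshot FILE: FILE holds "sysctl -a" output (key = value).
# Prints one line per deviation and returns 1 if there is any, else 0.
check_sysctl_snapshot() {
    printf '%s\n' "$HARDENED_SYSCTLS" | awk -v snap="$1" '
        BEGIN {
            # Load the running values first; "sysctl -a" prints "key = value".
            while ((getline line < snap) > 0) {
                if (split(line, f, /[ \t]*=[ \t]*/) == 2) {
                    sub(/[ \t]+$/, "", f[2]); have[f[1]] = f[2]
                }
            }
            close(snap)
        }
        NF == 2 {
            if (!($1 in have))       { printf "%s want=%s have=<unset>\n", $1, $2; bad++ }
            else if (have[$1] != $2) { printf "%s want=%s have=%s\n", $1, $2, have[$1]; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# render_sysctl_dropin: emit the persistent form for /etc/sysctl.d/99-hardening.conf.
render_sysctl_dropin() {
    printf '%s\n' "$HARDENED_SYSCTLS" | awk 'NF == 2 { printf "%s = %s\n", $1, $2 }'
}

# Demo on a constructed snapshot (not captured from a real host).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/sysctl.snap" <<'EOF'
kernel.printk = 4 4 1 7
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
echo "== deviations in the constructed snapshot =="
check_sysctl_snapshot "$DEMO_DIR/sysctl.snap" || echo "== not compliant =="
echo "== drop-in to persist the settings =="
render_sysctl_dropin

# On a live RHEL 7 host:
#   sysctl -a 2>/dev/null > /tmp/sysctl.snap && check_sysctl_snapshot /tmp/sysctl.snap
#   render_sysctl_dropin > /etc/sysctl.d/99-hardening.conf && sysctl --system
# "sysctl --system" applies the drop-in at runtime from the same files that
# systemd-sysctl reads at boot, so the runtime and persistent states stay identical.
```

Checking only '/etc/sysctl.conf' misses a later file under '/etc/sysctl.d' that sets the same key to a weaker value, which is why the check reads the running values rather than the configuration files.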

CCE-95492-5
The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server. Rationale: It is recommended that physica ...

CCE-90828-5
The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ...

CCE-90629-7
The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog. Rationale: By keeping the log files smaller and ...

CCE-90914-3
The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive ...
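
The sshd_config entries on this page (IgnoreRhosts, PermitRootLogin, PermitEmptyPasswords and the two ClientAlive options above) are usually audited with grep, which misses two sshd behaviours: the first occurrence of a keyword wins, and a directive placed under a 'Match' line applies only to matching connections. The checker below is added illustration code, not SecPod's or the benchmark's, and models both behaviours. The idle ceiling of 900 seconds and the hardened values 'ClientAliveInterval 300' and 'ClientAliveCountMax 0' are assumptions, since the page truncates the benchmark's figures; both configurations it evaluates are constructed.

```bash
#!/bin/sh
# Added example, not part of the SecPod benchmark or this page. Evaluates an
# sshd_config the way sshd does for the directives in the SSH entries above:
# keywords are case-insensitive, the FIRST value for a keyword wins, and
# anything after a "Match" line is conditional, so the global check stops there.
# The idle ceiling (900 s) and the hardened values 300/0 are assumptions; the
# page truncates the benchmark's figures.

# check_sshd_config FILE [MAX_IDLE]: prints each deviation, returns 1 if any.
check_sshd_config() {
    awk -v maxidle="${2:-900}" '
        function want(k, v) {
            if (!(k in val)) { printf "%s not set explicitly (compiled-in default applies)\n", k; return 1 }
            if (tolower(val[k]) != v) { printf "%s is %s, want %s\n", k, val[k], v; return 1 }
            return 0
        }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }      # conditional block: stop, END still runs
        {
            gsub(/=/, " ")                   # accept "Key=value" as well as "Key value"
            k = tolower($1)
            if (!(k in val)) val[k] = $2     # first occurrence wins, as in sshd
        }
        END {
            bad = want("ignorerhosts", "yes")
            bad += want("permitrootlogin", "no")
            bad += want("permitemptypasswords", "no")
            if (!("clientaliveinterval" in val) || val["clientaliveinterval"] + 0 <= 0)
                { print "clientaliveinterval must be set to a positive number of seconds"; bad++ }
            else if (val["clientaliveinterval"] + 0 > maxidle)
                { printf "clientaliveinterval %s exceeds %d\n", val["clientaliveinterval"], maxidle; bad++ }
            if (!("clientalivecountmax" in val))
                { print "clientalivecountmax not set explicitly"; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

# write_weak_sshd_config FILE: a constructed sshd_config (not from a host) with
# the usual mistakes: root login left on, IgnoreRhosts only in a comment,
# keepalive off, and a Match block that protects one user only.
write_weak_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin yes
#IgnoreRhosts yes
PermitEmptyPasswords no
ClientAliveInterval 0
Match User backup
    PermitRootLogin no
EOF
}

# write_hardened_sshd_config FILE: the same file with the entries applied.
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 0
EOF
}

DEMO_DIR=$(mktemp -d)
write_weak_sshd_config "$DEMO_DIR/sshd_config.weak"
write_hardened_sshd_config "$DEMO_DIR/sshd_config.hard"
echo "== weak config =="
check_sshd_config "$DEMO_DIR/sshd_config.weak" || echo "== not compliant =="
echo "== hardened config =="
check_sshd_config "$DEMO_DIR/sshd_config.hard" && echo "== compliant =="
```

On a live host feed the checker the output of 'sshd -T', which prints effective values after compiled-in defaults are applied, and run 'sshd -t' before restarting the service. OpenSSH 8.2 and later treat 'ClientAliveCountMax 0' as disabling termination altogether rather than terminating at the first missed probe, so confirm the semantics in sshd_config(5) for the version deployed.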

CCE-90948-1
The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that the PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ...

CCE-90913-5
The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days. Rationale: Providing an advance warning that a password will be expiring g ...
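
The three login.defs entries above and the pwquality entries earlier on this page (minlen 15, difok 4, dcredit) are checked together below. The script is added illustration code, not SecPod's or the benchmark's. It also covers the point the entries leave implicit: PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE only seed the aging fields of accounts created after the change, so accounts that already exist must be corrected with 'chage', and the script prints the needed commands from an '/etc/shadow'-format file. The dcredit target (-1, meaning at least one digit is required) is an assumption, since the page truncates it; all three input files are constructed.

```bash
#!/bin/sh
# Added example, not part of the SecPod benchmark or this page. Checks the
# three /etc/login.defs aging parameters above and the pwquality settings from
# the earlier entries (minlen 15, difok 4), and emits the chage commands for
# accounts that already exist, because login.defs only seeds the aging fields of
# accounts created after it is changed. The dcredit target (-1, at least one
# digit) is an assumption; the page truncates it.

PASS_MAX=60; PASS_MIN=7; PASS_WARN=7

# check_login_defs FILE: PASS_MAX_DAYS <= 60, PASS_MIN_DAYS >= 7, PASS_WARN_AGE >= 7.
check_login_defs() {
    awk -v maxd="$PASS_MAX" -v mind="$PASS_MIN" -v warnd="$PASS_WARN" '
        function need(k, op, lim,   x) {
            if (!(k in v)) { printf "%s not set\n", k; return 1 }
            x = v[k] + 0
            if ((op == "<=" && x > lim) || (op == ">=" && x < lim)) { printf "%s is %s, want %s %s\n", k, v[k], op, lim; return 1 }
            return 0
        }
        /^[ \t]*(#|$)/ { next }
        { v[$1] = $2 }
        END {
            bad = need("PASS_MAX_DAYS", "<=", maxd)
            bad += need("PASS_MIN_DAYS", ">=", mind)
            bad += need("PASS_WARN_AGE", ">=", warnd)
            exit (bad ? 1 : 0)
        }' "$1"
}

# check_pwquality FILE: minlen >= 15, difok >= 4, dcredit <= -1 in pwquality.conf.
check_pwquality() {
    awk '
        function atleast(k, lim) {
            if (!(k in v)) { printf "%s not set\n", k; return 1 }
            if (v[k] + 0 < lim) { printf "%s is %s, want >= %d\n", k, v[k], lim; return 1 }
            return 0
        }
        /^[ \t]*(#|$)/ { next }
        { gsub(/[ \t]*=[ \t]*/, " "); v[$1] = $2 }     # "minlen = 15" -> minlen 15
        END {
            bad = atleast("minlen", 15)
            bad += atleast("difok", 4)
            if (!("dcredit" in v)) { print "dcredit not set"; bad++ }
            else if (v["dcredit"] + 0 > -1) { printf "dcredit is %s, want <= -1 (a required digit)\n", v["dcredit"]; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

# shadow_aging_fixes FILE: for each account with a real password hash whose
# min/max/warn fields (4, 5, 6) miss the targets, print the chage command that
# fixes it. Returns 1 if any were printed. Locked (!, *) accounts are skipped.
shadow_aging_fixes() {
    awk -F: -v maxd="$PASS_MAX" -v mind="$PASS_MIN" -v warnd="$PASS_WARN" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            min = ($4 == "") ? 0 : $4 + 0            # shadow(5): empty means no minimum
            max = ($5 == "") ? 99999 : $5 + 0        # empty means no maximum age enforced
            warn = ($6 == "") ? 0 : $6 + 0
            if (max > maxd || min < mind || warn < warnd) {
                printf "chage -m %d -M %d -W %d %s\n", mind, maxd, warnd, $1; bad++
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

DEMO_DIR=$(mktemp -d)
# Constructed inputs (not from a real host; the hashes are placeholders).
cat > "$DEMO_DIR/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
cat > "$DEMO_DIR/pwquality.conf" <<'EOF'
# minlen = 8
difok = 1
dcredit = 0
EOF
cat > "$DEMO_DIR/shadow" <<'EOF'
root:$6$constructed$notarealhash:18000:0:99999:7:::
alice:$6$constructed$notarealhash:18000:7:60:7:::
bob:!!:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
EOF
echo "== login.defs =="; check_login_defs "$DEMO_DIR/login.defs" || true
echo "== pwquality.conf =="; check_pwquality "$DEMO_DIR/pwquality.conf" || true
echo "== existing accounts to fix =="; shadow_aging_fixes "$DEMO_DIR/shadow" || true
# On a live host: check_login_defs /etc/login.defs; check_pwquality /etc/security/pwquality.conf;
# shadow_aging_fixes /etc/shadow (review the output before piping it to sh).
```

Locked and system accounts are skipped deliberately: forcing aging on an account whose password field is '!!' or '*' changes nothing for login but can mark the account as expired for other tools, so the chage commands are confined to accounts that actually authenticate with a password.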

CCE-90860-8
The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles ...

CCE-95446-1
Description: The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading informatio ...

CCE-95486-7
Description: ip6tables.service is a utility for configuring and maintaining ip6tables. Rationale: ip6tables.service will load the ip6tables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system. Remediation: Run the f ...

CCE-95487-5
Description: iptables.service is a utility for configuring and maintaining iptables. Rationale: iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system. Remediation: Run the follo ...

CPE    1
cpe:/o:redhat:enterprise_linux:7
*XCCDF
xccdf_org.secpod_benchmark_general_RHEL_7
OVAL    297
oval:org.secpod.oval:def:72723
oval:org.secpod.oval:def:30592
oval:org.secpod.oval:def:30503
oval:org.secpod.oval:def:30455
...

© SecPod Technologies