[Forgot Password]
Login  Register Subscribe

23631

 
 

126941

 
 

98503

 
 

909

 
 

79321

 
 

109

Paid content will be excluded from the download.


Download | Alert*


CCE-90627-1
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over T ...

CCE-90841-8
Ensure All SGID Executables Are Authorized The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically ve ...

CCE-90969-7
Verify Group Who Owns shadow File To properly set the group owner of '/etc/shadow', run the command:

CCE-90948-1
Set Password Minimum Age To specify password minimum age for new accounts, edit the file '/etc/login.defs' and add or correct the following line, replacing

CCE-90716-2
Disable SSH Server If Possible (Unusual) The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. The 'sshd' service can be disabled with the following command: '$ sudo systemctl disable sshd' This is unusual, as SSH is a common method for encrypted and auth ...

CCE-90780-8
Disable FTP Uploads if Possible Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options: 'write_enable=NO' If FTP uploads are necessary, follow the guidance in the remainder of this sectio ...

CCE-90966-3
Verify that System Executables Have Root Ownership System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should be owned by the 'root' user. If any file

CCE-90954-9
Remove telnet Clients The telnet client allows users to start connections to other systems via the telnet protocol.

CCE-90736-0
Deny BOOTP Queries Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option: 'deny bootp;'

CCE-90797-2
Disable Cache Support The 'cache' module allows 'httpd' to cache data, optimizing access to frequently accessed content. However, it introduces potential security flaws such as the possibility of circumventing 'Allow' and 'Deny' directives. If this functionality is unnecessary, comment out the mod ...

CCE-90619-8
Ensure rsyslog is Installed Rsyslog is installed by default. The 'rsyslog' package can be installed with the following command: '$ sudo yum install rsyslog'

CCE-90968-9
Set Password Hashing Algorithm in /etc/login.defs In '/etc/login.defs', add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: 'ENCRYPT_METHOD SHA512'

CCE-90865-7
Verify No netrc Files Exist The '.netrc' files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. ...

CCE-90647-9
Record Attempts to Alter Time Through clock_settime If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 ...

CCE-90668-5
Record Attempts to Alter Process and Session Initiation Information The audit system already collects process information for all users and root. To watch for attempted manual edits of files involved in storing such process information, add the following to '/etc/audit/audit.rules': -w /var/run/ut ...

CCE-90992-9
Enable the SELinux Context Restoration Service (restorecond) The restorecond service utilizes inotify to look for the creation of new files listed in the /etc/selinux/restorecond.conf configuration file. When a file is created, restorecond ensures the file receives the proper SELinux security conte ...

CCE-90773-3
Disable vsftpd Service The 'vsftpd' service can be disabled with the following command: '$ sudo systemctl disable vsftpd'

CCE-90924-2
Verify /boot/grub2/grub.cfg Group Ownership The file '/boot/grub2/grub.cfg' should be group-owned by the 'root' group to prevent destruction or modification of the file. To properly set the group owner of '/boot/grub2/grub.cfg', run the command:

CCE-90958-0
Set SSH Client Alive Count To ensure the SSH idle timeout occurs precisely when the 'ClientAliveCountMax' is set, edit '/etc/ssh/sshd_config' as follows: 'ClientAliveCountMax 0'

CCE-90839-2
Verify that All World-Writable Directories Have Sticky Bits Set When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to Adirectory may remove any file in the directory. Sett ...

CCE-90825-1
Uninstall net-snmp Package The 'net-snmp' package provides the snmpd service. The 'net-snmp' package can be removed with the following command: '$ sudo yum erase net-snmp'

CCE-90830-1
Uninstall mcstrans Package The 'mcstransd' daemon provides category label information to client processes requesting information. The label translations are defined in '/etc/selinux/targeted/setrans.conf'. The 'mcstrans' package can be removed with the following command: '$ sudo yum erase ...

CCE-90634-7
Add nodev Option to /tmp The 'nodev' mount option can be used to prevent device files from being created in '/tmp'. Legitimate character and block devices should not exist within temporary directories like '/tmp'.

CCE-90993-7
Disable Hardware Abstraction Layer Service (haldaemon) The Hardware Abstraction Layer Daemon (haldaemon) collects and maintains information about the system's hardware configuration. This service is required on a workstation running a desktop environment, and may be necessary on any system which de ...

CCE-90707-1
Disable Red Hat Subscription Manager Daemon (rhsmcertd) The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. The 'rhsmcertd' service can be disabled with the following command: '$ su ...

CCE-90715-4
Disable At Service (atd) The 'at' and 'batch' commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon 'atd' keeps track of tasks scheduled vi A'at' and 'batch', and execute ...

CCE-90921-8
Verify User Who Owns shadow File To properly set the owner of '/etc/shadow', run the command:

CCE-90735-2
Deny Decline Messages Edit '/etc/dhcp/dhcpd.conf' and add or correct the following global option to prevent the DHCP server from responding the DHCPDECLINE messages, if possible: 'deny declines;'

CCE-90657-8
Record Events that Modify the System's Discretionary Access Controls - fchown At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ad ...

CCE-90972-1
Set Password Retry Prompts Permitted Per-Session To configure the number of retry prompts that are permitted per-session: Edit the 'pam_pwquality.so' statement in '/etc/pam.d/system-auth' to show 'retry=3', or a lower value if site policy is more restrictive. The DoD requirement is a maximum of ...

CCE-90686-7
Ensure tftp Daemon Uses Secure Mode If running the 'tftp' service is necessary, it should be configured to change its root directory at startup. To do so, ensure '/etc/xinetd.d/tftp' includes '-s' as a command line argument, as shown in the following example (which is also the default): 'server_arg ...

CCE-90949-9
System Audit Logs Must Have Mode 0640 or Less Permissive Change the mode of the audit log files with the following command: '$ sudo chmod 0640 audit_file'

CCE-90792-3
Disable WebDAV (Distributed Authoring and Versioning) WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules: #LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_mod ...

CCE-90692-5
Disable CPU Speed (cpuspeed) The 'cpuspeed' service can adjust the clock speed of supported CPUs based upon the current processing load thereby conserving power and reducing heat. The 'cpuspeed' service can be disabled with the following command: '$ sudo systemctl disable cpuspeed'

CCE-90658-6
Record Events that Modify the System's Discretionary Access Controls - fchownat At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90665-1
Record Events that Modify the System's Discretionary Access Controls - setxattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90662-8
Record Events that Modify the System's Discretionary Access Controls - lremovexattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the defaul ...

CCE-90750-1
Disable Network File System Lock Service (nfslock) The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local machine is not configured to mount NFS filesystems then this service should be di ...

CCE-90934-1
Set Deny For Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'before' the 'pam ...

CCE-90791-5
Disable MIME Magic The 'mime_magic' module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality is unnecessary, comment out the related module: '#LoadModule mime_magic_module modules/mod_mime_magic.so'

CCE-90734-5
Disable Booting from USB Devices in Boot Firmware Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.

CCE-90722-0
Serve Avahi Only via Required Protocol If you are using only IPv4, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line exists in the '[server]' section: 'use-ipv6=no' Similarly, if you are using only IPv6, disable IPv4 sockets with the line: 'use-ipv4=no'

CCE-90944-0
Ensure /var/log/audit Located On Separate Partition Audit logs are stored in the '/var/log/audit' directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will ...

CCE-90889-7
Install Virus Scanning Software Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or thei ...

CCE-90742-8
Enable Postfix Service The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail ...

CCE-90985-3
Record Events that Modify User/Group Information If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d', in order to capture events tha ...

CCE-90697-4
Disable Network Console (netconsole) The 'netconsole' service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to Asyslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The 'netconsole' ...

CCE-90815-2
Disable Plaintext Authentication To prevent Dovecot from attempting plaintext authentication of clients, edit '/etc/dovecot/conf.d/10-auth.conf' and add or correct the following line: 'disable_plaintext_auth = yes'

CCE-90718-8
Limit Users' SSH Access By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the '/etc/ssh/sshd_config' file: 'DenyUsers USER1 USER2' Wh ...

CCE-90746-9
Configure SMTP Greeting Banner Edit '/etc/postfix/main.cf', and add or correct the following line, substituting some other wording for the banner information if you prefer: 'smtpd_banner = $myhostname ESMTP'

CCE-90623-0
Add nosuid Option to Removable Media Partitions The 'nosuid' mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. ...

CCE-90677-6
Disable rexec Service The 'rexec' service, which is available with the 'rsh-server' package and runs as a service through xinetd, should be disabled. The 'rexec' service can be disabled with the following command: '$ sudo systemctl disable rexec'

CCE-90816-0
Disable Samba The 'smb' service can be disabled with the following command: '$ sudo systemctl disable smb'

CCE-90926-7
Verify Group Who Owns gshadow File To properly set the group owner of '/etc/gshadow', run the command:

CCE-90925-9
Disable DCCP Support The Datagram Congestion Control Protocol (DCCP) is Arelatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the 'dccp' kernel module from being loaded, add the following line to a file in the directory '/e ...

CCE-90988-7
Enable SSH Warning Banner To enable the warning banner and ensure it is consistent across the system, add or correct the following line in '/etc/ssh/sshd_config': 'Banner /etc/issue' Another section contains information on how to create an appropriate system-wide warning banner.

CCE-90769-1
Uninstall bind Package To remove the 'bind' package, which contains the 'named' service, run the following command: '$ sudo yum erase bind'

CCE-90730-3
Disable Print Server Capabilities To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cu ...

CCE-90870-7
Ensure that Root's Path Does Not Include Relative Paths or Null Directories Ensure that none of the directories in root's path is equal to a single '.' character, or that it contains any instances that lead to relative path traversal, such as '..' or beginning a path without the slash ('/') charact ...

CCE-90970-5
Encrypt Partitions Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the 'Encrypt' checkbox during partition c ...

CCE-90947-3
Ensure gpgcheck Enabled In Main Yum Configuration The 'gpgcheck' option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in '/etc/yum.conf' in the '[main]' secti ...

CCE-90717-0
Remove SSH Server iptables Firewall exception (Unusual) By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. Edit the files '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' (if IPv ...

CCE-90670-1
Ensure auditd Collects Information on the Use of Privileged Commands At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition

CCE-90836-8
Uninstall talk Package The 'talk' package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user.

CCE-90945-7
Do Not Allow SSH Environment Options To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in '/etc/ssh/sshd_config': 'PermitUserEnvironment no'

CCE-90950-7
Prevent Log In to Accounts With Empty Password If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the 'nullok' option in '/etc/pam.d/system-auth' to prevent logins ...

CCE-90764-2
Use Root-Squashing on All Exports If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, a ...

CCE-90927-5
Ensure Software Patches Installed If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: '$ sudo yum update' If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be ...

CCE-90772-5
Disable Dynamic Updates Is there a mission-critical reason to enable the risky dynamic update functionality? If not, edit '/etc/named.conf'. For each zone specification, correct the following directive if necessary: zone "example.com " IN { allow-update { none; }; ... };

CCE-90672-7
Ensure auditd Collects System Administrator Actions At a minimum the audit system should collect administrator actions for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a fi ...

CCE-90935-8
Set the GNOME3 Login Warning Banner Text To set the text shown by the GNOME3 Display Manager in the login screen, the 'banner-message-text' setting must be set under an appropriate configuration file(s) in the '/etc/dconf/db/gdm.d' directory and locked in '/etc/dconf/db/gdm.d/locks' directory to p ...

CCE-90828-5
Set Password Maximum Age To specify password maximum age for new accounts, edit the file '/etc/login.defs' and add or correct the following line, replacing

CCE-90751-9
Disable Secure RPC Client Service (rpcgssd) The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. ...

CCE-90916-8
Set Password Strength Minimum Different Characters The pam_pwquality module's 'difok' parameter controls requirements for usage of different characters during a password change. Modify the 'difok' setting in '/etc/security/pwquality.conf' to require differing characters when changing passwords. The ...

CCE-90913-5
Set Password Warning Age To specify how many days prior to password expiration that a warning will be issued to users, edit the file '/etc/login.defs' and add or correct the following line, replacing

CCE-90936-6
Limit Password Reuse Do not allow users to reuse recent passwords. This can be accomplished by using the 'remember' option for the 'pam_unix' PAM module. In the file '/etc/pam.d/system-auth', append 'remember=5' to the line which refers to the 'pam_unix.so' module, as shown: 'password sufficient ...

CCE-90857-4
Ensure No Daemons are Unconfined by SELinux Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the 'init' process, they inherit the 'initrc_t' context. To check for unconfined dae ...

CCE-90733-7
Do Not Use Dynamic DNS To prevent the DHCP server from receiving DNS information from clients, edit '/etc/dhcp/dhcpd.conf', and add or correct the following global option: 'ddns-update-style none;'

CCE-90643-8
Record attempts to alter time through adjtimex If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 -S ad ...

CCE-90798-0
Disable CGI Support The 'cgi' module allows HTML to interact with the CGI web programming language. If this functionality is unnecessary, comment out the module: '#LoadModule cgi_module modules/mod_cgi.so'

CCE-90967-1
Set Password Minimum Length in login.defs To specify password length requirements for new accounts, edit the file '/etc/login.defs' and add or correct the following lines: 'PASS_MIN_LEN 14

CCE-90978-8
Verify User Who Owns gshadow File To properly set the owner of '/etc/gshadow', run the command:

CCE-90787-3
Disable HTTP mod_rewrite The 'mod_rewrite' module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has Asignificant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module: '#LoadModule rewr ...

CCE-90906-9
Disable WiFi or Bluetooth in BIOS Some systems that include built-in wireless support offer the ability to disable the device through the BIOS. This is system-specific; consult your hardware manual or explore the BIOS setup during boot.

CCE-90884-8
Install the screen Package To enable console screen locking, install the 'screen' package: '$ sudo yum install screen' Instruct users to begin new terminal sessions with the following command: '$ screen' The console can now be locked with the following key combination: 'ctrl+a x'

CCE-90971-3
Ensure auditd Collects Information on Kernel Module Loading and Unloading If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d' to cap ...

CCE-90761-8
Disable Secure RPC Server Service (rpcsvcgssd) The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be d ...

CCE-90640-4
Configure auditd admin_space_left Action on Low Disk Space The 'auditd' service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90964-8
Set Password Strength Minimum Lowercase Characters The pam_pwquality module's 'lcredit' parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number ...

CCE-90875-6
Ensure the Default Umask is Set Correctly in /etc/profile To ensure the default umask controlled by '/etc/profile' is set properly, add or correct the 'umask' setting in '/etc/profile' to read as follows: 'umask 077

CCE-90786-5
Disable HTTP Digest Authentication The 'auth_digest' module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related module: '#LoadModule auth_digest_module modules/mod_auth_digest.so'

CCE-90666-9
Record Attempts to Alter Logon and Logout Events The audit system already collects login info for all users and root. To watch for attempted manual edits of files involved in storing logon events, add the following to '/etc/audit/audit.rules': '-w /var/log/faillog -p wa -k logins -w /var/log/lastlo ...

CCE-90708-9
Disable Cyrus SASL Authentication Daemon (saslauthd) The 'saslauthd' service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy aut ...

CCE-90691-7
Disable Control Group Rules Engine (cgred) The 'cgred' service moves tasks into control groups according to parameters set in the '/etc/cgrules.conf' configuration file. The 'cgred' service can be disabled with the following command: '$ sudo systemctl disable cgred'

CCE-90843-4
Ensure All Files Are Owned by a User If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

CCE-90602-4
Disable Interface Usage of IPv6 To disable interface usage of IPv6, add or correct the following lines in '/etc/sysconfig/network': NETWORKING_IPV6=no IPV6INIT=no

CCE-90961-4
Verify Permissions on shadow File To properly set the permissions of '/etc/shadow', run the command:

CCE-90688-3
Disable Certmonger Service (certmonger) Certmonger is a D-Bus based service that attempts to simplify interaction with certifying authorities on networks which use public-key infrastructure. It is often combined with Red Hat's IPA (Identity Policy Audit) security information management solution to ...

CCE-90917-6
Verify Group Who Owns passwd File To properly set the group owner of '/etc/passwd', run the command:

CCE-90629-7
Ensure Logrotate Runs Periodically The 'logrotate' utility allows for the automatic rotation of log files. The frequency of rotation is specified in '/etc/logrotate.conf', which triggers a cron task. To configure logrotate to run daily, add or correct the following line in '/etc/logrotate.conf ...

CCE-90728-7
Disable the CUPS Service The 'cups' service can be disabled with the following command: '$ sudo systemctl disable cups'

CCE-90846-7
Ensure All World-Writable Directories Are Owned by a System Account All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the ...

CCE-90922-6
Ensure SELinux State is Enforcing The SELinux state should be set to 'enforcing' at system boot time. In the file '/etc/selinux/config', add or correct the following line to configure the system to boot into enforcing mode: 'SELINUX=enforcing'

CCE-90745-1
Assign Password to Prevent Changes to Boot Firmware Configuration Assign a password to the system boot firmware (historically called BIOS on PC systems) to require a password for any configuration changes.

CCE-90822-8
Build and Test AIDE Database Run the following command to generate a new database: '$ sudo /usr/sbin/aide --init' By default, the database will be written to the file '/var/lib/aide/aide.db.new.gz'. Storing the database, the configuration file '/etc/aide.conf', and the binary '/usr/sbin/aide' (or h ...

CCE-90895-4
Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.secure_redirects' kernel parameter, run the following command:

CCE-90923-4
Set Boot Loader Password The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account and password and add them into the appropriate grub2 configuration file(s) under '/etc/grub.d'. Since plaintext passwor ...

CCE-90681-8
Remove Rsh Trust Files The files '/etc/hosts.equiv' and '~/.rhosts' (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: '$ sudo rm /etc/hosts.e ...

CCE-90755-0
Configure lockd to use static UDP port Configure the 'lockd' daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'LOCKD_UDPPORT=lockd-port' Where 'lockd-port' is a port which is ...

CCE-90696-6
Disable D-Bus IPC Service (messagebus) D-Bus provides an IPC mechanism used by a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. Due to these dependencies, disabling D-Bus may not be practical for many systems. The 'messagebus' service can be disabled with the fo ...

CCE-90704-8
Disable Quota Netlink (quota_nld) The 'quota_nld' service provides notifications to users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal th ...

CCE-90802-0
Restrict Other Critical Directories All accessible web directories should be configured with similarly restrictive settings. The 'Options' directive should be limited to necessary functionality and the 'AllowOverride' directive should be used only if needed. The 'Order' and 'Deny' access control ta ...

CCE-90878-0
Install Intrusion Detection Software The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become comp ...

CCE-90732-9
Uninstall DHCP Server Package If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The 'dhcp' package can be removed with the following command: '$ sudo yum erase dhcp'

CCE-90941-6
Verify that Shared Library Files Have Restrictive Permissions System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel ...

CCE-90851-7
Enable Randomized Layout of Virtual Address Space To set the runtime status of the 'kernel.randomize_va_space' kernel parameter, run the following command:

CCE-90631-3
Configure Logwatch SplitHosts Line If 'SplitHosts' is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that information is almost always necessar ...

CCE-90636-2
Configure auditd Number of Logs Retained Determine how many log files 'auditd' should retain when it rotates logs. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90850-9
Enable ExecShield By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in '/etc/default/grub'. For Red Hat Enterprise Linux 7 32-bit systems, 'sysctl' can be used to enable ExecShield.

CCE-90674-3
Disable xinetd Service The 'xinetd' service can be disabled with the following command: '$ sudo systemctl disable xinetd'

CCE-90805-3
Install mod_security Install the 'security' module: '$ sudo yum install mod_security'

CCE-90813-7
Configure Dovecot to Use the SSL Certificate file This option tells Dovecot where to find the the mail server's SSL Certificate. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line (

CCE-90823-6
Disable Mounting of hfsplus To configure the system to prevent the 'hfsplus' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90626-3
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are

CCE-90601-6
Add nodev Option to Removable Media Partitions The 'nodev' mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the '/dev' directory on the root partition or within chroot jails built for system services.

CCE-90644-6
Record attempts to alter time through settimeofday If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 - ...

CCE-90653-7
Record Events that Modify the System's Discretionary Access Controls - chown At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add ...

CCE-90641-2
Configure auditd mail_acct Action on Low Disk Space The 'auditd' service can be configured to send email to a designated account in certain situations. Add or correct the following line in '/etc/audit/auditd.conf' to ensure that administrators are notified via email for those situations: 'action_ma ...

CCE-90675-0
Uninstall xinetd Package The 'xinetd' package can be uninstalled with the following command: '$ sudo yum erase xinetd'

CCE-90838-4
Disable All GNOME3 Thumbnailers The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, the 'disable-all' setting must be s ...

CCE-90902-8
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses To set the runtime status of the 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter, run the following command:

CCE-90890-5
Disable Kernel Parameter for Sending ICMP Redirects by Default To set the runtime status of the 'net.ipv4.conf.default.send_redirects' kernel parameter, run the following command:

CCE-90942-4
Ensure /var/log Located On Separate Partition System logs are stored in the '/var/log' directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

CCE-90639-6
Configure auditd space_left Action on Low Disk Space The 'auditd' service can be configured to take an action when disk space

CCE-90973-9
Configure SELinux Policy The SELinux 'targeted' policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in '/etc/selinux/config': 'SELINUXTYPE=targeted' Other policies, such ...

CCE-90799-8
Restrict Root Directory The 'httpd' root directory should always have the most restrictive configuration enabled. <Directory / > Options None AllowOverride None Order allow,deny </Directory>

CCE-90765-9
Restrict NFS Clients to Privileged Ports By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over machines connected to its network, and if NFS requests are prohibited at the border firewall, this offers som ...

CCE-90788-1
Disable LDAP Support The 'ldap' module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modules: #LoadModule ldap_module modules/mod_ldap.so #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so If LDAP is to be used, SSL encryptio ...

CCE-90974-7
Verify User Who Owns passwd File To properly set the owner of '/etc/passwd', run the command:

CCE-90754-3
Configure lockd to use static TCP port Configure the 'lockd' daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'LOCKD_TCPPORT=lockd-port' Where 'lockd-port' is a port which is ...

CCE-90608-1
Manually Assign IPv6 Router Address Edit the file '/etc/sysconfig/network-scripts/ifcfg-interface', and add or correct the following line (substituting your gateway IP as appropriate): 'IPV6_DEFAULTGW=2001:0DB8::0001' Router addresses should be manually set and not accepted via any auto-configurati ...

CCE-90827-7
Ensure Default Password Is Not Used Edit '/etc/snmp/snmpd.conf', remove default community string 'public'. Upon doing that, restart the SNMP service: '$ sudo service snmpd restart'

CCE-90801-2
Restrict Web Directory The default configuration for the web ('/var/www/html') Directory allows directory indexing ('Indexes') and the following of symbolic links ('FollowSymLinks'). Neither of these is recommended. The '/var/www/html' directory hierarchy should not be viewable via the web, and sy ...

CCE-90694-1
Disable KDump Kernel Crash Analyzer (kdump) The 'kdump' service provides a kernel crash dump analyzer. It uses the 'kexec' system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The 'kdump' service ca ...

CCE-90737-8
Configure Logging Ensure that the following line exists in '/etc/rsyslog.conf': 'daemon.* /var/log/daemon.log' Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process.

CCE-90976-2
Set Password Strength Minimum Special Characters The pam_pwquality module's 'ocredit=' parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a posi ...

CCE-90835-0
Uninstall talk-server Package The 'talk-server' package can be removed with the following command: '$ sudo yum erase talk-server'

CCE-90940-8
Ensure Red Hat GPG Key Installed To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: '$ sudo rhn_register' If the sy ...

CCE-90953-1
Allow Only SSH Protocol 2 Only SSH protocol version 2 connections should be permitted. The default setting in '/etc/ssh/sshd_config' is correct, and can be verified by ensuring that the following line appears: 'Protocol 2'

CCE-90778-2
Disable Mounting of cramfs To configure the system to prevent the 'cramfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90743-6
Uninstall Sendmail Package Sendmail is not the default mail transfer agent and is not installed by default. The 'sendmail' package can be removed with the following command: '$ sudo yum erase sendmail'

CCE-90819-4
Require Client SMB Packet Signing, if using mount.cifs Require packet signing of clients who mount Samb Ashares using the 'mount.cifs' program (e.g., those who specify shares in '/etc/fstab'). To do so, ensure signing options (either 'sec=krb5i' or 'sec=ntlmv2i') are used. See the 'mount.cifs(8)' ...

CCE-90654-5
Record Events that Modify the System's Discretionary Access Controls - fchmod At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ad ...

CCE-90861-6
Restrict Serial Port Root Logins To restrict root logins on serial ports, ensure lines of this form do not appear in '/etc/securetty': ttyS0 ttyS1

CCE-90982-0
Require Authentication for Single User Mode Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. By default, single-user mode is ...

CCE-90695-8
Disable Software RAID Monitor (mdmonitor) The 'mdmonitor' service is used for monitoring a software RAID array; hardware RAID setups do not use this service. The 'mdmonitor' service can be disabled with the following command: '$ sudo systemctl disable mdmonitor'

CCE-90706-3
Disable Red Hat Network Service (rhnsd) The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as s ...

CCE-90952-3
Verify Group Who Owns group File To properly set the group owner of '/etc/group', run the command:

CCE-90679-2
Disable rsh Service The 'rsh' service, which is available with the 'rsh-server' package and runs as a service through xinetd, should be disabled. The 'rsh' service can be disabled with the following command: '$ sudo systemctl disable rsh'

CCE-90871-5
Ensure that Root's Path Does Not Include World or Group-Writable Directories For each element in root's path, run: '# ls -ld

CCE-90703-0
Disable Apache Qpid (qpidd) The 'qpidd' service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The 'qpidd' service can be disa ...

CCE-90837-6
Disable Mounting of udf To configure the system to prevent the 'udf' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90814-5
Configure Dovecot to Use the SSL Key file This option tells Dovecot where to find the the mail server's SSL Key. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line (

CCE-90645-3
Add noexec Option to /tmp The 'noexec' mount option can be used to prevent binaries from being executed out of '/tmp'.

CCE-90984-6
Verify Only Root Has UID 0 If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

CCE-90904-4
Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.rp_filter' kernel parameter, run the following command:

CCE-90901-0
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests To set the runtime status of the 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter, run the following command:

CCE-90693-3
Enable IRQ Balance (irqbalance) The 'irqbalance' service optimizes the balance between power savings and performance through distribution of hardware interrupts across multiple processors. The 'irqbalance' service can be enabled with the following command: '$ sudo systemctl enable irqbalan ...

CCE-90607-3
Use Privacy Extensions for Address To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in '/etc/sysconfig/network-scripts/ifcfg-interface': 'IPV6_PRIVACY=rfc3041' Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. ...

CCE-90711-3
Disable Prelinking The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file '/etc/sysconfig/prelink': 'PRELINKING=no' Next, run the following command to return binaries to a normal, non-prelinked ...

CCE-90690-9
Disable Control Group Config (cgconfig) Control groups allow an administrator to allocate system resources (such as CPU, memory, network bandwidth, etc) among a defined group (or groups) of processes executing on a system. The 'cgconfig' daemon starts at boot and establishes the predefined control ...

CCE-90776-6
Enable Logging of All FTP Transactions Add or correct the following configuration options within the 'vsftpd' configuration file, located at '/etc/vsftpd/vsftpd.conf': xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES

CCE-90951-5
Disable SSH Support for .rhosts Files SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via '.rhosts' files. To ensure this behavior is disabled, add or correct the following line in '/etc/ssh/sshd_config': 'IgnoreRhosts yes'

CCE-90809-5
Disable Dovecot Service The 'dovecot' service can be disabled with the following command: '$ sudo systemctl disable dovecot'

CCE-90918-4
Verify that Shared Library Files Have Root Ownership System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during r ...

CCE-90650-3
System Audit Logs Must Be Owned By Root To properly set the owner of '/var/log', run the command:

CCE-90859-0
Direct root Logins Not Allowed To further limit access to the 'root' account, administrators can disable root logins at the console by editing the '/etc/securetty' file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login thro ...

CCE-90989-5
Set Account Expiration Following Inactivity To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately: INACTIVE= A value of 35 is recom ...

CCE-90869-9
Set Lockout Time For Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as fol ...

CCE-90790-7
Disable Server Side Includes Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related mo ...

CCE-90613-1
Verify iptables Enabled The 'iptables' service can be enabled with the following command: '$ sudo systemctl enable iptables'

CCE-90762-6
Mount Remote Filesystems with nodev

CCE-90983-8
Ensure /tmp Located On Separate Partition The '/tmp' directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

CCE-90660-2
Record Events that Modify the System's Discretionary Access Controls - fsetxattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90832-7
Remove NIS Client The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ('ypbind') was used to bind a machine to an NIS server and receive the distributed configuration files ...

CCE-90933-3
Verify Permissions on passwd File To properly set the permissions of '/etc/passwd', run the command:

CCE-90611-5
Set Default ip6tables Policy for Incoming Packets To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in '/etc/sysconfig/ip6tables': ':INPUT DROP [0:0]' If changes were required, reload the ip6tables ...

CCE-90721-2
Disable Avahi Server Software The 'avahi-daemon' service can be disabled with the following command: '$ sudo systemctl disable avahi-daemon'

CCE-90655-2
Record Events that Modify the System's Discretionary Access Controls - fchmodat At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90852-5
Install PAE Kernel on Supported 32-bit x86 Systems Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined ...

CCE-90939-0
Verify Permissions on group File To properly set the permissions of '/etc/group', run the command:

CCE-90907-7
Deactivate Wireless Network Interfaces Deactivating wireless network interfaces should prevent normal usage of the wireless capability. First, identify the interfaces available with the command: '$ ifconfig -a' Additionally, the following command may be used to determine whether wireless support i ...

CCE-90605-7
Disable Accepting IPv6 Redirects This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.

CCE-90726-1
Disable Avahi Publishing To prevent other mDNS stacks from running, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'disallow-other-stacks=yes'

CCE-90701-4
Disable Portreserve (portreserve) The 'portreserve' service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services. The 'portreserve' service can be disabled with the following command: '$ sudo systemc ...

CCE-90720-4
Remove the X Windows Package Group Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: '$ sudo yum groupremove "X Window System"'

CCE-90853-3
Enable NX or XD Support in the BIOS Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execu ...

CCE-90888-9
Ensure System is Not Acting as a Network Sniffer The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: '$ ip link | grep PROMISC'

CCE-90860-8
Restrict Virtual Console Root Logins To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in '/etc/securetty': vc/1 vc/2 vc/3 vc/4

CCE-90873-1
Ensure the Default Bash Umask is Set Correctly To ensure the default umask for users of the Bash shell is set properly, add or correct the 'umask' setting in '/etc/bashrc' to read as follows: 'umask 077

CCE-90659-4
Record Events that Modify the System's Discretionary Access Controls - fremovexattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the defaul ...

CCE-90845-9
Configure Periodic Execution of AIDE To implement a daily execution of AIDE at 4:05am using cron, add the following line to '/etc/crontab': '05 4 * * * root /usr/sbin/aide --check' AIDE can be executed periodically through other means; this is merely one example.

CCE-90864-0
All GIDs referenced in /etc/passwd must be defined in /etc/group Add a group to the system for each GID referenced without a corresponding group.

CCE-90767-5
Disable GNOME3 Automounting The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount and autorun within GNOME3, the 'automount', 'automount-open', and 'autorun-n ...

CCE-90898-8
Disable Kernel Parameter for Accepting ICMP Redirects By Default To set the runtime status of the 'net.ipv4.conf.default.accept_redirects' kernel parameter, run the following command:

CCE-90909-3
Disable Bluetooth Kernel Modules The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate '/etc/modprobe.d' configuration file to prevent the loading of the Bluetooth module: 'install bluetooth /bin/true'

CCE-90883-0
Implement Blank Screensaver To set the screensaver mode in the GNOME3 desktop to a blank screen, the 'picture-uri' setting must be set under an appropriate configuration file(s) in the '/etc/dconf/db/local.d' directory and locked in '/etc/dconf/db/local.d/locks' directory to prevent user modifica ...

CCE-90808-7
Set Permissions on All Configuration Files Inside /etc/httpd/conf/ Set permissions on the web server configuration files to 640: '$ sudo chmod 640 /etc/httpd/conf/*'

CCE-90882-2
Enable GNOME3 Screensaver Lock After Idle Period To activate locking of the screensaver in the GNOME3 desktop when it is activated, the 'lock-enabled' and 'lock-delay' setting must be set under an appropriate configuration file(s) in the '/etc/dconf/db/local.d' directory and locked in '/etc/dconf ...

CCE-90946-5
Set Password Strength Minimum Uppercase Characters The pam_pwquality module's 'ucredit=' parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive numbe ...

CCE-90725-3
Prevent Other Programs from Using Avahi's Port To prevent other mDNS stacks from running, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'disallow-other-stacks=yes'

CCE-90702-2
Enable Process Accounting (psacct) The process accounting service, 'psacct', works with programs including 'acct' and 'ac' to allow system administrators to view user activity, such as commands issued by users of the system. The 'psacct' service can be enabled with the following command: ' ...

CCE-90749-3
Uninstall openldap-servers Package The 'openldap-servers' package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. '$ sudo yum erase openldap-servers' The openldap-servers RPM is not installed by default on RHEL 7 machines. It is needed only by the O ...

CCE-90824-4
Disable snmpd Service The 'snmpd' service can be disabled with the following command: '$ sudo systemctl disable snmpd'

CCE-90919-2
Install AIDE Install the AIDE package with the command: '$ sudo yum install aide'

CCE-90866-5
Set Last Logon/Access Notification To configure the system to notify users of last logon/access using 'pam_lastlog', add the following line immediately after 'session required pam_limits.so': 'session required pam_lastlog.so showfailed'

CCE-90621-4
Ensure Log Files Are Owned By Appropriate User The owner of all log files written by 'rsyslog' should be root. These log files are determined by the second part of each Rule line in '/etc/rsyslog.conf' and typically all appear in '/var/log'. For each log file

CCE-90806-1
Set Permissions on the /var/log/httpd/ Directory Ensure that the permissions on the web server log directory is set to 700: '$ sudo chmod 700 /var/log/httpd/' This is its default setting.

CCE-90738-6
Disable DHCP Client For each interface on the system (e.g. eth0), edit '/etc/sysconfig/network-scripts/ifcfg-interface' and make the following changes: Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's ...

CCE-90759-2
Specify UID and GID for Anonymous NFS Connections To specify the UID and GID for remote root users, edit the '/etc/exports' file and add the following for each export: anonuid='value greater than UID_MAX from /etc/login.defs' anongid='value greater than GID_MAX from /etc/login.defs' Alternativel ...

CCE-90638-8
Configure auditd max_log_file_action Upon Reaching Maximum Log Size The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by 'auditd', add or correct the line in '/etc/audit/auditd.conf': 'max_log_file ...

CCE-90649-5
Record Events that Modify the System's Network Environment If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d', setting ARCH to eith ...

CCE-90831-9
Uninstal rsh Package The 'rsh' package contains the client commands for the rsh services

CCE-90987-9
Modify the System Login Banner To configure the system login banner: Edit '/etc/issue'. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: 'You are accessing a U.S. Government (USG) Information System (IS) that is ...

CCE-90632-1
Disable Logwatch on Clients if a Logserver Exists Does your site have a central logserver which has been configured to report on logs received from all systems? If so: $ sudo rm /etc/cron.daily/0logwatch If no logserver exists, it will be necessary for each machine to run Logwatch individual ...

CCE-90886-3
Disable the GNOME3 Login User List In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. The 'disable-user-list' setting must be set under an appropriate configuration fil ...

CCE-90840-0
Ensure No World-Writable Files Exist It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a ...

CCE-90771-7
Authenticate Zone Transfers If it is necessary for a secondary nameserver to receive zone dat Avia zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory: $ cd /tmp $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HO ...

CCE-90803-8
Limit Available Methods Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the implementation of all available methods, they should be disabled. Note: 'GET' and 'POST' are the most common methods. A majority of the others ...

CCE-90713-9
Enable cron Service The 'crond' service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The 'crond' service can be enabled with the following command: '$ sudo systemc ...

CCE-90833-5
Remove tftp Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP does not support authentication and can be easily hacked. The package 'tftp' is a client program that allows for connecti ...

CCE-90899-6
Disable Kernel Parameter for Accepting Secure Redirects By Default To set the runtime status of the 'net.ipv4.conf.default.secure_redirects' kernel parameter, run the following command:

CCE-90642-0
Configure auditd to use audispd plugin To configure the 'auditd' service to use the 'audispd' plugin, set the 'active' line in '/etc/audisp/plugins.d/syslog.conf' to 'yes'. Restart the 'auditd'service: '$ sudo service auditd restart'

CCE-90752-7
Disable RPC ID Mapping Service (rpcidmapd) The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The 'rpcidmapd' service can be disabled with the following command: ' ...

CCE-90651-1
Record Events that Modify the System's Mandatory Access Controls If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-w /etc/selinu ...

CCE-90663-6
Record Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90903-6
Enable Kernel Parameter to Use TCP Syncookies To set the runtime status of the 'net.ipv4.tcp_syncookies' kernel parameter, run the following command:

CCE-90618-0
Install libreswan Package The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The 'libreswan' package can be installed with the following command: '$ sudo yum install libreswan'

CCE-90847-5
Set Daemon Umask The file '/etc/init.d/functions' includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for

CCE-90669-3
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) At a minimum the audit system should collect unauthorized file accesses for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), a ...

CCE-90710-5
Disable System Statistics Reset Service (sysstat) The 'sysstat' service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. The 'sysstat' service can be disabled with the following command: '$ sudo systemctl disable sysstat'

CCE-90774-1
Uninstall vsftpd Package The 'vsftpd' package can be removed with the following command: '$ sudo yum erase vsftpd'

CCE-90929-1
Disable SSH Access via Empty Passwords To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in '/etc/ssh/sshd_config': 'PermitEmptyPasswords no' Any accounts with empty passwords should be disabled immediately, and PAM configuration should preven ...

CCE-90796-4
Disable Proxy Support The 'proxy' module provides proxying support, allowing 'httpd' to forward requests and serve as a gateway for other servers. If its functionality is unnecessary, comment out the module: '#LoadModule proxy_module modules/mod_proxy.so'

CCE-90900-2
Add nodev Option to Non-Root Local Partitions The 'nodev' mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the '/dev' directory on the root partition or within chroot jails built for system services. Add t ...

CCE-90959-8
Verify that System Executables Have Restrictive Permissions System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should not be group-writable or world-writable. If any file

CCE-90868-1
Set Password to Maximum of Three Consecutive Repeating Characters The pam_pwquality module's 'maxrepeat' parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modif ...

CCE-90635-4
Enable Auditing for Processes Which Start Prior to the Audit Daemon To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument 'audit=1' to the kernel line in '/etc/grub.conf', in the manner below: 'kernel /vmlinuz-version ro vga=ext root=/dev/VolGrou ...

CCE-90991-1
Ensure All Accounts on the System Have Unique Names Change usernames, or delete accounts, so each has a unique name.

CCE-90748-5
Configure Certificate Directives for LDAP Use of TLS Ensure a copy of a trusted CA certificate has been placed in the file '/etc/pki/tls/CA/cacert.pem'. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file '/etc/pam_ldap.conf', and add or correct eit ...

CCE-90960-6
Limit the Number of Concurrent Login Sessions Allowed Per User Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multi ...

CCE-90753-5
Disable Network File Systems (netfs) The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or mali ...

CCE-90986-1
Ensure auditd Collects File Deletion Events by User At a minimum the audit system should collect file deletion events for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a fil ...

CCE-90863-2
Root Path Must Be Vendor Default Assuming root shell is bash, edit the following files: '~/.profile' '~/.bashrc' Change any 'PATH' variables to the vendor default for root and remove any empty 'PATH' entries or references to relative paths.

CCE-90766-7
Ensure Insecure File Locking is Not Allowed By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when ...

CCE-90731-1
Disable DHCP Service The 'dhcpd' service should be disabled on any system that does not need to act as a DHCP server. The 'dhcpd' service can be disabled with the following command: '$ sudo systemctl disable dhcpd'

CCE-90729-5
Disable Printer Browsing Entirely if Possible By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS configuration file, located at '/etc/cups/cupsd.conf', to include the ...

CCE-90937-4
Verify User Who Owns group File To properly set the owner of '/etc/group', run the command:

CCE-90603-2
Disable Support for RPC IPv6 RPC services for NFSv4 try to load transport modules for 'udp6' and 'tcp6' by default, even if IPv6 has been disabled in '/etc/modprobe.d'. To prevent RPC services such as 'rpc.mountd' from attempting to start IPv6 network listeners, remove or comment out the following ...

CCE-90858-2
Ensure No Device Files are Unlabeled by SELinux Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type 'unlabeled_t', investigate the cause and correct the file's context.

CCE-90712-1
Disable Modprobe Loading of USB Storage Driver To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the 'usb-storage' kernel module from being loaded, add the following ...

CCE-90943-2
Enable GNOME3 Login Warning Banner To enable displaying a login warning banner in the GNOME Display Manager's login screen, the 'banner-message-enable' setting must be set under an appropriate configuration file(s) in the '/etc/dconf/db/gdm.d' directory and locked in '/etc/dconf/db/gdm.d/locks' d ...

CCE-90779-0
Restrict Access to Anonymous Users if Possible Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option: 'loca ...

CCE-90620-6
Enable rsyslog Service The 'rsyslog' service provides syslog-style logging by default on RHEL 7. The 'rsyslog' service can be enabled with the following command: '$ sudo systemctl enable rsyslog'

CCE-90897-0
Disable Kernel Parameter for Accepting Source-Routed Packets By Default To set the runtime status of the 'net.ipv4.conf.default.accept_source_route' kernel parameter, run the following command:

CCE-90747-7
Configure LDAP Client to Use TLS For All Transactions Configure LDAP to enforce TLS use. First, edit the file '/etc/pam_ldap.conf', and add or correct the following lines: 'ssl start_tls' Then review the LDAP server and ensure TLS has been configured.

CCE-90854-1
Restrict Access to Kernel Message Buffer To set the runtime status of the 'kernel.dmesg_restrict' kernel parameter, run the following command:

CCE-90667-7
Add nodev Option to /dev/shm The 'nodev' mount option can be used to prevent creation of device files in '/dev/shm'. Legitimate character and block devices should not exist within temporary directories like '/dev/shm'.

CCE-90739-4
Enable the NTP Daemon The 'ntpd' service can be enabled with the following command: '$ sudo systemctl enable ntpd'

CCE-90812-9
Enable the SSL flag in /etc/dovecot.conf To allow clients to make encrypted connections the 'ssl' flag in Dovecot's configuration file needs to be set to 'yes'. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line: 'ssl = yes'

CCE-90628-9
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over U ...

CCE-90757-6
Configure statd to use static port Configure the 'statd' daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'STATD_PORT=statd-port' Where 'statd-port' is a port which is not used by ...

CCE-90637-0
Configure auditd Max Log File Size Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting the correct value for

CCE-90879-8
Disable Interactive Boot To disable the ability for users to perform interactive startups, edit the file '/etc/sysconfig/init'. Add or correct the line: 'PROMPT=no' The 'PROMPT' option allows the console user to perform an interactive system startup, in which it is possible to select the set of ser ...

CCE-90932-5
Ensure gpgcheck Enabled For All Yum Package Repositories To ensure signature checking is not disabled for any repos, remove any lines from files in '/etc/yum.repos.d' of the form: 'gpgcheck=0'

CCE-90876-4
Ensure the Default Umask is Set Correctly in login.defs To ensure the default umask controlled by '/etc/login.defs' is set properly, add or correct the 'UMASK' setting in '/etc/login.defs' to read as follows: 'UMASK 077

CCE-90768-3
Disable DNS Server The 'named' service can be disabled with the following command: '$ sudo systemctl disable named'

CCE-90689-1
Add nosuid Option to /dev/shm The 'nosuid' mount option can be used to prevent execution of setuid programs in '/dev/shm'. The SUID and SGID permissions should not be required in these world-writable directories.

CCE-90893-9
Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.accept_source_route' kernel parameter, run the following command:

CCE-90793-1
Disable Server Activity Status The 'status' module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecessary information leak and should be disabled unless necessary. To do so, comment out the related module: '#LoadModule status_module m ...

CCE-90804-6
Install mod_ssl Install the 'mod_ssl' module: '$ sudo yum install mod_ssl'

CCE-90685-9
Uninstall tftp-server Package The 'tftp-server' package can be removed with the following command: '$ sudo yum erase tftp-server'

CCE-90782-4
Disable httpd Service The 'httpd' service can be disabled with the following command: '$ sudo systemctl disable httpd'

CCE-90872-3
Ensure that User Home Directories are not Group-Writable or World-Readable For each human user of the system, view the permissions of the user's home directory: '# ls -ld /home/

CCE-90763-4
Mount Remote Filesystems with nosuid

CCE-90795-6
Disable URL Correction on Misspelled Entries The 'speling' module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality is unnecessary, comment out the module: '#LoadModule speling_module modules/mod_speling.so' This functionality weaken ...

CCE-90818-6
Require Client SMB Packet Signing, if using smbclient To require samba clients running 'smbclient' to use packet signing, add the following to the '[global]' section of the Samba configuration file, '/etc/samba/smb.conf': 'client signing = mandatory' Requiring samba clients such as 'smbclient' to u ...

CCE-90905-1
Enable Kernel Parameter to Use Reverse Path Filtering by Default To set the runtime status of the 'net.ipv4.conf.default.rp_filter' kernel parameter, run the following command:

CCE-90684-2
Disable tftp Service The 'tftp' service should be disabled. The 'tftp' service can be disabled with the following command: '$ sudo systemctl disable tftp'

CCE-90957-2
Verify /boot/grub2/grub.cfg Permissions File permissions for '/boot/grub2/grub.cfg' should be set to 600. To properly set the permissions of '/boot/grub2/grub.cfg', run the command:

CCE-90606-5
Manually Assign Global IPv6 Address To manually assign an IP address for an interface, edit the file '/etc/sysconfig/network-scripts/ifcfg-interface'. Add or correct the following line (substituting the correct IPv6 address): 'IPV6ADDR=2001:0DB8::ABCD/64' Manually assigning an IP address is prefera ...

CCE-90700-6
Bind Mount /var/tmp To /tmp The '/var/tmp' directory is a world-writable directory. Bind-mount it to '/tmp' in order to consolidate temporary storage into one location protected by the same techniques as '/tmp'. To do so, edit '/etc/fstab' and add the following line: '/tmp /var/tmp none ...

CCE-90979-6
Verify Permissions on gshadow File To properly set the permissions of '/etc/gshadow', run the command:

CCE-90614-9
Set Default iptables Policy for Incoming Packets To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in '/etc/sysconfig/iptables': ':INPUT DROP [0:0]'

CCE-90612-3
Add noexec Option to Removable Media Partitions The 'noexec' mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on s ...

CCE-90877-2
Disable Ctrl-Alt-Del Reboot Activation By default, the system includes the following line in '/etc/init/control-alt-delete.conf' to reboot the system when the Ctrl-Alt-Del key sequence is pressed: 'exec /sbin/shutdown -r now "Control-Alt-Delete pressed"' To configure the system to log a message in ...

CCE-90709-7
Disable SMART Disk Monitoring Service (smartd) SMART (Self-Monitoring, Analysis, and Reporting Technology) is Afeature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. The 'smartd' service can be disabled with the following command: '$ s ...

CCE-90770-9
Disable Zone Transfers from the Nameserver Is it necessary for a secondary nameserver to receive zone dat Avia zone transfer from the primary server? If not, follow the instructions in this section. If so, see the next section for instructions on protecting zone transfers. Add or correct the follo ...

CCE-90673-5
Make the auditd Configuration Immutable Add the following to '/etc/audit/audit.rules' in order to make the configuration immutable: '-e 2' With this setting, a reboot will be required to change any audit rules.

CCE-90794-9
Disable Web Server Configuration Display The 'info' module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and should be disabled. If its functionality is unnecessary, comment out the module: '#LoadModule info_module modules/mod_info ...

CCE-90848-3
Disable Core Dumps for All Users To disable core dumps for all users, add the following line to '/etc/security/limits.conf': '* hard core 0'

CCE-90811-1
Disable Mounting of hfs To configure the system to prevent the 'hfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90980-4
Set Password Strength Minimum Digit Characters The pam_pwquality module's 'dcredit' parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 ...

CCE-90829-3
Uninstall setroubleshoot Package The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The 'setroubleshoot' package can be removed with the following command: ...

CCE-90834-3
Disable Mounting of squashfs To configure the system to prevent the 'squashfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90616-4
Disable RDS Support The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the 'rds' kernel module from being loaded, add the following line t ...

CCE-90664-4
Record Events that Modify the System's Discretionary Access Controls - removexattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default ...

CCE-90740-2
Specify a Remote NTP Server To specify a remote NTP server for time synchronization, edit the file '/etc/ntp.conf'. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for

CCE-90784-0
Set httpd ServerTokens Directive to Prod 'ServerTokens Prod' restricts information in page headers, returning only the word "Apache." Add or correct the following directive in '/etc/httpd/conf/httpd.conf': 'ServerTokens Prod'

CCE-90661-0
Record Events that Modify the System's Discretionary Access Controls - lchown At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ad ...

CCE-90842-6
Ensure All SUID Executables Are Authorized The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically ver ...

CCE-90646-1
Record Attempts to Alter Time Through stime If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d' for both 32 bit and 64 bit systems: ' ...

CCE-90931-7
Disable Automatic Bug Reporting Tool (abrtd) The Automatic Bug Reporting Tool ('abrtd') daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash repo ...

CCE-90687-5
Disable Advanced Configuration and Power Interface (acpid) The Advanced Configuration and Power Interface Daemon ('acpid') dispatches ACPI events (such as power/reset button depressed) to userspace programs. The 'acpid' service can be disabled with the following command: '$ sudo systemctl ...

CCE-90910-1
Disable IPv6 Networking Support Automatic Loading To disable support for ('ipv6') add the following line to '/etc/sysctl.d/ipv6.conf' (or another file in '/etc/sysctl.d'): 'net.ipv6.conf.all.disable_ipv6 = 1' This disables IPv6 on all network interfaces as other services and system functionality re ...

CCE-90887-1
Disable Zeroconf Networking Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route as ...

CCE-90676-8
Uninstall rsh-server Package The 'rsh-server' package can be uninstalled with the following command: '$ sudo yum erase rsh-server'

CCE-90617-2
Disable TIPC Support The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in Acluster. To configure the system to prevent the 'tipc' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90956-4
Set Password Hashing Algorithm in /etc/libuser.conf In '/etc/libuser.conf', add or correct the following line in its '[defaults]' section to ensure the system will use the SHA-512 algorithm for password hashing: 'crypt_style = sha512'

CCE-90920-0
Set Interval For Counting Failed Password Attempts Utilizing 'pam_faillock.so', the 'fail_interval' directive configures the system to lock out accounts after a number of incorrect login attempts. Modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add t ...

CCE-90756-8
Disable the Automounter The 'autofs' daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as '/misc/cd'. However, this method of providing a ...

CCE-90678-4
Add noexec Option to /dev/shm The 'noexec' mount option can be used to prevent binaries from being executed out of '/dev/shm'. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as '/dev/shm'.

CCE-90908-5
Disable Bluetooth Service The 'bluetooth' service can be disabled with the following command: '$ sudo systemctl disable bluetooth' '$ sudo service bluetooth stop'

CCE-90938-2
Disable SSH Root Login The root user should never be allowed to login to Asystem directly over a network. To disable root login via SSH, add or correct the following line in '/etc/ssh/sshd_config': 'PermitRootLogin no'

CCE-90881-4
Enable GNOME3 Screensaver Idle Activation To activate the screensaver in the GNOME3 desktop after a period of inactivity, the 'idle-activation-enabled' setting must be set under an appropriate configuration file(s) in the '/etc/dconf/db/local.d' directory and locked in '/etc/dconf/db/local.d/lock ...

CCE-90698-2
Disable ntpdate Service (ntpdate) The 'ntpdate' service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in '/etc/ntp/step-tickers' or '/etc/ntp.conf' and then sets the local hardware clock to the newly synchronized system time. ...

CCE-90914-3
Set SSH Idle Timeout Interval SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in '/etc/ssh/sshd_config' as follows: 'ClientAliveInterval

CCE-90849-1
Disable Core Dumps for SUID programs To set the runtime status of the 'fs.suid_dumpable' kernel parameter, run the following command:

CCE-90826-9
Configure SNMP Service to Use Only SNMPv3 or Newer Edit '/etc/snmp/snmpd.conf', removing any references to 'rocommunity', 'rwcommunity', or 'com2sec'. Upon doing that, restart the SNMP service: '$ sudo service snmpd restart'

CCE-90714-7
Disable anacron Service The 'cronie-anacron' package, which provides 'anacron' functionality, is installed by default. The 'cronie-anacron' package can be removed with the following command: '$ sudo yum erase cronie-anacron'

CCE-90955-6
Use Only Approved Ciphers Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in '/etc/ssh/sshd_config' demonstrates use of FIPS-approved ciphers: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes1 ...

CCE-90874-9
Ensure the Default C Shell Umask is Set Correctly To ensure the default umask for users of the C shell is set properly, add or correct the 'umask' setting in '/etc/csh.cshrc' to read as follows: 'umask 077

CCE-90785-7
Set httpd ServerSignature Directive to Off 'ServerSignature Off' restricts 'httpd' from displaying server version number on error pages. Add or correct the following directive in '/etc/httpd/conf/httpd.conf': 'ServerSignature Off'

CCE-90896-2
Enable Kernel Parameter to Log Martian Packets To set the runtime status of the 'net.ipv4.conf.all.log_martians' kernel parameter, run the following command:

CCE-90880-6
Set GNOME3 Screensaver Inactivity Timeout To set the idle time-out value for inactivity in the GNOME3 desktop to 5 minutes (in seconds), the 'idle-delay' setting must be set under an appropriate configuration file(s) in the '/etc/dconf/db/local.d' directory and locked in '/etc/dconf/db/local.d/lo ...

CCE-90609-9
Verify firewalld Enabled The 'firewalld' service can be enabled with the following command: '$ sudo systemctl enable firewalld'

CCE-90727-9
Restrict Information Published by Avahi If it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or ...

CCE-90810-3
Uninstall dovecot Package The 'dovecot' package can be uninstalled with the following command: '$ sudo yum erase dovecot'

CCE-90744-4
Disable Postfix Network Listening Edit the file '/etc/postfix/main.cf' to ensure that only the following 'inet_interfaces' line appears: 'inet_interfaces = localhost'

CCE-90928-3
Verify /boot/grub2/grub.cfg User Ownership The file '/boot/grub2/grub.cfg' should be owned by the 'root' user to prevent destruction or modification of the file. To properly set the owner of '/boot/grub2/grub.cfg', run the command:

CCE-90719-6
Disable X Windows Startup By Setting Default Target Setting the system's default target to multi-user will prevent automatic startup of the X server. To do so, run: '$ systemctl set-default multi-user.target' You should see the following output: rm '/etc/systemd/system/default.target' ln -s '/usr/l ...

CCE-90894-7
Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.accept_redirects' kernel parameter, run the following command:

CCE-90807-9
Set Permissions on the /etc/httpd/conf/ Directory Set permissions on the web server configuration directory to 750: '$ sudo chmod 750 /etc/httpd/conf/'

CCE-90912-7
Ensure that System Accounts Do Not Run a Shell Upon Login Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for ea ...

CCE-90911-9
Ensure /var Located On Separate Partition The '/var' directory is used by daemons and other system services to store frequently-changing data. Ensure that '/var' has its own partition or logical volume at installation time, or migrate it using LVM.

CCE-90965-5
Set Password Strength Minimum Different Categories The pam_cracklib module's 'minclass' parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires ...

CCE-90758-4
Configure mountd to use static port Configure the 'mountd' daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'MOUNTD_PORT=statd-port' Where 'mountd-port' is a port which is not use ...

CCE-90789-9
Disable Mounting of freevxfs To configure the system to prevent the 'freevxfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90760-0
Disable Network File System (nfs) The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local machine. If the local machine is not designated as a NFS server then this service should be disabled. The 'nfs' service can be disabled with th ...

CCE-90781-6
Place the FTP Home Directory on its Own Partition By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition.

CCE-90671-9
Ensure auditd Collects Information on Exporting to Media (successful) At a minimum the audit system should collect media exportation events for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the f ...

CCE-90604-0
Disable Accepting IPv6 Router Advertisements To set the runtime status of the 'net.ipv6.conf.default.accept_ra' kernel parameter, run the following command:

CCE-90600-8
Ensure /home Located On Separate Partition If user home directories will be stored locally, create a separate partition for '/home' at installation time (or migrate it later using LVM). If '/home' will be mounted from another system such as an NFS server, then creating a separate partition is not n ...

CCE-90633-9
Enable auditd Service The 'auditd' service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The 'auditd' service can be enabled with the following command: '$ sudo systemctl enable auditd'

CCE-90783-2
Uninstall httpd Package The 'httpd' package can be removed with the following command: '$ sudo yum erase httpd'

CCE-90981-2
Uninstall telnet-server Package The 'telnet-server' package can be uninstalled with the following command: '$ sudo yum erase telnet-server'

CCE-90892-1
Disable Kernel Parameter for IP Forwarding To set the runtime status of the 'net.ipv4.ip_forward' kernel parameter, run the following command:

CCE-90990-3
Assign Expiration Date to Temporary Accounts Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time per ...

CCE-90682-6
Uninstall ypserv Package The 'ypserv' package can be uninstalled with the following command: '$ sudo yum erase ypserv'

CCE-90977-0
Disable telnet Service The 'telnet' service configuration file '/etc/xinetd.d/telnet' is not created automatically. If it was created manually, check the '/etc/xinetd.d/telnet' file and ensure that 'disable = no' is changed to read 'disable = yes' as follows below: # description: The telnet server ...

CCE-90930-9
Disable Host-Based Authentication SSH's cryptographic host-based authentication is more secure than '.rhosts' authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following li ...

CCE-90821-0
Uninstall squid Package The 'squid' package can be removed with the following command: '$ sudo yum erase squid'

CCE-90741-0
Specify Additional Remote NTP Servers Additional NTP servers can be specified for time synchronization in the file '/etc/ntp.conf'. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for

CCE-90963-0
Disable SCTP Support The Stream Control Transmission Protocol (SCTP) is Atransport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the 'sctp' kernel module from being loaded, ...

CCE-90615-6
Set Default iptables Policy for Forwarded Packets To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in '/etc/sysconfig/iptables': ':FORWARD DROP [0:0]'

CCE-90648-7
Record Attempts to Alter the localtime File If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-w /etc/localtime -p wa -k audit_ti ...

CCE-90723-8
Disable Kernel Support for USB via Bootloader Configuration All USB support can be disabled by adding the 'nousb' argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in '/etc/grub.conf' as shown: 'kernel /vmlinuz-

CCE-90867-3
Verify File Hashes with RPM The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: '$ ...

CCE-90885-5
Enable Smart Card Login To enable smart card authentication, consult the documentation at:

CCE-90962-2
Set Password Hashing Algorithm in /etc/pam.d/system-auth In '/etc/pam.d/system-auth', the 'password' section of the file controls which PAM modules execute during a password change. Set the 'pam_unix.so' module in the 'password' section to include the argument 'sha512', as shown below: 'password ...

CCE-90699-0
Disable Odd Job Daemon (oddjobd) The 'oddjobd' service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with 'oddjobd' through the system message bus. The 'oddjobd' service can ...

CCE-90817-8
Disable Root Access to SMB Shares Administrators should not use administrator accounts to access Samba file and printer shares. Disable the root user and the wheel administrator group: [

CCE-90683-4
Disable ypbind Service The 'ypbind' service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The 'ypbind' service can be disabled with the following command: '$ sudo systemctl disable ypbind'

CCE-90680-0
Disable rlogin Service The 'rlogin' service, which is available with the 'rsh-server' package and runs as a service through xinetd, should be disabled. The 'rlogin' service can be disabled with the following command: '$ sudo systemctl disable rlogin'

CCE-90724-6
Check Avahi Responses' TTL Field To make Avahi ignore packets unless the TTL field is 255, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'check-response-ttl=yes'

CCE-90862-4
Restrict Web Browser Use for Administrative Accounts Enforce policy requiring administrative accounts use web browsers only for local service administration.

CCE-90656-0
Add nosuid Option to /tmp The 'nosuid' mount option can be used to prevent execution of setuid programs in '/tmp'. The SUID and SGID permissions should not be required in these world-writable directories.

CCE-90915-0
Set Password Minimum Length The pam_pwquality module's 'minlen' parameter controls requirements for minimum characters required in a password. Add 'minlen=15' after pam_pwquality to set minimum password length requirements.

CCE-90652-9
Record Events that Modify the System's Discretionary Access Controls - chmod At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add ...

CCE-90891-3
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.send_redirects' kernel parameter, run the following command:

CCE-90705-5
Disable Network Router Discovery Daemon (rdisc) The 'rdisc' service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default ...

CCE-90625-5
Ensure Logs Sent To Remote Host To configure rsyslog to send logs to a remote log server, open '/etc/rsyslog.conf' and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be ...

CCE-90856-6
Verify and Correct File Permissions with RPM The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, run the following command to determine which pack ...

CCE-90975-4
Verify All Account Password Hashes are Shadowed If any password hashes are stored in '/etc/passwd' (in the second field, instead of an 'x'), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account ...

CCE-90777-4
Create Warning Banners for All FTP Users Edit the vsftpd configuration file, which resides at '/etc/vsftpd/vsftpd.conf' by default. Add or correct the following configuration options: 'banner_file=/etc/issue'

CCE-90630-5
Configure Logwatch HostLimit Line On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The 'HostLimit' setting tells Logwatch to report on all hosts, not just the one on which it is running. ' HostLimit = no ...

CCE-90800-4
Disable Mounting of jffs2 To configure the system to prevent the 'jffs2' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90820-2
Disable Squid The 'squid' service can be disabled with the following command: '$ sudo systemctl disable squid'

CCE-90855-8
Ensure SELinux Not Disabled in /etc/grub.conf SELinux can be disabled at boot time by an argument in '/etc/grub.conf'. Remove any instances of 'selinux=0' from the kernel arguments in that file to prevent SELinux from being disabled at boot.

CPE    1
cpe:/o:redhat:enterprise_linux:7
*XCCDF
xccdf_org.secpod_benchmark_general_RHEL_7
OVAL    344
oval:org.secpod.oval:def:30318
oval:org.secpod.oval:def:30426
oval:org.secpod.oval:def:30407
oval:org.secpod.oval:def:30481
...

© 2013 SecPod Technologies