[Forgot Password]
Login  Register Subscribe

24128

 
 

131573

 
 

110507

 
 

909

 
 

86504

 
 

136

Paid content will be excluded from the download.


Download | Alert*


CCE-90924-2
Verify /boot/grub2/grub.cfg Group Ownership The file '/boot/grub2/grub.cfg' should be group-owned by the 'root' group to prevent destruction or modification of the file. To properly set the group owner of '/boot/grub2/grub.cfg', run the command:

CCE-90901-0
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests To set the runtime status of the 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter, run the following command:

CCE-90947-3
Ensure gpgcheck Enabled In Main Yum Configuration The 'gpgcheck' option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in '/etc/yum.conf' in the '[main]' secti ...

CCE-90672-7
Ensure auditd Collects System Administrator Actions At a minimum the audit system should collect administrator actions for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a fi ...

CCE-90717-0
Remove SSH Server iptables Firewall exception (Unusual) By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. Edit the files '/etc/sysconfig/iptables' and '/etc/sysconfig/ip6tables' (if IPv ...

CCE-90695-8
Disable Software RAID Monitor (mdmonitor) The 'mdmonitor' service is used for monitoring a software RAID array; hardware RAID setups do not use this service. The 'mdmonitor' service can be disabled with the following command: '$ sudo systemctl disable mdmonitor'

CCE-90815-2
Disable Plaintext Authentication To prevent Dovecot from attempting plaintext authentication of clients, edit '/etc/dovecot/conf.d/10-auth.conf' and add or correct the following line: 'disable_plaintext_auth = yes'

CCE-90608-1
Manually Assign IPv6 Router Address Edit the file '/etc/sysconfig/network-scripts/ifcfg-interface', and add or correct the following line (substituting your gateway IP as appropriate): 'IPV6_DEFAULTGW=2001:0DB8::0001' Router addresses should be manually set and not accepted via any auto-configurati ...

CCE-90683-4
Disable ypbind Service The 'ypbind' service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The 'ypbind' service can be disabled with the following command: '$ sudo systemctl disable ypbind'

CCE-90891-3
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.send_redirects' kernel parameter, run the following command:

CCE-90958-0
Set SSH Client Alive Count To ensure the SSH idle timeout occurs precisely when the 'ClientAliveCountMax' is set, edit '/etc/ssh/sshd_config' as follows: 'ClientAliveCountMax 0'

CCE-90729-5
Disable Printer Browsing Entirely if Possible By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS configuration file, located at '/etc/cups/cupsd.conf', to include the ...

CCE-90912-7
Ensure that System Accounts Do Not Run a Shell Upon Login Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for ea ...

CCE-90706-3
Disable Red Hat Network Service (rhnsd) The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as s ...

CCE-90660-2
Record Events that Modify the System's Discretionary Access Controls - fsetxattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90793-1
Disable Server Activity Status The 'status' module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecessary information leak and should be disabled unless necessary. To do so, comment out the related module: '#LoadModule status_module m ...

CCE-90804-6
Install mod_ssl Install the 'mod_ssl' module: '$ sudo yum install mod_ssl'

CCE-90902-8
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses To set the runtime status of the 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter, run the following command:

CCE-90827-7
Ensure Default Password Is Not Used Edit '/etc/snmp/snmpd.conf', remove default community string 'public'. Upon doing that, restart the SNMP service: '$ sudo service snmpd restart'

CCE-90619-8
Ensure rsyslog is Installed Rsyslog is installed by default. The 'rsyslog' package can be installed with the following command: '$ sudo yum install rsyslog'

CCE-90673-5
Make the auditd Configuration Immutable Add the following to '/etc/audit/audit.rules' in order to make the configuration immutable: '-e 2' With this setting, a reboot will be required to change any audit rules.

CCE-90696-6
Disable D-Bus IPC Service (messagebus) D-Bus provides an IPC mechanism used by a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. Due to these dependencies, disabling D-Bus may not be practical for many systems. The 'messagebus' service can be disabled with the fo ...

CCE-90969-7
Verify Group Who Owns shadow File To properly set the group owner of '/etc/shadow', run the command:

CCE-90946-5
Set Password Strength Minimum Uppercase Characters The pam_pwquality module's 'ucredit=' parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive numbe ...

CCE-90718-8
Limit Users' SSH Access By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to login via SSH and deny all other users, add or correct the following line in the '/etc/ssh/sshd_config' file: 'DenyUsers USER1 USER2' Wh ...

CCE-90650-3
System Audit Logs Must Be Owned By Root To properly set the owner of '/var/log', run the command:

CCE-90816-0
Disable Samba The 'smb' service can be disabled with the following command: '$ sudo systemctl disable smb'

CCE-90685-9
Uninstall tftp-server Package The 'tftp-server' package can be removed with the following command: '$ sudo yum erase tftp-server'

CCE-90934-1
Set Deny For Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add the following line immediately 'before' the 'pam ...

CCE-90782-4
Disable httpd Service The 'httpd' service can be disabled with the following command: '$ sudo systemctl disable httpd'

CCE-90707-1
Disable Red Hat Subscription Manager Daemon (rhsmcertd) The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. The 'rhsmcertd' service can be disabled with the following command: '$ su ...

CCE-90684-2
Disable tftp Service The 'tftp' service should be disabled. The 'tftp' service can be disabled with the following command: '$ sudo systemctl disable tftp'

CCE-90957-2
Verify /boot/grub2/grub.cfg Permissions File permissions for '/boot/grub2/grub.cfg' should be set to 600. To properly set the permissions of '/boot/grub2/grub.cfg', run the command:

CCE-90892-1
Disable Kernel Parameter for IP Forwarding To set the runtime status of the 'net.ipv4.ip_forward' kernel parameter, run the following command:

CCE-90661-0
Record Events that Modify the System's Discretionary Access Controls - lchown At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ad ...

CCE-90828-5
Set Password Maximum Age To specify password maximum age for new accounts, edit the file '/etc/login.defs' and add or correct the following line, replacing

CCE-90805-3
Install mod_security Install the 'security' module: '$ sudo yum install mod_security'

CCE-90794-9
Disable Web Server Configuration Display The 'info' module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and should be disabled. If its functionality is unnecessary, comment out the module: '#LoadModule info_module modules/mod_info ...

CCE-90903-6
Enable Kernel Parameter to Use TCP Syncookies To set the runtime status of the 'net.ipv4.tcp_syncookies' kernel parameter, run the following command:

CCE-90738-6
Disable DHCP Client For each interface on the system (e.g. eth0), edit '/etc/sysconfig/network-scripts/ifcfg-interface' and make the following changes: Correct the BOOTPROTO line to read: BOOTPROTO=none Add or correct the following lines, substituting the appropriate values based on your site's ...

CCE-90715-4
Disable At Service (atd) The 'at' and 'batch' commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon 'atd' keeps track of tasks scheduled vi A'at' and 'batch', and execute ...

CCE-90926-7
Verify Group Who Owns gshadow File To properly set the group owner of '/etc/gshadow', run the command:

CCE-90949-9
System Audit Logs Must Have Mode 0640 or Less Permissive Change the mode of the audit log files with the following command: '$ sudo chmod 0640 audit_file'

CCE-90670-1
Ensure auditd Collects Information on the Use of Privileged Commands At a minimum the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition

CCE-90693-3
Enable IRQ Balance (irqbalance) The 'irqbalance' service optimizes the balance between power savings and performance through distribution of hardware interrupts across multiple processors. The 'irqbalance' service can be enabled with the following command: '$ sudo systemctl enable irqbalan ...

CCE-90801-2
Restrict Web Directory The default configuration for the web ('/var/www/html') Directory allows directory indexing ('Indexes') and the following of symbolic links ('FollowSymLinks'). Neither of these is recommended. The '/var/www/html' directory hierarchy should not be viewable via the web, and sy ...

CCE-90606-5
Manually Assign Global IPv6 Address To manually assign an IP address for an interface, edit the file '/etc/sysconfig/network-scripts/ifcfg-interface'. Add or correct the following line (substituting the correct IPv6 address): 'IPV6ADDR=2001:0DB8::ABCD/64' Manually assigning an IP address is prefera ...

CCE-90836-8
Uninstall talk Package The 'talk' package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user.

CCE-90859-0
Direct root Logins Not Allowed To further limit access to the 'root' account, administrators can disable root logins at the console by editing the '/etc/securetty' file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login thro ...

CCE-90813-7
Configure Dovecot to Use the SSL Certificate file This option tells Dovecot where to find the the mail server's SSL Certificate. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line (

CCE-90703-0
Disable Apache Qpid (qpidd) The 'qpidd' service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The 'qpidd' service can be disa ...

CCE-90629-7
Ensure Logrotate Runs Periodically The 'logrotate' utility allows for the automatic rotation of log files. The frequency of rotation is specified in '/etc/logrotate.conf', which triggers a cron task. To configure logrotate to run daily, add or correct the following line in '/etc/logrotate.conf ...

CCE-90681-8
Remove Rsh Trust Files The files '/etc/hosts.equiv' and '~/.rhosts' (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location: '$ sudo rm /etc/hosts.e ...

CCE-90914-3
Set SSH Idle Timeout Interval SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in '/etc/ssh/sshd_config' as follows: 'ClientAliveInterval

CCE-90937-4
Verify User Who Owns group File To properly set the owner of '/etc/group', run the command:

CCE-90704-8
Disable Quota Netlink (quota_nld) The 'quota_nld' service provides notifications to users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal th ...

CCE-90727-9
Restrict Information Published by Avahi If it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or ...

CCE-90848-3
Disable Core Dumps for All Users To disable core dumps for all users, add the following line to '/etc/security/limits.conf': '* hard core 0'

CCE-90825-1
Uninstall net-snmp Package The 'net-snmp' package provides the snmpd service. The 'net-snmp' package can be removed with the following command: '$ sudo yum erase net-snmp'

CCE-90617-2
Disable TIPC Support The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in Acluster. To configure the system to prevent the 'tipc' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90791-5
Disable MIME Magic The 'mime_magic' module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality is unnecessary, comment out the related module: '#LoadModule mime_magic_module modules/mod_mime_magic.so'

CCE-90739-4
Enable the NTP Daemon The 'ntpd' service can be enabled with the following command: '$ sudo systemctl enable ntpd'

CCE-90948-1
Set Password Minimum Age To specify password minimum age for new accounts, edit the file '/etc/login.defs' and add or correct the following line, replacing

CCE-90671-9
Ensure auditd Collects Information on Exporting to Media (successful) At a minimum the audit system should collect media exportation events for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the f ...

CCE-90716-2
Disable SSH Server If Possible (Unusual) The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. The 'sshd' service can be disabled with the following command: '$ sudo systemctl disable sshd' This is unusual, as SSH is a common method for encrypted and auth ...

CCE-90925-9
Disable DCCP Support The Datagram Congestion Control Protocol (DCCP) is Arelatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the 'dccp' kernel module from being loaded, add the following line to a file in the directory '/e ...

CCE-90694-1
Disable KDump Kernel Crash Analyzer (kdump) The 'kdump' service provides a kernel crash dump analyzer. It uses the 'kexec' system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The 'kdump' service ca ...

CCE-90607-3
Use Privacy Extensions for Address To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in '/etc/sysconfig/network-scripts/ifcfg-interface': 'IPV6_PRIVACY=rfc3041' Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. ...

CCE-90837-6
Disable Mounting of udf To configure the system to prevent the 'udf' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90814-5
Configure Dovecot to Use the SSL Key file This option tells Dovecot where to find the the mail server's SSL Key. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line (

CCE-90780-8
Disable FTP Uploads if Possible Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options: 'write_enable=NO' If FTP uploads are necessary, follow the guidance in the remainder of this sectio ...

CCE-90682-6
Uninstall ypserv Package The 'ypserv' package can be uninstalled with the following command: '$ sudo yum erase ypserv'

CCE-90913-5
Set Password Warning Age To specify how many days prior to password expiration that a warning will be issued to users, edit the file '/etc/login.defs' and add or correct the following line, replacing

CCE-90705-5
Disable Network Router Discovery Daemon (rdisc) The 'rdisc' service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default ...

CCE-90936-6
Limit Password Reuse Do not allow users to reuse recent passwords. This can be accomplished by using the 'remember' option for the 'pam_unix' PAM module. In the file '/etc/pam.d/system-auth', append 'remember=5' to the line which refers to the 'pam_unix.so' module, as shown: 'password sufficient ...

CCE-90728-7
Disable the CUPS Service The 'cups' service can be disabled with the following command: '$ sudo systemctl disable cups'

CCE-90890-5
Disable Kernel Parameter for Sending ICMP Redirects by Default To set the runtime status of the 'net.ipv4.conf.default.send_redirects' kernel parameter, run the following command:

CCE-90792-3
Disable WebDAV (Distributed Authoring and Versioning) WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules: #LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_mod ...

CCE-90849-1
Disable Core Dumps for SUID programs To set the runtime status of the 'fs.suid_dumpable' kernel parameter, run the following command:

CCE-90618-0
Install libreswan Package The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The 'libreswan' package can be installed with the following command: '$ sudo yum install libreswan'

CCE-90826-9
Configure SNMP Service to Use Only SNMPv3 or Newer Edit '/etc/snmp/snmpd.conf', removing any references to 'rocommunity', 'rwcommunity', or 'com2sec'. Upon doing that, restart the SNMP service: '$ sudo service snmpd restart'

CCE-90691-7
Disable Control Group Rules Engine (cgred) The 'cgred' service moves tasks into control groups according to parameters set in the '/etc/cgrules.conf' configuration file. The 'cgred' service can be disabled with the following command: '$ sudo systemctl disable cgred'

CCE-90713-9
Enable cron Service The 'crond' service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The 'crond' service can be enabled with the following command: '$ sudo systemc ...

CCE-90966-3
Verify that System Executables Have Root Ownership System executables are stored in the following directories by default: /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin All files in these directories should be owned by the 'root' user. If any file

CCE-90759-2
Specify UID and GID for Anonymous NFS Connections To specify the UID and GID for remote root users, edit the '/etc/exports' file and add the following for each export: anonuid='value greater than UID_MAX from /etc/login.defs' anongid='value greater than GID_MAX from /etc/login.defs' Alternativel ...

CCE-90868-1
Set Password to Maximum of Three Consecutive Repeating Characters The pam_pwquality module's 'maxrepeat' parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modif ...

CCE-90834-3
Disable Mounting of squashfs To configure the system to prevent the 'squashfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90857-4
Ensure No Daemons are Unconfined by SELinux Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the 'init' process, they inherit the 'initrc_t' context. To check for unconfined dae ...

CCE-90627-1
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over T ...

CCE-90977-0
Disable telnet Service The 'telnet' service configuration file '/etc/xinetd.d/telnet' is not created automatically. If it was created manually, check the '/etc/xinetd.d/telnet' file and ensure that 'disable = no' is changed to read 'disable = yes' as follows below: # description: The telnet server ...

CCE-90748-5
Configure Certificate Directives for LDAP Use of TLS Ensure a copy of a trusted CA certificate has been placed in the file '/etc/pki/tls/CA/cacert.pem'. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file '/etc/pam_ldap.conf', and add or correct eit ...

CCE-90931-7
Disable Automatic Bug Reporting Tool (abrtd) The Automatic Bug Reporting Tool ('abrtd') daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash repo ...

CCE-90725-3
Prevent Other Programs from Using Avahi's Port To prevent other mDNS stacks from running, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'disallow-other-stacks=yes'

CCE-90954-9
Remove telnet Clients The telnet client allows users to start connections to other systems via the telnet protocol.

CCE-90603-2
Disable Support for RPC IPv6 RPC services for NFSv4 try to load transport modules for 'udp6' and 'tcp6' by default, even if IPv6 has been disabled in '/etc/modprobe.d'. To prevent RPC services such as 'rpc.mountd' from attempting to start IPv6 network listeners, remove or comment out the following ...

CCE-90811-1
Disable Mounting of hfs To configure the system to prevent the 'hfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90800-4
Disable Mounting of jffs2 To configure the system to prevent the 'jffs2' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90823-6
Disable Mounting of hfsplus To configure the system to prevent the 'hfsplus' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90638-8
Configure auditd max_log_file_action Upon Reaching Maximum Log Size The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by 'auditd', add or correct the line in '/etc/audit/auditd.conf': 'max_log_file ...

CCE-90615-6
Set Default iptables Policy for Forwarded Packets To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in '/etc/sysconfig/iptables': ':FORWARD DROP [0:0]'

CCE-90736-0
Deny BOOTP Queries Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option: 'deny bootp;'

CCE-90869-9
Set Lockout Time For Failed Password Attempts To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using 'pam_faillock.so', modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as fol ...

CCE-90714-7
Disable anacron Service The 'cronie-anacron' package, which provides 'anacron' functionality, is installed by default. The 'cronie-anacron' package can be removed with the following command: '$ sudo yum erase cronie-anacron'

CCE-90692-5
Disable CPU Speed (cpuspeed) The 'cpuspeed' service can adjust the clock speed of supported CPUs based upon the current processing load thereby conserving power and reducing heat. The 'cpuspeed' service can be disabled with the following command: '$ sudo systemctl disable cpuspeed'

CCE-90737-8
Configure Logging Ensure that the following line exists in '/etc/rsyslog.conf': 'daemon.* /var/log/daemon.log' Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process.

CCE-90988-7
Enable SSH Warning Banner To enable the warning banner and ensure it is consistent across the system, add or correct the following line in '/etc/ssh/sshd_config': 'Banner /etc/issue' Another section contains information on how to create an appropriate system-wide warning banner.

CCE-90605-7
Disable Accepting IPv6 Redirects This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.

CCE-90812-9
Enable the SSL flag in /etc/dovecot.conf To allow clients to make encrypted connections the 'ssl' flag in Dovecot's configuration file needs to be set to 'yes'. Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line: 'ssl = yes'

CCE-90702-2
Enable Process Accounting (psacct) The process accounting service, 'psacct', works with programs including 'acct' and 'ac' to allow system administrators to view user activity, such as commands issued by users of the system. The 'psacct' service can be enabled with the following command: ' ...

CCE-90976-2
Set Password Strength Minimum Special Characters The pam_pwquality module's 'ocredit=' parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a posi ...

CCE-90953-1
Allow Only SSH Protocol 2 Only SSH protocol version 2 connections should be permitted. The default setting in '/etc/ssh/sshd_config' is correct, and can be verified by ensuring that the following line appears: 'Protocol 2'

CCE-90628-9
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to '/etc/rsyslog.conf' to enable reception of messages over U ...

CCE-90930-9
Disable Host-Based Authentication SSH's cryptographic host-based authentication is more secure than '.rhosts' authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following li ...

CCE-90726-1
Disable Avahi Publishing To prevent other mDNS stacks from running, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'disallow-other-stacks=yes'

CCE-90749-3
Uninstall openldap-servers Package The 'openldap-servers' package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. '$ sudo yum erase openldap-servers' The openldap-servers RPM is not installed by default on RHEL 7 machines. It is needed only by the O ...

CCE-90604-0
Disable Accepting IPv6 Router Advertisements To set the runtime status of the 'net.ipv6.conf.default.accept_ra' kernel parameter, run the following command:

CCE-90680-0
Disable rlogin Service The 'rlogin' service, which is available with the 'rsh-server' package and runs as a service through xinetd, should be disabled. The 'rlogin' service can be disabled with the following command: '$ sudo systemctl disable rlogin'

CCE-90835-0
Uninstall talk-server Package The 'talk-server' package can be removed with the following command: '$ sudo yum erase talk-server'

CCE-90824-4
Disable snmpd Service The 'snmpd' service can be disabled with the following command: '$ sudo systemctl disable snmpd'

CCE-90639-6
Configure auditd space_left Action on Low Disk Space The 'auditd' service can be configured to take an action when disk space

CCE-90616-4
Disable RDS Support The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the 'rds' kernel module from being loaded, add the following line t ...

CCE-90847-5
Set Daemon Umask The file '/etc/init.d/functions' includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for

CCE-90790-7
Disable Server Side Includes Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related mo ...

CCE-90922-6
Ensure SELinux State is Enforcing The SELinux state should be set to 'enforcing' at system boot time. In the file '/etc/selinux/config', add or correct the following line to configure the system to boot into enforcing mode: 'SELINUX=enforcing'

CCE-90945-7
Do Not Allow SSH Environment Options To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in '/etc/ssh/sshd_config': 'PermitUserEnvironment no'

CCE-90757-6
Configure statd to use static port Configure the 'statd' daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'STATD_PORT=statd-port' Where 'statd-port' is a port which is not used by ...

CCE-90636-2
Configure auditd Number of Logs Retained Determine how many log files 'auditd' should retain when it rotates logs. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90968-9
Set Password Hashing Algorithm in /etc/login.defs In '/etc/login.defs', add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: 'ENCRYPT_METHOD SHA512'

CCE-90613-1
Verify iptables Enabled The 'iptables' service can be enabled with the following command: '$ sudo systemctl enable iptables'

CCE-90820-2
Disable Squid The 'squid' service can be disabled with the following command: '$ sudo systemctl disable squid'

CCE-90832-7
Remove NIS Client The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ('ypbind') was used to bind a machine to an NIS server and receive the distributed configuration files ...

CCE-90648-7
Record Attempts to Alter the localtime File If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-w /etc/localtime -p wa -k audit_ti ...

CCE-90625-5
Ensure Logs Sent To Remote Host To configure rsyslog to send logs to a remote log server, open '/etc/rsyslog.conf' and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be ...

CCE-90602-4
Disable Interface Usage of IPv6 To disable interface usage of IPv6, add or correct the following lines in '/etc/sysconfig/network': NETWORKING_IPV6=no IPV6INIT=no

CCE-90910-1
Disable IPv6 Networking Support Automatic Loading To disable support for ('ipv6') add the following line to '/etc/sysctl.d/ipv6.conf' (or another file in '/etc/sysctl.d'): 'net.ipv6.conf.all.disable_ipv6 = 1' This disables IPv6 on all network interfaces as other services and system functionality re ...

CCE-90722-0
Serve Avahi Only via Required Protocol If you are using only IPv4, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line exists in the '[server]' section: 'use-ipv6=no' Similarly, if you are using only IPv6, disable IPv4 sockets with the line: 'use-ipv4=no'

CCE-90956-4
Set Password Hashing Algorithm in /etc/libuser.conf In '/etc/libuser.conf', add or correct the following line in its '[defaults]' section to ensure the system will use the SHA-512 algorithm for password hashing: 'crypt_style = sha512'

CCE-90933-3
Verify Permissions on passwd File To properly set the permissions of '/etc/passwd', run the command:

CCE-90746-9
Configure SMTP Greeting Banner Edit '/etc/postfix/main.cf', and add or correct the following line, substituting some other wording for the banner information if you prefer: 'smtpd_banner = $myhostname ESMTP'

CCE-90979-6
Verify Permissions on gshadow File To properly set the permissions of '/etc/gshadow', run the command:

CCE-90659-4
Record Events that Modify the System's Discretionary Access Controls - fremovexattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the defaul ...

CCE-90711-3
Disable Prelinking The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file '/etc/sysconfig/prelink': 'PRELINKING=no' Next, run the following command to return binaries to a normal, non-prelinked ...

CCE-90967-1
Set Password Minimum Length in login.defs To specify password length requirements for new accounts, edit the file '/etc/login.defs' and add or correct the following lines: 'PASS_MIN_LEN 14

CCE-90690-9
Disable Control Group Config (cgconfig) Control groups allow an administrator to allocate system resources (such as CPU, memory, network bandwidth, etc) among a defined group (or groups) of processes executing on a system. The 'cgconfig' daemon starts at boot and establishes the predefined control ...

CCE-90921-8
Verify User Who Owns shadow File To properly set the owner of '/etc/shadow', run the command:

CCE-90758-4
Configure mountd to use static port Configure the 'mountd' daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'MOUNTD_PORT=statd-port' Where 'mountd-port' is a port which is not use ...

CCE-90637-0
Configure auditd Max Log File Size Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting the correct value for

CCE-90821-0
Uninstall squid Package The 'squid' package can be removed with the following command: '$ sudo yum erase squid'

CCE-90833-5
Remove tftp Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP does not support authentication and can be easily hacked. The package 'tftp' is a client program that allows for connecti ...

CCE-90649-5
Record Events that Modify the System's Network Environment If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d', setting ARCH to eith ...

CCE-90879-8
Disable Interactive Boot To disable the ability for users to perform interactive startups, edit the file '/etc/sysconfig/init'. Add or correct the line: 'PROMPT=no' The 'PROMPT' option allows the console user to perform an interactive system startup, in which it is possible to select the set of ser ...

CCE-90626-3
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server The 'rsyslog' daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are

CCE-90769-1
Uninstall bind Package To remove the 'bind' package, which contains the 'named' service, run the following command: '$ sudo yum erase bind'

CCE-90747-7
Configure LDAP Client to Use TLS For All Transactions Configure LDAP to enforce TLS use. First, edit the file '/etc/pam_ldap.conf', and add or correct the following lines: 'ssl start_tls' Then review the LDAP server and ensure TLS has been configured.

CCE-90932-5
Ensure gpgcheck Enabled For All Yum Package Repositories To ensure signature checking is not disabled for any repos, remove any lines from files in '/etc/yum.repos.d' of the form: 'gpgcheck=0'

CCE-90955-6
Use Only Approved Ciphers Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in '/etc/ssh/sshd_config' demonstrates use of FIPS-approved ciphers: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes1 ...

CCE-90701-4
Disable Portreserve (portreserve) The 'portreserve' service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services. The 'portreserve' service can be disabled with the following command: '$ sudo systemc ...

CCE-90978-8
Verify User Who Owns gshadow File To properly set the owner of '/etc/gshadow', run the command:

CCE-90724-6
Check Avahi Responses' TTL Field To make Avahi ignore packets unless the TTL field is 255, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'check-response-ttl=yes'

CCE-90810-3
Uninstall dovecot Package The 'dovecot' package can be uninstalled with the following command: '$ sudo yum erase dovecot'

CCE-90614-9
Set Default iptables Policy for Incoming Packets To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in '/etc/sysconfig/iptables': ':INPUT DROP [0:0]'

CCE-90845-9
Configure Periodic Execution of AIDE To implement a daily execution of AIDE at 4:05am using cron, add the following line to '/etc/crontab': '05 4 * * * root /usr/sbin/aide --check' AIDE can be executed periodically through other means; this is merely one example.

CCE-90712-1
Disable Modprobe Loading of USB Storage Driver To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the 'usb-storage' kernel module from being loaded, add the following ...

CCE-90735-2
Deny Decline Messages Edit '/etc/dhcp/dhcpd.conf' and add or correct the following global option to prevent the DHCP server from responding the DHCPDECLINE messages, if possible: 'deny declines;'

CCE-90920-0
Set Interval For Counting Failed Password Attempts Utilizing 'pam_faillock.so', the 'fail_interval' directive configures the system to lock out accounts after a number of incorrect login attempts. Modify the content of both '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' as follows: add t ...

CCE-90732-9
Uninstall DHCP Server Package If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The 'dhcp' package can be removed with the following command: '$ sudo yum erase dhcp'

CCE-90887-1
Disable Zeroconf Networking Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route as ...

CCE-90611-5
Set Default ip6tables Policy for Incoming Packets To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in '/etc/sysconfig/ip6tables': ':INPUT DROP [0:0]' If changes were required, reload the ip6tables ...

CCE-90899-6
Disable Kernel Parameter for Accepting Secure Redirects By Default To set the runtime status of the 'net.ipv4.conf.default.secure_redirects' kernel parameter, run the following command:

CCE-90669-3
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) At a minimum the audit system should collect unauthorized file accesses for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), a ...

CCE-90950-7
Prevent Log In to Accounts With Empty Password If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the 'nullok' option in '/etc/pam.d/system-auth' to prevent logins ...

CCE-90973-9
Configure SELinux Policy The SELinux 'targeted' policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in '/etc/selinux/config': 'SELINUXTYPE=targeted' Other policies, such ...

CCE-90830-1
Uninstall mcstrans Package The 'mcstransd' daemon provides category label information to client processes requesting information. The label translations are defined in '/etc/selinux/targeted/setrans.conf'. The 'mcstrans' package can be removed with the following command: '$ sudo yum erase ...

CCE-90876-4
Ensure the Default Umask is Set Correctly in login.defs To ensure the default umask controlled by '/etc/login.defs' is set properly, add or correct the 'UMASK' setting in '/etc/login.defs' to read as follows: 'UMASK 077

CCE-90657-8
Record Events that Modify the System's Discretionary Access Controls - fchown At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ad ...

CCE-90865-7
Verify No netrc Files Exist The '.netrc' files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. ...

CCE-90778-2
Disable Mounting of cramfs To configure the system to prevent the 'cramfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90961-4
Verify Permissions on shadow File To properly set the permissions of '/etc/shadow', run the command:

CCE-90755-0
Configure lockd to use static UDP port Configure the 'lockd' daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'LOCKD_UDPPORT=lockd-port' Where 'lockd-port' is a port which is ...

CCE-90756-8
Disable the Automounter The 'autofs' daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as '/misc/cd'. However, this method of providing a ...

CCE-90733-7
Do Not Use Dynamic DNS To prevent the DHCP server from receiving DNS information from clients, edit '/etc/dhcp/dhcpd.conf', and add or correct the following global option: 'ddns-update-style none;'

CCE-90831-9
Uninstal rsh Package The 'rsh' package contains the client commands for the rsh services

CCE-90647-9
Record Attempts to Alter Time Through clock_settime If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 ...

CCE-90721-2
Disable Avahi Server Software The 'avahi-daemon' service can be disabled with the following command: '$ sudo systemctl disable avahi-daemon'

CCE-90744-4
Disable Postfix Network Listening Edit the file '/etc/postfix/main.cf' to ensure that only the following 'inet_interfaces' line appears: 'inet_interfaces = localhost'

CCE-90972-1
Set Password Retry Prompts Permitted Per-Session To configure the number of retry prompts that are permitted per-session: Edit the 'pam_pwquality.so' statement in '/etc/pam.d/system-auth' to show 'retry=3', or a lower value if site policy is more restrictive. The DoD requirement is a maximum of ...

CCE-90768-3
Disable DNS Server The 'named' service can be disabled with the following command: '$ sudo systemctl disable named'

CCE-90919-2
Install AIDE Install the AIDE package with the command: '$ sudo yum install aide'

CCE-90854-1
Restrict Access to Kernel Message Buffer To set the runtime status of the 'kernel.dmesg_restrict' kernel parameter, run the following command:

CCE-90646-1
Record Attempts to Alter Time Through stime If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d' for both 32 bit and 64 bit systems: ' ...

CCE-90877-2
Disable Ctrl-Alt-Del Reboot Activation By default, the system includes the following line in '/etc/init/control-alt-delete.conf' to reboot the system when the Ctrl-Alt-Del key sequence is pressed: 'exec /sbin/shutdown -r now "Control-Alt-Delete pressed"' To configure the system to log a message in ...

CCE-90658-6
Record Events that Modify the System's Discretionary Access Controls - fchownat At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90866-5
Set Last Logon/Access Notification To configure the system to notify users of last logon/access using 'pam_lastlog', add the following line immediately after 'session required pam_limits.so': 'session required pam_lastlog.so showfailed'

CCE-90779-0
Restrict Access to Anonymous Users if Possible Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option: 'loca ...

CCE-90710-5
Disable System Statistics Reset Service (sysstat) The 'sysstat' service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. The 'sysstat' service can be disabled with the following command: '$ sudo systemctl disable sysstat'

CCE-90960-6
Limit the Number of Concurrent Login Sessions Allowed Per User Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multi ...

CCE-90941-6
Verify that Shared Library Files Have Restrictive Permissions System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel ...

CCE-90964-8
Set Password Strength Minimum Lowercase Characters The pam_pwquality module's 'lcredit' parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number ...

CCE-90799-8
Restrict Root Directory The 'httpd' root directory should always have the most restrictive configuration enabled. <Directory / > Options None AllowOverride None Order allow,deny </Directory>

CCE-90987-9
Modify the System Login Banner To configure the system login banner: Edit '/etc/issue'. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: 'You are accessing a U.S. Government (USG) Information System (IS) that is ...

CCE-90776-6
Enable Logging of All FTP Transactions Add or correct the following configuration options within the 'vsftpd' configuration file, located at '/etc/vsftpd/vsftpd.conf': xferlog_enable=YES xferlog_std_format=NO log_ftp_protocol=YES

CCE-90655-2
Record Events that Modify the System's Discretionary Access Controls - fchmodat At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90885-5
Enable Smart Card Login To enable smart card authentication, consult the documentation at:

CCE-90632-1
Disable Logwatch on Clients if a Logserver Exists Does your site have a central logserver which has been configured to report on logs received from all systems? If so: $ sudo rm /etc/cron.daily/0logwatch If no logserver exists, it will be necessary for each machine to run Logwatch individual ...

CCE-90874-9
Ensure the Default C Shell Umask is Set Correctly To ensure the default umask for users of the C shell is set properly, add or correct the 'umask' setting in '/etc/csh.cshrc' to read as follows: 'umask 077

CCE-90644-6
Record attempts to alter time through settimeofday If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 - ...

CCE-90787-3
Disable HTTP mod_rewrite The 'mod_rewrite' module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has Asignificant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module: '#LoadModule rewr ...

CCE-90975-4
Verify All Account Password Hashes are Shadowed If any password hashes are stored in '/etc/passwd' (in the second field, instead of an 'x'), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account ...

CCE-90764-2
Use Root-Squashing on All Exports If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, a ...

CCE-90741-0
Specify Additional Remote NTP Servers Additional NTP servers can be specified for time synchronization in the file '/etc/ntp.conf'. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for

CCE-90952-3
Verify Group Who Owns group File To properly set the group owner of '/etc/group', run the command:

CCE-90742-8
Enable Postfix Service The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail ...

CCE-90765-9
Restrict NFS Clients to Privileged Ports By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over machines connected to its network, and if NFS requests are prohibited at the border firewall, this offers som ...

CCE-90620-6
Enable rsyslog Service The 'rsyslog' service provides syslog-style logging by default on RHEL 7. The 'rsyslog' service can be enabled with the following command: '$ sudo systemctl enable rsyslog'

CCE-90851-7
Enable Randomized Layout of Virtual Address Space To set the runtime status of the 'kernel.randomize_va_space' kernel parameter, run the following command:

CCE-90897-0
Disable Kernel Parameter for Accepting Source-Routed Packets By Default To set the runtime status of the 'net.ipv4.conf.default.accept_source_route' kernel parameter, run the following command:

CCE-90908-5
Disable Bluetooth Service The 'bluetooth' service can be disabled with the following command: '$ sudo systemctl disable bluetooth' '$ sudo service bluetooth stop'

CCE-90963-0
Disable SCTP Support The Stream Control Transmission Protocol (SCTP) is Atransport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the 'sctp' kernel module from being loaded, ...

CCE-90753-5
Disable Network File Systems (netfs) The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or mali ...

CCE-90730-3
Disable Print Server Capabilities To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cu ...

CCE-90986-1
Ensure auditd Collects File Deletion Events by User At a minimum the audit system should collect file deletion events for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a fil ...

CCE-90679-2
Disable rsh Service The 'rsh' service, which is available with the 'rsh-server' package and runs as a service through xinetd, should be disabled. The 'rsh' service can be disabled with the following command: '$ sudo systemctl disable rsh'

CCE-90875-6
Ensure the Default Umask is Set Correctly in /etc/profile To ensure the default umask controlled by '/etc/profile' is set properly, add or correct the 'umask' setting in '/etc/profile' to read as follows: 'umask 077

CCE-90898-8
Disable Kernel Parameter for Accepting ICMP Redirects By Default To set the runtime status of the 'net.ipv4.conf.default.accept_redirects' kernel parameter, run the following command:

CCE-90668-5
Record Attempts to Alter Process and Session Initiation Information The audit system already collects process information for all users and root. To watch for attempted manual edits of files involved in storing such process information, add the following to '/etc/audit/audit.rules': -w /var/run/ut ...

CCE-90788-1
Disable LDAP Support The 'ldap' module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modules: #LoadModule ldap_module modules/mod_ldap.so #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so If LDAP is to be used, SSL encryptio ...

CCE-90951-5
Disable SSH Support for .rhosts Files SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via '.rhosts' files. To ensure this behavior is disabled, add or correct the following line in '/etc/ssh/sshd_config': 'IgnoreRhosts yes'

CCE-90974-7
Verify User Who Owns passwd File To properly set the owner of '/etc/passwd', run the command:

CCE-90789-9
Disable Mounting of freevxfs To configure the system to prevent the 'freevxfs' kernel module from being loaded, add the following line to a file in the directory '/etc/modprobe.d':

CCE-90766-7
Ensure Insecure File Locking is Not Allowed By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when ...

CCE-90743-6
Uninstall Sendmail Package Sendmail is not the default mail transfer agent and is not installed by default. The 'sendmail' package can be removed with the following command: '$ sudo yum erase sendmail'

CCE-90852-5
Install PAE Kernel on Supported 32-bit x86 Systems Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined ...

CCE-90633-9
Enable auditd Service The 'auditd' service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The 'auditd' service can be enabled with the following command: '$ sudo systemctl enable auditd'

CCE-90909-3
Disable Bluetooth Kernel Modules The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate '/etc/modprobe.d' configuration file to prevent the loading of the Bluetooth module: 'install bluetooth /bin/true'

CCE-90754-3
Configure lockd to use static TCP port Configure the 'lockd' daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file '/etc/sysconfig/nfs'. Add or correct the following line: 'LOCKD_TCPPORT=lockd-port' Where 'lockd-port' is a port which is ...

CCE-90777-4
Create Warning Banners for All FTP Users Edit the vsftpd configuration file, which resides at '/etc/vsftpd/vsftpd.conf' by default. Add or correct the following configuration options: 'banner_file=/etc/issue'

CCE-90962-2
Set Password Hashing Algorithm in /etc/pam.d/system-auth In '/etc/pam.d/system-auth', the 'password' section of the file controls which PAM modules execute during a password change. Set the 'pam_unix.so' module in the 'password' section to include the argument 'sha512', as shown below: 'password ...

CCE-90985-3
Record Events that Modify User/Group Information If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d', in order to capture events tha ...

CCE-90731-1
Disable DHCP Service The 'dhcpd' service should be disabled on any system that does not need to act as a DHCP server. The 'dhcpd' service can be disabled with the following command: '$ sudo systemctl disable dhcpd'

CCE-90699-0
Disable Odd Job Daemon (oddjobd) The 'oddjobd' service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with 'oddjobd' through the system message bus. The 'oddjobd' service can ...

CCE-90751-9
Disable Secure RPC Client Service (rpcgssd) The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. ...

CCE-90928-3
Verify /boot/grub2/grub.cfg User Ownership The file '/boot/grub2/grub.cfg' should be owned by the 'root' user to prevent destruction or modification of the file. To properly set the owner of '/boot/grub2/grub.cfg', run the command:

CCE-90653-7
Record Events that Modify the System's Discretionary Access Controls - chown At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add ...

CCE-90630-5
Configure Logwatch HostLimit Line On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The 'HostLimit' setting tells Logwatch to report on all hosts, not just the one on which it is running. ' HostLimit = no ...

CCE-90860-8
Restrict Virtual Console Root Logins To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in '/etc/securetty': vc/1 vc/2 vc/3 vc/4

CCE-90785-7
Set httpd ServerSignature Directive to Off 'ServerSignature Off' restricts 'httpd' from displaying server version number on error pages. Add or correct the following directive in '/etc/httpd/conf/httpd.conf': 'ServerSignature Off'

CCE-90939-0
Verify Permissions on group File To properly set the permissions of '/etc/group', run the command:

CCE-90664-4
Record Events that Modify the System's Discretionary Access Controls - removexattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default ...

CCE-90687-5
Disable Advanced Configuration and Power Interface (acpid) The Advanced Configuration and Power Interface Daemon ('acpid') dispatches ACPI events (such as power/reset button depressed) to userspace programs. The 'acpid' service can be disabled with the following command: '$ sudo systemctl ...

CCE-90895-4
Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.secure_redirects' kernel parameter, run the following command:

CCE-90916-8
Set Password Strength Minimum Different Characters The pam_pwquality module's 'difok' parameter controls requirements for usage of different characters during a password change. Modify the 'difok' setting in '/etc/security/pwquality.conf' to require differing characters when changing passwords. The ...

CCE-90641-2
Configure auditd mail_acct Action on Low Disk Space The 'auditd' service can be configured to send email to a designated account in certain situations. Add or correct the following line in '/etc/audit/auditd.conf' to ensure that administrators are notified via email for those situations: 'action_ma ...

CCE-90884-8
Install the screen Package To enable console screen locking, install the 'screen' package: '$ sudo yum install screen' Instruct users to begin new terminal sessions with the following command: '$ screen' The console can now be locked with the following key combination: 'ctrl+a x'

CCE-90676-8
Uninstall rsh-server Package The 'rsh-server' package can be uninstalled with the following command: '$ sudo yum erase rsh-server'

CCE-90808-7
Set Permissions on All Configuration Files Inside /etc/httpd/conf/ Set permissions on the web server configuration files to 640: '$ sudo chmod 640 /etc/httpd/conf/*'

CCE-90980-4
Set Password Strength Minimum Digit Characters The pam_pwquality module's 'dcredit' parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 ...

CCE-90797-2
Disable Cache Support The 'cache' module allows 'httpd' to cache data, optimizing access to frequently accessed content. However, it introduces potential security flaws such as the possibility of circumventing 'Allow' and 'Deny' directives. If this functionality is unnecessary, comment out the mod ...

CCE-90774-1
Uninstall vsftpd Package The 'vsftpd' package can be removed with the following command: '$ sudo yum erase vsftpd'

CCE-90927-5
Ensure Software Patches Installed If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: '$ sudo yum update' If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be ...

CCE-90654-5
Record Events that Modify the System's Discretionary Access Controls - fchmod At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ad ...

CCE-90861-6
Restrict Serial Port Root Logins To restrict root logins on serial ports, ensure lines of this form do not appear in '/etc/securetty': ttyS0 ttyS1

CCE-90631-3
Configure Logwatch SplitHosts Line If 'SplitHosts' is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that information is almost always necessar ...

CCE-90850-9
Enable ExecShield By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in '/etc/default/grub'. For Red Hat Enterprise Linux 7 32-bit systems, 'sysctl' can be used to enable ExecShield.

CCE-90643-8
Record attempts to alter time through adjtimex If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-a always,exit -F arch=b32 -S ad ...

CCE-90786-5
Disable HTTP Digest Authentication The 'auth_digest' module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related module: '#LoadModule auth_digest_module modules/mod_auth_digest.so'

CCE-90666-9
Record Attempts to Alter Logon and Logout Events The audit system already collects login info for all users and root. To watch for attempted manual edits of files involved in storing logon events, add the following to '/etc/audit/audit.rules': '-w /var/log/faillog -p wa -k logins -w /var/log/lastlo ...

CCE-90740-2
Specify a Remote NTP Server To specify a remote NTP server for time synchronization, edit the file '/etc/ntp.conf'. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for

CCE-90915-0
Set Password Minimum Length The pam_pwquality module's 'minlen' parameter controls requirements for minimum characters required in a password. Add 'minlen=15' after pam_pwquality to set minimum password length requirements.

CCE-90665-1
Record Events that Modify the System's Discretionary Access Controls - setxattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90688-3
Disable Certmonger Service (certmonger) Certmonger is a D-Bus based service that attempts to simplify interaction with certifying authorities on networks which use public-key infrastructure. It is often combined with Red Hat's IPA (Identity Policy Audit) security information management solution to ...

CCE-90938-2
Disable SSH Root Login The root user should never be allowed to login to Asystem directly over a network. To disable root login via SSH, add or correct the following line in '/etc/ssh/sshd_config': 'PermitRootLogin no'

CCE-90873-1
Ensure the Default Bash Umask is Set Correctly To ensure the default umask for users of the Bash shell is set properly, add or correct the 'umask' setting in '/etc/bashrc' to read as follows: 'umask 077

CCE-90896-2
Enable Kernel Parameter to Log Martian Packets To set the runtime status of the 'net.ipv4.conf.all.log_martians' kernel parameter, run the following command:

CCE-90642-0
Configure auditd to use audispd plugin To configure the 'auditd' service to use the 'audispd' plugin, set the 'active' line in '/etc/audisp/plugins.d/syslog.conf' to 'yes'. Restart the 'auditd'service: '$ sudo service auditd restart'

CCE-90677-6
Disable rexec Service The 'rexec' service, which is available with the 'rsh-server' package and runs as a service through xinetd, should be disabled. The 'rexec' service can be disabled with the following command: '$ sudo systemctl disable rexec'

CCE-90752-7
Disable RPC ID Mapping Service (rpcidmapd) The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The 'rpcidmapd' service can be disabled with the following command: ' ...

CCE-90809-5
Disable Dovecot Service The 'dovecot' service can be disabled with the following command: '$ sudo systemctl disable dovecot'

CCE-90798-0
Disable CGI Support The 'cgi' module allows HTML to interact with the CGI web programming language. If this functionality is unnecessary, comment out the module: '#LoadModule cgi_module modules/mod_cgi.so'

CCE-90651-1
Record Events that Modify the System's Mandatory Access Controls If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following line to a file with suffix '.rules' in the directory '/etc/audit/rules.d': '-w /etc/selinu ...

CCE-90674-3
Disable xinetd Service The 'xinetd' service can be disabled with the following command: '$ sudo systemctl disable xinetd'

CCE-90697-4
Disable Network Console (netconsole) The 'netconsole' service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to Asyslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The 'netconsole' ...

CCE-90760-0
Disable Network File System (nfs) The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local machine. If the local machine is not designated as a NFS server then this service should be disabled. The 'nfs' service can be disabled with th ...

CCE-90971-3
Ensure auditd Collects Information on Kernel Module Loading and Unloading If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add the following lines to a file with suffix '.rules' in the directory '/etc/audit/rules.d' to cap ...

CCE-90783-2
Uninstall httpd Package The 'httpd' package can be removed with the following command: '$ sudo yum erase httpd'

CCE-90662-8
Record Events that Modify the System's Discretionary Access Controls - lremovexattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the defaul ...

CCE-90918-4
Verify that Shared Library Files Have Root Ownership System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64 Kernel modules, which can be added to the kernel during r ...

CCE-90893-9
Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.accept_source_route' kernel parameter, run the following command:

CCE-90708-9
Disable Cyrus SASL Authentication Daemon (saslauthd) The 'saslauthd' service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy aut ...

CCE-90806-1
Set Permissions on the /var/log/httpd/ Directory Ensure that the permissions on the web server log directory is set to 700: '$ sudo chmod 700 /var/log/httpd/' This is its default setting.

CCE-90829-3
Uninstall setroubleshoot Package The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The 'setroubleshoot' package can be removed with the following command: ...

CCE-90982-0
Require Authentication for Single User Mode Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. By default, single-user mode is ...

CCE-90795-6
Disable URL Correction on Misspelled Entries The 'speling' module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality is unnecessary, comment out the module: '#LoadModule speling_module modules/mod_speling.so' This functionality weaken ...

CCE-90904-4
Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.rp_filter' kernel parameter, run the following command:

CCE-90675-0
Uninstall xinetd Package The 'xinetd' package can be uninstalled with the following command: '$ sudo yum erase xinetd'

CCE-90698-2
Disable ntpdate Service (ntpdate) The 'ntpdate' service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in '/etc/ntp/step-tickers' or '/etc/ntp.conf' and then sets the local hardware clock to the newly synchronized system time. ...

CCE-90929-1
Disable SSH Access via Empty Passwords To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in '/etc/ssh/sshd_config': 'PermitEmptyPasswords no' Any accounts with empty passwords should be disabled immediately, and PAM configuration should preven ...

CCE-90784-0
Set httpd ServerTokens Directive to Prod 'ServerTokens Prod' restricts information in page headers, returning only the word "Apache." Add or correct the following directive in '/etc/httpd/conf/httpd.conf': 'ServerTokens Prod'

CCE-90761-8
Disable Secure RPC Server Service (rpcsvcgssd) The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be d ...

CCE-90818-6
Require Client SMB Packet Signing, if using smbclient To require samba clients running 'smbclient' to use packet signing, add the following to the '[global]' section of the Samba configuration file, '/etc/samba/smb.conf': 'client signing = mandatory' Requiring samba clients such as 'smbclient' to u ...

CCE-90663-6
Record Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), ...

CCE-90686-7
Ensure tftp Daemon Uses Secure Mode If running the 'tftp' service is necessary, it should be configured to change its root directory at startup. To do so, ensure '/etc/xinetd.d/tftp' includes '-s' as a command line argument, as shown in the following example (which is also the default): 'server_arg ...

CCE-90709-7
Disable SMART Disk Monitoring Service (smartd) SMART (Self-Monitoring, Analysis, and Reporting Technology) is Afeature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. The 'smartd' service can be disabled with the following command: '$ s ...

CCE-90917-6
Verify Group Who Owns passwd File To properly set the group owner of '/etc/passwd', run the command:

CCE-90894-7
Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces To set the runtime status of the 'net.ipv4.conf.all.accept_redirects' kernel parameter, run the following command:

CCE-90640-4
Configure auditd admin_space_left Action on Low Disk Space The 'auditd' service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting

CCE-90750-1
Disable Network File System Lock Service (nfslock) The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local machine is not configured to mount NFS filesystems then this service should be di ...

CCE-90652-9
Record Events that Modify the System's Discretionary Access Controls - chmod At a minimum the audit system should collect file permission changes for all users and root. If the 'auditd' daemon is configured to use the 'augenrules' program to read audit rules during daemon startup (the default), add ...

CCE-90796-4
Disable Proxy Support The 'proxy' module provides proxying support, allowing 'httpd' to forward requests and serve as a gateway for other servers. If its functionality is unnecessary, comment out the module: '#LoadModule proxy_module modules/mod_proxy.so'

CCE-90981-2
Uninstall telnet-server Package The 'telnet-server' package can be uninstalled with the following command: '$ sudo yum erase telnet-server'

CCE-90773-3
Disable vsftpd Service The 'vsftpd' service can be disabled with the following command: '$ sudo systemctl disable vsftpd'

CCE-90905-1
Enable Kernel Parameter to Use Reverse Path Filtering by Default To set the runtime status of the 'net.ipv4.conf.default.rp_filter' kernel parameter, run the following command:

CCE-90807-9
Set Permissions on the /etc/httpd/conf/ Directory Set permissions on the web server configuration directory to 750: '$ sudo chmod 750 /etc/httpd/conf/'

CPE    1
cpe:/o:redhat:enterprise_linux:7
*XCCDF
xccdf_org.secpod_benchmark_general_RHEL_7
OVAL    312
oval:org.secpod.oval:def:30560
oval:org.secpod.oval:def:30440
oval:org.secpod.oval:def:30561
oval:org.secpod.oval:def:30320
...

© SecPod Technologies