Download
| Alert*
oval:org.secpod.oval:def:87332
Emulation of the rsh command through the ssh server should be disabled (and dependencies are met) oval:org.secpod.oval:def:87299 File permissions for '/etc/group' should be set correctly. oval:org.secpod.oval:def:87297 The root account is the only system account that should have a login shell. oval:org.secpod.oval:def:87298 This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:87293 The Set Password Warning Age should be set appropriately. oval:org.secpod.oval:def:87327 This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root ... oval:org.secpod.oval:def:87328 The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user a ... oval:org.secpod.oval:def:87323 The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. oval:org.secpod.oval:def:87324 SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. oval:org.secpod.oval:def:87288 The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. oval:org.secpod.oval:def:87286 The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub. oval:org.secpod.oval:def:87284 There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the syste ... oval:org.secpod.oval:def:87285 The grub boot loader should have password protection enabled. oval:org.secpod.oval:def:87283 The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ... oval:org.secpod.oval:def:87318 The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user ... oval:org.secpod.oval:def:87319 Access permission for '/etc/cron.monthly' is set to appropriate values. oval:org.secpod.oval:def:87317 Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ... oval:org.secpod.oval:def:87350 SOMETHING HERE oval:org.secpod.oval:def:87351 Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Rationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden. Note: This re ... oval:org.secpod.oval:def:87347 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp. oval:org.secpod.oval:def:87348 sudo can be configured to run only from a psuedo-pty. Rationale: Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing. oval:org.secpod.oval:def:87345 The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp. oval:org.secpod.oval:def:87346 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp. oval:org.secpod.oval:def:87343 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp. oval:org.secpod.oval:def:87344 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp. oval:org.secpod.oval:def:87341 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. oval:org.secpod.oval:def:87342 The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. oval:org.secpod.oval:def:87340 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions. oval:org.secpod.oval:def:87338 sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. Rationale: sudo supports a plugin arch ... oval:org.secpod.oval:def:87339 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. oval:org.secpod.oval:def:87376 Any account with UID 0 has superuser privileges on the system. Rationale: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 ... oval:org.secpod.oval:def:87377 An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. oval:org.secpod.oval:def:87374 The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: Thes ... oval:org.secpod.oval:def:87375 The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group. Rationale: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain re ... oval:org.secpod.oval:def:87372 The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: The ... oval:org.secpod.oval:def:87373 The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: The ... oval:org.secpod.oval:def:87367 The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Rationale: The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but nee ... oval:org.secpod.oval:def:87365 The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information Rationale: If attackers can gain read access to the /etc/gshadow file, they can easily run a password ... oval:org.secpod.oval:def:87366 The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. Rationale: It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is pro ... oval:org.secpod.oval:def:87361 AppArmor profiles define what resources applications are able to access. oval:org.secpod.oval:def:87360 The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user. Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users. oval:org.secpod.oval:def:87310 File permission for '/etc/ssh/sshd_config' is set to appropriate values. oval:org.secpod.oval:def:87273 Core dumps for all users should be disabled oval:org.secpod.oval:def:87390 Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name. Rationale: If a group is assigned a duplicate group name, it will create and have access to files with ... oval:org.secpod.oval:def:87391 nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and outp ... oval:org.secpod.oval:def:87309 This test makes sure that '/etc/shadow' file permission is set as appropriate. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:87306 The maximum password age policy should meet minimum requirements. oval:org.secpod.oval:def:87389 Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name. Rationale: If a user is assigned a duplicate user name, it will create and have access to files with the ... oval:org.secpod.oval:def:87302 The accounts should be configured to expire automatically following Inactivity accounts. oval:org.secpod.oval:def:87387 Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Rationale: Users must be assigned unique UIDs for accountability and to ensure appropriate access pro ... oval:org.secpod.oval:def:87388 Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field. Rationale: User groups must be assigned unique GIDs for accountability and to ensure appropriate a ... oval:org.secpod.oval:def:87300 This variable limits the types of ciphers that SSH can use during communication. oval:org.secpod.oval:def:87264 The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive ... oval:org.secpod.oval:def:87385 chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. Rationale: If chrony is in use on the system proper configuration is vital to ensuring time synchroniza ... oval:org.secpod.oval:def:87386 Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group. Rationale: Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly ma ... oval:org.secpod.oval:def:87383 While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these. Rationale: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's syste ... oval:org.secpod.oval:def:87384 While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. Rationale: .netrcfiles may contain unencrypted passwords that may be used to attack other systems. oval:org.secpod.oval:def:87381 The .netrc file contains data for logging into a remote host for file transfers via FTP. Rationale: The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from ... oval:org.secpod.oval:def:87382 The .forward file specifies an email address to forward the user's mail to. Rationale: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execut ... oval:org.secpod.oval:def:87380 While no .rhosts files are shipped by default, users can easily create them. Rationale: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf . Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , they may have ... oval:org.secpod.oval:def:87417 MAC algorithms being used during ssh can be limited by defining them in sshd_config file. oval:org.secpod.oval:def:87418 UsePAM Enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types oval:org.secpod.oval:def:87414 The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds. Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn' ... oval:org.secpod.oval:def:87411 System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Rationale: Time synchronization is important to support time sens ... oval:org.secpod.oval:def:87379 While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system ... oval:org.secpod.oval:def:87412 Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion. |