oval:org.secpod.oval:def:86915
systemd-coredump file should be configured properly

oval:org.secpod.oval:def:86909
The system login banner text should be set correctly for remote login users.

oval:org.secpod.oval:def:86908
The system login banner text should be set correctly.

oval:org.secpod.oval:def:86907
The contents of the /etc/issue file are displayed to users prior to login for local terminals.

oval:org.secpod.oval:def:84227
Ensure ip6tables is enabled and running

oval:org.secpod.oval:def:84204
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivil ...

oval:org.secpod.oval:def:84267
If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.

oval:org.secpod.oval:def:84244
Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automat ...

oval:org.secpod.oval:def:84248
All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

oval:org.secpod.oval:def:84240
iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

oval:org.secpod.oval:def:84229
The dovecot service should be disabled if possible.

oval:org.secpod.oval:def:84213
The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.

oval:org.secpod.oval:def:84274
chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a ...

oval:org.secpod.oval:def:84241
Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters. Rationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.

oval:org.secpod.oval:def:84287
Verify that Shared Library Files Have Root Ownership (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately.

oval:org.secpod.oval:def:84290
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:84260
Ensure mounting of FAT filesystems is limited

oval:org.secpod.oval:def:84297
Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/iptables).

oval:org.secpod.oval:def:84238
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.

oval:org.secpod.oval:def:84228
Ensure cron daemon is enabled and running

oval:org.secpod.oval:def:84254
The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems.

oval:org.secpod.oval:def:84258
The requirement for a password to boot into single-user mode should be configured correctly.

oval:org.secpod.oval:def:84239
Ensure LDAP Client is not installed

oval:org.secpod.oval:def:84252
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.

oval:org.secpod.oval:def:84247
Ensure users' home directories permissions are 750 or more restrictive

oval:org.secpod.oval:def:84210
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:84255
The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories ...

oval:org.secpod.oval:def:84246
Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ...

oval:org.secpod.oval:def:84200
Disable Automounting

oval:org.secpod.oval:def:84256
The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in.

oval:org.secpod.oval:def:84209
Since the /var/tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:84224
Ensure iptables is enabled and running

oval:org.secpod.oval:def:84218
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.

oval:org.secpod.oval:def:84251
Ensure sudo log file exists

oval:org.secpod.oval:def:84259
Ensure rsyslog default file permissions configured

oval:org.secpod.oval:def:84299
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP ...

oval:org.secpod.oval:def:84249
The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

oval:org.secpod.oval:def:84277
A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources.

oval:org.secpod.oval:def:84280
The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.

oval:org.secpod.oval:def:84291
Ensure no duplicate group names exist

oval:org.secpod.oval:def:84272
TMOUT is an environmental setting that determines the timeout of a shell in seconds.

oval:org.secpod.oval:def:84205
Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:84293
Audit rules should detect modification to system files that hold information about users and groups.

oval:org.secpod.oval:def:84236
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84289
File permissions for /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin and /usr/local/sbin should be set correctly.

oval:org.secpod.oval:def:84298
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The /var/run/faillock directory maint ...

oval:org.secpod.oval:def:84275
Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.

oval:org.secpod.oval:def:84263
Ensure auditd service is enabled and running

oval:org.secpod.oval:def:84203
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

oval:org.secpod.oval:def:84281
It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.

oval:org.secpod.oval:def:84294
Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:84223
Ensure inactive password lock is 30 days or less

oval:org.secpod.oval:def:84201
SELinux gives that extra layer of security to the resources in the system. It provides the MAC (mandatory access control) as contrary to the DAC (Discretionary access control).

oval:org.secpod.oval:def:84250
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them.

oval:org.secpod.oval:def:84234
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84219
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.

oval:org.secpod.oval:def:84233
The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to use ...

oval:org.secpod.oval:def:84220
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables.

oval:org.secpod.oval:def:84269
auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to the disk.

oval:org.secpod.oval:def:84286
Verify that Shared Library Files Have Restrictive Permissions (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately.

oval:org.secpod.oval:def:84271
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...

oval:org.secpod.oval:def:84237
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84206
Since the /tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:84214
There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.

oval:org.secpod.oval:def:84222
Ensure journald is configured to write logfiles to persistent disk

oval:org.secpod.oval:def:84295
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback net ...

oval:org.secpod.oval:def:84276
If a user's recorded password change date is in the future then they could bypass any set password expiration.

oval:org.secpod.oval:def:84262
Ensure mail transfer agent is configured for local-only mode

oval:org.secpod.oval:def:84282
The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:84230
Ensure ntp is configured

oval:org.secpod.oval:def:84257
sudo can be configured to run only from a pseudo-pty

oval:org.secpod.oval:def:84285
Ensure no duplicate user names exist

oval:org.secpod.oval:def:84225
Ensure rsyslog Service is enabled and running

oval:org.secpod.oval:def:84231
Ensure no users have .forward files

oval:org.secpod.oval:def:84243
The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ...

oval:org.secpod.oval:def:84278
The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:84300
Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:84296
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...

oval:org.secpod.oval:def:84221
Ensure journald is configured to send logs to rsyslog

oval:org.secpod.oval:def:84266
Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed.

oval:org.secpod.oval:def:84235
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84207
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:84216
There are two important reasons to ensure that data gathered by is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ...

oval:org.secpod.oval:def:84265
The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:84208
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:84273
Ensure default group for the root account is GID 0

oval:org.secpod.oval:def:84270
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...

oval:org.secpod.oval:def:84242
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system ...

oval:org.secpod.oval:def:84245
Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written t ...

oval:org.secpod.oval:def:84253
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site po ...

oval:org.secpod.oval:def:84211
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:84288
Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

oval:org.secpod.oval:def:84284
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:84202
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unau ...

oval:org.secpod.oval:def:84212
The /home directory is used to support disk storage needs of local users.

oval:org.secpod.oval:def:84283
It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information.

oval:org.secpod.oval:def:84261
Ensure use of privileged commands is collected

oval:org.secpod.oval:def:84232
The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.

oval:org.secpod.oval:def:84292
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:84264
All password hashes should be shadowed.

oval:org.secpod.oval:def:84226
Ensure firewalld service is enabled and running

oval:org.secpod.oval:def:84215
There are two important reasons to ensure that data gathered by is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ...

oval:org.secpod.oval:def:84279
The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.

oval:org.secpod.oval:def:84097
The RPM package tftp should be installed.

oval:org.secpod.oval:def:84019
num_logs setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:84138
The RPM package aide should be installed.

oval:org.secpod.oval:def:84083
SSL capabilities should be enabled for the mail server.

oval:org.secpod.oval:def:84034
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84195
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into ...

oval:org.secpod.oval:def:84057
Limit Users SSH Access should be configured appropriately.

oval:org.secpod.oval:def:84122
The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1".

oval:org.secpod.oval:def:84012
The RPM package libreswan should be installed.

oval:org.secpod.oval:def:84140
The /etc/shadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:84016
The 'rsyslog' to Accept Messages via TCP, if Acting As Log Server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84082
The kernel module hfs should be disabled.

oval:org.secpod.oval:def:84162
The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met)

oval:org.secpod.oval:def:84139
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:84077
The RPM package httpd should be removed.

oval:org.secpod.oval:def:84124
The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:84173
The SELinux policy should be set appropriately.

oval:org.secpod.oval:def:84027
Record attempts to alter time through clock_settime.

oval:org.secpod.oval:def:84052
The RPM package tftp-server should be removed.

oval:org.secpod.oval:def:84046
Audit rules that detect the mounting of filesystems should be enabled.

oval:org.secpod.oval:def:84163
The maximum number of concurrent login sessions per user should meet minimum requirements.

oval:org.secpod.oval:def:84113
The default umask for users of the csh shell

oval:org.secpod.oval:def:84045
Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled

oval:org.secpod.oval:def:84135
The password minclass should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84095
The RPM package rsh should be installed.

oval:org.secpod.oval:def:84198
To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.

oval:org.secpod.oval:def:84064
Postfix network listening should be disabled

oval:org.secpod.oval:def:84086
Plaintext authentication of mail clients should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84136
The password difok should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84069
Ensure Insecure File Locking is Not Allowed (/etc/exports) should be configured appropriately.

oval:org.secpod.oval:def:84033
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84109
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.

oval:org.secpod.oval:def:84015
rsyslogd should reject remote messages

oval:org.secpod.oval:def:84066
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:84035
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84042
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84105
The kernel runtime parameter "kernel.randomize_va_space" should be set to "2".

oval:org.secpod.oval:def:84132
The root account is the only system account that should have a login shell.

oval:org.secpod.oval:def:84157
The /etc/group file should be owned by the appropriate group.

oval:org.secpod.oval:def:84144
Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met).

oval:org.secpod.oval:def:84192
Ensure only strong MAC algorithms are used

oval:org.secpod.oval:def:84061
A remote chrony Server for time synchronization should be specified (and dependencies are met)

oval:org.secpod.oval:def:84079
The kernel module jffs2 should be disabled.

oval:org.secpod.oval:def:84014
Syslog logs should be sent to a remote loghost

oval:org.secpod.oval:def:84159
The RPM package telnet should be installed.

oval:org.secpod.oval:def:84125
The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:84197
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.

oval:org.secpod.oval:def:84081
The RPM package dovecot should be removed.

oval:org.secpod.oval:def:84196
When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based on IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access ...

oval:org.secpod.oval:def:84006
The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:84068
Specify UID and GID for Anonymous NFS Connections (/etc/exports) should be configured appropriately.

oval:org.secpod.oval:def:84013
The RPM package rsyslog should be installed.

oval:org.secpod.oval:def:84080
The mod_security package installation should be configured appropriately.

oval:org.secpod.oval:def:84184
Ensure nftables is not installed or stopped and masked

oval:org.secpod.oval:def:84166
The kernel module sctp should be disabled.

oval:org.secpod.oval:def:84183
Ensure nfs-utils is not installed or the nfs-server service is masked

oval:org.secpod.oval:def:84170
The '/etc/shadow' file should be owned by the appropriate group.

oval:org.secpod.oval:def:84011
The kernel module tipc should be disabled.

oval:org.secpod.oval:def:84187
An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authent ...

oval:org.secpod.oval:def:84191
An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and ...

oval:org.secpod.oval:def:84175
The password ocredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84020
max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:84128
The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1".

oval:org.secpod.oval:def:84180
Audit files deletion events.

oval:org.secpod.oval:def:84053
Disable Prelinking (/etc/sysconfig/prelink) should be configured appropriately.

oval:org.secpod.oval:def:84119
The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0".

oval:org.secpod.oval:def:84021
max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:84178
The password dcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84038
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84094
The RPM package mcstrans should be installed.

oval:org.secpod.oval:def:84149
The /etc/group file should be owned by the appropriate user.

oval:org.secpod.oval:def:84158
Only SSH protocol version 2 connections should be permitted.

oval:org.secpod.oval:def:84024
action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account

oval:org.secpod.oval:def:84156
Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)

oval:org.secpod.oval:def:84131
The kernel module bluetooth should be disabled.

oval:org.secpod.oval:def:84186
Ensure rsync is not installed or the rsyncd service is masked

oval:org.secpod.oval:def:84161
The password hashing algorithm should be set correctly in /etc/libuser.conf.

oval:org.secpod.oval:def:84085
Configure Dovecot to Use the SSL Key file should be configured appropriately.

oval:org.secpod.oval:def:84071
The RPM package vsftpd should be removed.

oval:org.secpod.oval:def:84176
The /etc/gshadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:84008
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/iptables).

oval:org.secpod.oval:def:84009
IP forwarding should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84174
The /etc/passwd file should be owned by the appropriate user.

oval:org.secpod.oval:def:84096
The RPM package ypbind should be installed.

oval:org.secpod.oval:def:84025
Record attempts to alter time through adjtimex.

oval:org.secpod.oval:def:84127
The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1".

oval:org.secpod.oval:def:84193
To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.

oval:org.secpod.oval:def:84148
The passwords to remember should be set correctly.

oval:org.secpod.oval:def:84151
File permissions for '/etc/group' should be set correctly.

oval:org.secpod.oval:def:84039
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84078
The kernel module freevxfs should be disabled.

oval:org.secpod.oval:def:84041
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84114
The default umask for all users should be set correctly

oval:org.secpod.oval:def:84121
The kernel runtime parameter "net.ipv4.conf.all.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:84044
Audit rules should capture information about session initiation.

oval:org.secpod.oval:def:84152
PermitUserEnvironment should be disabled

oval:org.secpod.oval:def:84031
Record Events that Modify the System's Discretionary Access Controls - chmod. The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84076
File uploads via vsftpd should be enabled or disabled as appropriate

oval:org.secpod.oval:def:84100
The RPM package talk should be installed.

oval:org.secpod.oval:def:84074
The kernel module cramfs should be disabled.

oval:org.secpod.oval:def:84115
The default umask for all users specified in /etc/login.defs

oval:org.secpod.oval:def:84036
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84048
Forcing a reboot to change audit rules should be enabled

oval:org.secpod.oval:def:84065
Protect against unnecessary release of information.

oval:org.secpod.oval:def:84098
The squashfs Kernel Module should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84030
Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.

oval:org.secpod.oval:def:84005
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".

oval:org.secpod.oval:def:84126
The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1".

oval:org.secpod.oval:def:84146
This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:84142
The kernel module dccp should be disabled.

oval:org.secpod.oval:def:84153
The password ucredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84129
The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1".

oval:org.secpod.oval:def:84072
Logging of vsftpd transactions should be enabled or disabled as appropriate

oval:org.secpod.oval:def:84062
Specify Additional Remote chrony Servers (/etc/chrony.conf) should be configured appropriately.

oval:org.secpod.oval:def:84188
Ensure only strong Key Exchange algorithms are used

oval:org.secpod.oval:def:84051
The RPM package ypserv should be removed.

oval:org.secpod.oval:def:84154
The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.

oval:org.secpod.oval:def:84040
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84118
The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0".

oval:org.secpod.oval:def:84055
The anacron service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84102
The daemon umask should be set as appropriate

oval:org.secpod.oval:def:84017
Accepting rsyslog messages via UDP, if the system acts as a log server, should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84164
This test makes sure that the '/etc/shadow' file permission is set appropriately. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:84037
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84010
The kernel module rds should be disabled.

oval:org.secpod.oval:def:84150
Root login via SSH should be disabled (and dependencies are met)

oval:org.secpod.oval:def:84103
Core dumps for all users should be disabled

oval:org.secpod.oval:def:84060
Logging (/etc/rsyslog.conf) should be configured appropriately.

oval:org.secpod.oval:def:84050
The RPM package rsh-server should be removed.

oval:org.secpod.oval:def:84199
Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks against the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 minute), set the number based on site policy.

oval:org.secpod.oval:def:84084
Dovecot plaintext authentication of clients should be enabled or disabled as necessary

oval:org.secpod.oval:def:84130
The kernel runtime parameter "net.ipv4.conf.default.rp_filter" should be set to "1".

oval:org.secpod.oval:def:84075
Restrict Access to Anonymous Users should be configured appropriately.

oval:org.secpod.oval:def:84194
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only re ...

oval:org.secpod.oval:def:84190
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disa ...

oval:org.secpod.oval:def:84091
Ensure Default Password Is Not Used (/etc/snmp/snmpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:84169
The password hashing algorithm should be set correctly in /etc/login.defs.

oval:org.secpod.oval:def:84090
The RPM package net-snmp should be removed.

oval:org.secpod.oval:def:84043
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84101
The kernel module udf should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84116
The RPM package tmux should be installed.

oval:org.secpod.oval:def:84147
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:84032
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84171
The audit rules should be configured to log information about kernel module loading and unloading.

oval:org.secpod.oval:def:84179
The RPM package telnet-server should be removed.

oval:org.secpod.oval:def:84160
Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode.

oval:org.secpod.oval:def:84059
The RPM package dhcpd should be removed.

oval:org.secpod.oval:def:84165
The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.

oval:org.secpod.oval:def:84143
The /etc/gshadow file should be owned by the appropriate group.

oval:org.secpod.oval:def:84022
The space_left_action setting in /etc/audit/auditd.conf should be set to the required action.

oval:org.secpod.oval:def:84070
The RPM package bind should be removed.

oval:org.secpod.oval:def:84058
Disable Avahi Publishing (/etc/avahi/avahi-daemon.conf) should be configured appropriately.

oval:org.secpod.oval:def:84120
The kernel runtime parameter "net.ipv4.conf.all.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:84104
The kernel runtime parameter "fs.suid_dumpable" should be set to "0".

oval:org.secpod.oval:def:84167
The password lcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84054
The kernel module usb-storage should be disabled.

oval:org.secpod.oval:def:84111
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:84063
The RPM package sendmail should be removed.

oval:org.secpod.oval:def:84028
Record attempts to alter time through /etc/localtime

oval:org.secpod.oval:def:84185
Ensure rpcbind is not installed or the rpcbind services are masked

oval:org.secpod.oval:def:84137
The /etc/passwd file should be owned by the appropriate group.

oval:org.secpod.oval:def:84117
The kernel runtime parameter "net.ipv4.conf.default.send_redirects" should be set to "0".

oval:org.secpod.oval:def:84088
The RPM package squid should be removed.

oval:org.secpod.oval:def:84181
The system login banner text should be set correctly.

oval:org.secpod.oval:def:84168
The password minimum length should be set appropriately.

oval:org.secpod.oval:def:84029
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

oval:org.secpod.oval:def:84141
The SELinux state should be enforcing the local policy.

oval:org.secpod.oval:def:84189
While the complete removal of /etc/sshd/sshd_config files is recommended, if any are required on the system, secure permissions must be applied.

oval:org.secpod.oval:def:84093
The RPM package setroubleshoot should be installed.

oval:org.secpod.oval:def:84067
The RPM package openldap-servers should be removed.

oval:org.secpod.oval:def:84099
The RPM package talk-server should be installed.

oval:org.secpod.oval:def:84182
SSH warning banner should be enabled (and dependencies are met).

oval:org.secpod.oval:def:84172
The password retry should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84026
Record attempts to alter time through settimeofday.

oval:org.secpod.oval:def:84049
The RPM package xinetd should be removed.

oval:org.secpod.oval:def:84087
Require Samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers that support SMB packet signing.

oval:org.secpod.oval:def:84056
If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).

oval:org.secpod.oval:def:84145
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

oval:org.secpod.oval:def:84007
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:84177
This test makes sure that '/etc/gshadow' has appropriate permissions set. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:84106
Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package sho ...

oval:org.secpod.oval:def:84073
A warning banner for all FTP users should be enabled or disabled as appropriate

oval:org.secpod.oval:def:84004
Global IPv6 initialization should be disabled.

oval:org.secpod.oval:def:84123
The kernel parameter for accepting source-routed packets, by default and on all interfaces, should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84108
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:84089
The kernel module hfsplus should be disabled.

oval:org.secpod.oval:def:84023
The admin_space_left_action setting in /etc/audit/auditd.conf should be set to the required action.

oval:org.secpod.oval:def:84047
Audit actions taken by system administrators on the system.

oval:org.secpod.oval:def:84110
Set Password to Maximum of Three Consecutive Repeating Characters should be configured appropriately.

oval:org.secpod.oval:def:84112
The default umask for users of the bash shell

oval:org.secpod.oval:def:84107
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:84092
The maximum password age policy should meet minimum requirements.

oval:org.secpod.oval:def:84018
The logrotate (syslog rotater) service should be enabled.

oval:org.secpod.oval:def:86912
Without cryptographic integrity protections, information can be altered by unauthorized users without being detected. The system-wide crypto-policies followed by the crypto core components allow algorithms to be consistently deprecated and disabled system-wide.

oval:org.secpod.oval:def:84155
The minimum password age policy should be set appropriately.

oval:org.secpod.oval:def:84134
The SSH idle timeout interval should be set to an appropriate value.

oval:org.secpod.oval:def:86910
The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account if there were more than "deny" consecutive failed authentications. It stores the failure records in per-user files in the tally directory.

oval:org.secpod.oval:def:86911
A custom profile can be created by copying and customizing one of the default profiles. The default profiles include sssd, winbind, and nis. This profile can then be customized to follow site-specific requirements.

oval:org.secpod.oval:def:86906
Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcpd service be disabled to reduce the potential attack surface.

oval:org.secpod.oval:def:84133
The password warning age should be set appropriately.

oval:org.secpod.oval:def:86914
Running firewalld and iptables concurrently may lead to conflicts; therefore iptables should be stopped and masked when using firewalld.

oval:org.secpod.oval:def:86916
If there is no need to share directories and file systems with Windows systems, then the smb service can be disabled to reduce the potential attack surface.

oval:org.secpod.oval:def:84268
Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

oval:org.secpod.oval:def:86913
Without cryptographic integrity protections, information can be altered by unauthorized users without being detected. The system-wide crypto-policies followed by the crypto core components allow algorithms to be consistently deprecated and disabled system-wide.

CPE    1
cpe:/o:redhat:enterprise_linux:9
CCE    337
CCE-95504-7
CCE-95519-5
CCE-95490-9
CCE-95503-9
...
XCCDF
xccdf_org.secpod_benchmark_general_RHEL_9

© SecPod Technologies