Use Only Approved Ciphers
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in '/etc/ssh/sshd_config'
demonstrates use of FIPS-approved ciphers:
The man page 'sshd_config(5)' contains a list of supported ci ...

Disable Interactive Boot
To disable the ability for users to perform interactive startups,
edit the file '/etc/sysconfig/init'.
Add or correct the line:
The 'PROMPT' option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.

Serve Avahi Only via Required Protocol
If you are using only IPv4, edit '/etc/avahi/avahi-daemon.conf' and ensure
the following line exists in the '[server]' section:
Similarly, if you are using only IPv6, disable IPv4 sockets with the line:

Disable URL Correction on Misspelled Entries
The 'speling' module attempts to find a document match by allowing one misspelling in an
otherwise failed request. If this functionality is unnecessary, comment out the module:
'#LoadModule speling_module modules/mod_speling.so'
This functionality weakens server security by making site enumeration easier.

Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by '/etc/profile' is set properly,
add or correct the 'umask' setting in '/etc/profile' to read as follows:

Configure Certificate Directives for LDAP Use of TLS
Ensure a copy of a trusted CA certificate has been placed in
the file '/etc/pki/tls/CA/cacert.pem'. Configure LDAP to enforce TLS
use and to trust certificates signed by that CA. First, edit the file
'/etc/pam_ldap.conf', and add or correct either of the following lines:
'tls_cacertfile /etc/pki/tls/CA/cacer ...

Set Password to Maximum of Three Consecutive Repeating Characters
The pam_pwquality module's 'maxrepeat' parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the 'maxrepeat' setting
in '/etc/security/pwquality.conf' to prevent a run of (

Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum the audit system should collect file permission
changes for all users and root. If the 'auditd' daemon is configured
to use the 'augenrules' program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
'.rules' in the directory '/etc/audit/rules.d':