Download
| Alert*
|
CCE-95060-0
The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ... CCE-95100-4 SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure. Rationale: SSH v1 suffers from insecurities that do not affect SSH v2. Fix: Edit the /etc/ssh/sshd_config file to set the param ... CCE-95046-9 The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. * retr ... CCE-95047-7 This setting disables the systems ability to accept router advertisements Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trus ... CCE-95023-8 The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non ... CCE-95089-9 The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ... CCE-95028-7 The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking pro ... CCE-95009-7 The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root. Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- priliveged users, but needs to be readable as this informati ... CCE-95065-9 The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root. UID - User Identifier is a number assigned by Linux to each user on the system. This number is used to identify the ... CCE-95007-1 The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root. UID - User Identifier is a number assigned by Linux to each user on the system. This number is used to identify the user to the ... CCE-95015-4 The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Groups in Linux are defined by GIDs (group IDs). Just like with UIDs, the first 100 GIDs are usually reserved for system use. The ... CCE-99402-2 Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will ... |
