1: <?xml version="1.0" encoding="UTF-8"?>
2: <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap-fedora14-xccdf.xml" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="1" xml:lang="en">
3: <status date="2010-09-11">draft</status>
4: <title xml:lang="en">Guide to the Secure Configuration of Fedora Linux</title>
5: <description xml:lang="en">This guide has been created to assist IT professionals in effectively securing systems running Fedora Linux.</description>
6: <version>0.6.3</version>
7: <model system="urn:xccdf:scoring:default"/>
8: <model system="urn:xccdf:scoring:flat"/>
9: <Profile id="F14-Desktop">
10: <title xml:lang="en">Fedora 14 desktop settings</title>
11: <description xml:lang="en">This profile selects the security controls that match the default Fedora 14 desktop configuration. Rules marked selected="false" are not evaluated under this profile, so refine-value settings that belong to unselected rules (for example the password-quality minlen/credit values under var-2.3.3.1.1.a and the lockout deny/unlock_time values under var-2.3.3.2.a) take effect only if the corresponding rule is selected.</description>
12: <select idref="rule-2.1.1.1.1.a" selected="false"/>
13: <select idref="rule-2.1.1.1.1.b" selected="false"/>
14: <select idref="rule-2.1.1.1.2.a" selected="false"/>
15: <select idref="rule-2.1.1.1.2.b" selected="false"/>
16: <select idref="rule-2.1.1.1.3.a" selected="false"/>
17: <select idref="rule-2.1.1.1.4.a" selected="false"/>
18: <select idref="rule-2.1.1.1.5.a" selected="false"/>
19: <select idref="rule-2.1.2.1.1.a" selected="true"/>
20: <select idref="rule-2.1.2.3.2.a" selected="false"/>
21: <select idref="rule-2.1.2.3.2.b" selected="false"/>
22: <select idref="rule-2.1.2.3.3.a" selected="true"/>
23: <select idref="rule-2.1.2.3.4.a" selected="true"/>
24: <select idref="rule-2.1.2.3.5.a" selected="false"/>
25: <select idref="rule-2.1.2.3.6.a" selected="true"/>
26: <select idref="rule-2.1.3.1.1.a" selected="false"/>
27: <select idref="rule-2.1.3.1.4.a" selected="false"/>
28: <select idref="rule-2.1.3.2.a" selected="false"/>
29: <select idref="rule-2.2.1.1.a" selected="false"/>
30: <select idref="rule-2.2.1.2.a" selected="false"/>
31: <select idref="rule-2.2.1.2.b" selected="false"/>
32: <select idref="rule-2.2.1.2.c" selected="false"/>
33: <select idref="rule-2.2.2.1.1.a" selected="false"/>
34: <select idref="rule-2.2.2.1.2.a" selected="false"/>
35: <select idref="rule-2.2.2.1.3.a" selected="false"/>
36: <select idref="rule-2.2.2.1.4.a" selected="false"/>
37: <select idref="rule-2.2.2.2.a" selected="false"/>
38: <select idref="rule-2.2.2.3.a" selected="false"/>
39: <select idref="rule-2.2.2.4.a" selected="false"/>
40: <select idref="rule-2.2.2.4.b" selected="false"/>
41: <select idref="rule-2.2.2.4.c" selected="false"/>
42: <select idref="rule-2.2.2.4.d" selected="false"/>
43: <select idref="rule-2.2.2.4.e" selected="false"/>
44: <select idref="rule-2.2.2.4.f" selected="false"/>
45: <select idref="rule-2.2.2.4.g" selected="false"/>
46: <select idref="rule-2.2.3.1.a" selected="true"/>
47: <select idref="rule-2.2.3.1.b" selected="true"/>
48: <select idref="rule-2.2.3.1.c" selected="true"/>
49: <select idref="rule-2.2.3.1.d" selected="true"/>
50: <select idref="rule-2.2.3.1.e" selected="true"/>
51: <select idref="rule-2.2.3.1.f" selected="true"/>
52: <select idref="rule-2.2.3.1.g" selected="true"/>
53: <select idref="rule-2.2.3.1.h" selected="true"/>
54: <select idref="rule-2.2.3.1.i" selected="true"/>
55: <select idref="rule-2.2.3.1.j" selected="true"/>
56: <select idref="rule-2.2.3.1.k" selected="true"/>
57: <select idref="rule-2.2.3.1.l" selected="true"/>
58: <select idref="rule-2.2.3.2.a" selected="true"/>
59: <select idref="rule-2.2.3.3.a" selected="true"/>
60: <select idref="rule-2.2.3.4.a" selected="true"/>
61: <select idref="rule-2.2.3.4.b" selected="true"/>
62: <select idref="rule-2.2.3.5.a" selected="true"/>
63: <select idref="rule-2.2.3.5.b" selected="true"/>
64: <select idref="rule-2.2.3.6.a" selected="true"/>
65: <select idref="rule-2.2.4.1.a" selected="true"/>
66: <select idref="rule-2.2.4.2.a" selected="false"/>
67: <select idref="rule-2.2.4.2.b" selected="true"/>
68: <select idref="rule-2.2.4.3.a" selected="true"/>
69: <select idref="rule-2.2.4.3.b" selected="true"/>
70: <select idref="rule-2.2.4.4.2.a" selected="false"/>
71: <select idref="rule-2.3.1.1.a" selected="false"/>
72: <select idref="rule-2.3.1.1.b" selected="false"/>
73: <select idref="rule-2.3.1.1.c" selected="false"/>
74: <select idref="rule-2.3.1.1.d" selected="true"/>
75: <select idref="rule-2.3.1.2.a" selected="false"/>
76: <select idref="rule-2.3.1.2.b" selected="false"/>
77: <select idref="rule-2.3.1.3.a" selected="false"/>
78: <select idref="rule-2.3.1.4.a" selected="false"/>
79: <select idref="rule-2.3.1.5.1.a" selected="true"/>
80: <select idref="rule-2.3.1.5.2.a" selected="true"/>
81: <select idref="rule-2.3.1.6.a" selected="true"/>
82: <select idref="rule-2.3.1.7.a" selected="true"/>
83: <select idref="rule-2.3.1.7.b" selected="false"/>
84: <select idref="rule-2.3.1.7.c" selected="false"/>
85: <select idref="rule-2.3.1.7.d" selected="true"/>
86: <select idref="rule-2.3.1.8.a" selected="false"/>
87: <select idref="rule-2.3.1.8.b" selected="false"/>
88: <select idref="rule-2.3.1.8.c" selected="false"/>
89: <select idref="rule-2.3.3.1.1.a" selected="false"/>
90: <select idref="rule-2.3.3.1.2.a" selected="false"/>
91: <select idref="rule-2.3.3.2.a" selected="false"/>
92: <select idref="rule-2.3.3.2.b" selected="false"/>
93: <select idref="rule-2.3.3.4.a" selected="false"/>
94: <select idref="rule-2.3.3.4.b" selected="false"/>
95: <select idref="rule-2.3.3.5.a" selected="true"/>
96: <select idref="rule-2.3.3.6.a" selected="false"/>
97: <select idref="rule-2.3.4.1.a" selected="true"/>
98: <select idref="rule-2.3.4.1.b" selected="true"/>
99: <select idref="rule-2.3.4.2.a" selected="true"/>
100: <select idref="rule-2.3.4.4.a" selected="true"/>
101: <select idref="rule-2.3.4.4.b" selected="true"/>
102: <select idref="rule-2.3.4.5.a" selected="false"/>
103: <select idref="rule-2.3.5.2.a" selected="true"/>
104: <select idref="rule-2.3.5.2.b" selected="true"/>
105: <select idref="rule-2.3.5.2.c" selected="true"/>
106: <select idref="rule-2.3.5.2.d" selected="false"/>
107: <select idref="rule-2.3.5.3.a" selected="false"/>
108: <select idref="rule-2.3.5.4.a" selected="false"/>
109: <select idref="rule-2.3.5.5.a" selected="false"/>
110: <select idref="rule-2.3.5.5.b" selected="false"/>
111: <select idref="rule-2.3.5.6.1.a" selected="false"/>
112: <select idref="rule-2.3.5.6.1.b" selected="false"/>
113: <select idref="rule-2.3.5.6.1.c" selected="false"/>
114: <select idref="rule-2.3.5.6.1.d" selected="false"/>
115: <select idref="rule-2.3.5.6.2.a" selected="false"/>
116: <select idref="rule-2.3.7.1.a" selected="false"/>
117: <select idref="rule-2.3.7.2.a" selected="false"/>
118: <select idref="rule-2.4.2.a" selected="true"/>
119: <select idref="rule-2.4.2.b" selected="false"/>
120: <select idref="rule-2.4.2.c" selected="true"/>
121: <select idref="rule-2.4.2.d" selected="true"/>
122: <select idref="rule-2.4.2.1.a" selected="false"/>
123: <select idref="rule-2.4.3.2.a" selected="false"/>
124: <select idref="rule-2.4.3.3.a" selected="false"/>
125: <select idref="rule-2.4.5.a" selected="false"/>
126: <select idref="rule-2.5.1.1.a" selected="false"/>
127: <select idref="rule-2.5.1.1.b" selected="false"/>
128: <select idref="rule-2.5.1.1.c" selected="false"/>
129: <select idref="rule-2.5.1.2.a" selected="false"/>
130: <select idref="rule-2.5.1.2.b" selected="false"/>
131: <select idref="rule-2.5.1.2.c" selected="false"/>
132: <select idref="rule-2.5.1.2.d" selected="false"/>
133: <select idref="rule-2.5.1.2.e" selected="false"/>
134: <select idref="rule-2.5.1.2.f" selected="false"/>
135: <select idref="rule-2.5.1.2.g" selected="false"/>
136: <select idref="rule-2.5.1.2.h" selected="false"/>
137: <select idref="rule-2.5.1.2.i" selected="false"/>
138: <select idref="rule-2.5.1.2.j" selected="false"/>
139: <select idref="rule-2.5.1.2.k" selected="false"/>
140: <select idref="rule-2.5.1.2.l" selected="false"/>
141: <select idref="rule-2.5.2.2.1.a" selected="false"/>
142: <select idref="rule-2.5.2.2.2.a" selected="false"/>
143: <select idref="rule-2.5.2.2.3.a" selected="false"/>
144: <select idref="rule-2.5.3.1.1.a" selected="false"/>
145: <select idref="rule-2.5.3.1.2.a" selected="false"/>
146: <select idref="rule-2.5.3.1.2.b" selected="false"/>
147: <select idref="rule-2.5.3.1.2.c" selected="false"/>
148: <select idref="rule-2.5.3.2.1.a" selected="false"/>
149: <select idref="rule-2.5.3.2.1.b" selected="false"/>
150: <select idref="rule-2.5.3.2.1.c" selected="false"/>
151: <select idref="rule-2.5.3.2.1.d" selected="false"/>
152: <select idref="rule-2.5.3.2.3.a" selected="false"/>
153: <select idref="rule-2.5.3.2.5.a" selected="false"/>
154: <select idref="rule-2.5.3.2.5.b" selected="false"/>
155: <select idref="rule-2.5.3.2.5.c" selected="false"/>
156: <select idref="rule-2.5.3.2.5.d" selected="false"/>
157: <select idref="rule-2.5.3.2.5.e" selected="false"/>
158: <select idref="rule-2.5.3.2.5.f" selected="false"/>
159: <select idref="rule-2.5.3.2.5.g" selected="false"/>
160: <select idref="rule-2.5.5.1.a" selected="true"/>
161: <select idref="rule-2.5.5.1.b" selected="true"/>
162: <select idref="rule-2.5.5.3.1.a" selected="false"/>
163: <select idref="rule-2.5.5.3.1.b" selected="false"/>
164: <select idref="rule-2.5.7.1.a" selected="false"/>
165: <select idref="rule-2.5.7.2.a" selected="false"/>
166: <select idref="rule-2.5.7.3.a" selected="false"/>
167: <select idref="rule-2.5.7.4.a" selected="false"/>
168: <select idref="rule-2.6.1.a" selected="true"/>
169: <select idref="rule-2.6.1.2.a" selected="true"/>
170: <select idref="rule-2.6.1.2.b" selected="true"/>
171: <select idref="rule-2.6.1.2.c" selected="true"/>
172: <select idref="rule-2.6.1.3.a" selected="false"/>
173: <select idref="rule-2.6.1.4.a" selected="false"/>
174: <select idref="rule-2.6.1.5.a" selected="false"/>
175: <select idref="rule-2.6.1.6.a" selected="false"/>
176: <select idref="rule-2.6.2.1.a" selected="true"/>
177: <select idref="rule-2.6.2.3.a" selected="false"/>
178: <select idref="rule-2.6.2.4.1.a" selected="false"/>
179: <select idref="rule-2.6.2.4.2.a" selected="false"/>
180: <select idref="rule-2.6.2.4.3.a" selected="false"/>
181: <select idref="rule-2.6.2.4.4.a" selected="false"/>
182: <select idref="rule-2.6.2.4.5.a" selected="false"/>
183: <select idref="rule-2.6.2.4.6.a" selected="false"/>
184: <select idref="rule-2.6.2.4.7.a" selected="false"/>
185: <select idref="rule-2.6.2.4.8.a" selected="false"/>
186: <select idref="rule-2.6.2.4.9.a" selected="false"/>
187: <select idref="rule-2.6.2.4.10.a" selected="false"/>
188: <select idref="rule-2.6.2.4.11.a" selected="false"/>
189: <select idref="rule-2.6.2.4.12.a" selected="false"/>
190: <select idref="rule-2.6.2.4.13.a" selected="false"/>
191: <select idref="rule-2.6.2.4.14.a" selected="false"/>
192: <select idref="rule-3.2.1.a" selected="false"/>
193: <select idref="rule-3.2.1.b" selected="false"/>
194: <select idref="rule-3.2.1.c" selected="false"/>
195: <select idref="rule-3.2.1.d" selected="false"/>
196: <select idref="rule-3.2.2.a" selected="false"/>
197: <select idref="rule-3.2.2.b" selected="false"/>
198: <select idref="rule-3.2.2.1.a" selected="false"/>
199: <select idref="rule-3.2.2.1.b" selected="false"/>
200: <select idref="rule-3.2.3.1.a" selected="false"/>
201: <select idref="rule-3.2.3.1.b" selected="false"/>
202: <select idref="rule-3.2.3.1.c" selected="false"/>
203: <select idref="rule-3.2.3.1.d" selected="false"/>
204: <select idref="rule-3.2.3.2.a" selected="false"/>
205: <select idref="rule-3.2.3.3.a" selected="false"/>
206: <select idref="rule-3.2.4.a" selected="false"/>
207: <select idref="rule-3.2.4.b" selected="false"/>
208: <select idref="rule-3.2.5.a" selected="false"/>
209: <select idref="rule-3.2.5.b" selected="false"/>
210: <select idref="rule-3.3.1.a" selected="false"/>
211: <select idref="rule-3.3.2.a" selected="false"/>
212: <select idref="rule-3.3.3.a" selected="false"/>
213: <select idref="rule-3.3.4.a" selected="false"/>
214: <select idref="rule-3.3.5.a" selected="false"/>
215: <select idref="rule-3.3.6.a" selected="false"/>
216: <select idref="rule-3.3.7.a" selected="false"/>
217: <select idref="rule-3.3.8.a" selected="false"/>
218: <select idref="rule-3.3.9.1.a" selected="false"/>
219: <select idref="rule-3.3.9.2.a" selected="false"/>
220: <select idref="rule-3.3.9.3.a" selected="false"/>
221: <select idref="rule-3.3.10.a" selected="false"/>
222: <select idref="rule-3.3.11.a" selected="false"/>
223: <select idref="rule-3.3.12.a" selected="false"/>
224: <select idref="rule-3.3.12.b" selected="false"/>
225: <select idref="rule-3.3.13.1.a" selected="false"/>
226: <select idref="rule-3.3.13.2.a" selected="false"/>
227: <select idref="rule-3.3.14.1.a" selected="false"/>
228: <select idref="rule-3.3.14.2.a" selected="false"/>
229: <select idref="rule-3.3.14.3.a" selected="false"/>
230: <select idref="rule-3.3.15.1.a" selected="false"/>
231: <select idref="rule-3.3.15.2.a" selected="false"/>
232: <select idref="rule-3.3.15.3.a" selected="false"/>
233: <select idref="rule-3.4.a" selected="false"/>
234: <select idref="rule-3.4.1.a" selected="false"/>
235: <select idref="rule-3.4.1.b" selected="false"/>
236: <select idref="rule-3.4.2.1.a" selected="true"/>
237: <select idref="rule-3.4.2.1.b" selected="true"/>
238: <select idref="rule-3.4.2.1.c" selected="true"/>
239: <select idref="rule-3.4.2.2.a" selected="true"/>
240: <select idref="rule-3.4.2.2.b" selected="true"/>
241: <select idref="rule-3.4.2.2.c" selected="true"/>
242: <select idref="rule-3.4.2.3.a" selected="true"/>
243: <select idref="rule-3.4.2.3.b" selected="true"/>
244: <select idref="rule-3.4.2.3.c" selected="true"/>
245: <select idref="rule-3.4.2.3.d" selected="true"/>
246: <select idref="rule-3.4.2.3.e" selected="true"/>
247: <select idref="rule-3.4.2.3.f" selected="true"/>
248: <select idref="rule-3.4.2.3.g" selected="true"/>
249: <select idref="rule-3.4.2.3.h" selected="true"/>
250: <select idref="rule-3.4.2.3.i" selected="true"/>
251: <select idref="rule-3.4.2.3.j" selected="true"/>
252: <select idref="rule-3.4.2.3.k" selected="true"/>
253: <select idref="rule-3.4.2.3.l" selected="true"/>
254: <select idref="rule-3.4.2.3.m" selected="true"/>
255: <select idref="rule-3.4.2.3.n" selected="true"/>
256: <select idref="rule-3.4.2.3.o" selected="true"/>
257: <select idref="rule-3.4.2.4.a" selected="true"/>
258: <select idref="rule-3.4.2.4.b" selected="true"/>
259: <select idref="rule-3.4.2.4.c" selected="true"/>
260: <select idref="rule-3.4.3.a" selected="false"/>
261: <select idref="rule-3.4.3.b" selected="false"/>
262: <select idref="rule-3.4.4.a" selected="false"/>
263: <select idref="rule-3.4.4.b" selected="false"/>
264: <select idref="rule-3.5.1.1.a" selected="false"/>
265: <select idref="rule-3.5.1.1.b" selected="false"/>
266: <select idref="rule-3.5.1.2.a" selected="false"/>
267: <select idref="rule-3.5.1.2.b" selected="false"/>
268: <select idref="rule-3.5.2.1.a" selected="false"/>
269: <select idref="rule-3.5.2.3.a" selected="false"/>
270: <select idref="rule-3.5.2.3.b" selected="false"/>
271: <select idref="rule-3.5.2.4.a" selected="false"/>
272: <select idref="rule-3.5.2.5.a" selected="false"/>
273: <select idref="rule-3.5.2.6.a" selected="false"/>
274: <select idref="rule-3.5.2.7.a" selected="false"/>
275: <select idref="rule-3.5.2.8.a" selected="false"/>
276: <select idref="rule-3.5.2.9.a" selected="false"/>
277: <select idref="rule-3.5.2.10.a" selected="false"/>
278: <select idref="rule-3.6.1.1.a" selected="false"/>
279: <select idref="rule-3.6.1.2.a" selected="false"/>
280: <select idref="rule-3.6.1.3.2.a" selected="false"/>
281: <select idref="rule-3.6.2.1.a" selected="false"/>
282: <select idref="rule-3.7.1.1.a" selected="false"/>
283: <select idref="rule-3.7.2.1.a" selected="false"/>
284: <select idref="rule-3.7.2.1.b" selected="false"/>
285: <select idref="rule-3.7.2.2.a" selected="false"/>
286: <select idref="rule-3.7.2.3.a" selected="false"/>
287: <select idref="rule-3.7.2.4.a" selected="false"/>
288: <select idref="rule-3.7.2.5.a" selected="false"/>
289: <select idref="rule-3.7.2.5.b" selected="false"/>
290: <select idref="rule-3.7.2.5.c" selected="false"/>
291: <select idref="rule-3.7.2.5.d" selected="false"/>
292: <select idref="rule-3.7.2.5.e" selected="false"/>
293: <select idref="rule-3.8.1.a" selected="false"/>
294: <select idref="rule-3.8.2.a" selected="false"/>
295: <select idref="rule-3.8.2.b" selected="false"/>
296: <select idref="rule-3.8.3.1.1.a" selected="false"/>
297: <select idref="rule-3.8.3.1.1.b" selected="false"/>
298: <select idref="rule-3.8.4.1.a" selected="false"/>
299: <select idref="rule-3.9.1.a" selected="false"/>
300: <select idref="rule-3.9.3.a" selected="false"/>
301: <select idref="rule-3.9.3.b" selected="false"/>
302: <select idref="rule-3.9.4.1.a" selected="false"/>
303: <select idref="rule-3.9.4.2.a" selected="false"/>
304: <select idref="rule-3.9.4.3.a" selected="false"/>
305: <select idref="rule-3.9.4.4.a" selected="false"/>
306: <select idref="rule-3.9.4.4.b" selected="false"/>
307: <select idref="rule-3.9.4.4.c" selected="false"/>
308: <select idref="rule-3.9.4.4.d" selected="false"/>
309: <select idref="rule-3.9.4.4.e" selected="false"/>
310: <select idref="rule-3.9.4.4.f" selected="false"/>
311: <select idref="rule-3.9.4.4.g" selected="false"/>
312: <select idref="rule-3.9.4.5.a" selected="false"/>
313: <select idref="rule-3.10.2.2.1.a" selected="false"/>
314: <select idref="rule-3.10.2.2.2.a" selected="false"/>
315: <select idref="rule-3.10.2.2.3.a" selected="false"/>
316: <select idref="rule-3.10.3.1.a" selected="false"/>
317: <select idref="rule-3.10.3.2.1.a" selected="false"/>
318: <select idref="rule-3.10.3.2.2.a" selected="false"/>
319: <select idref="rule-3.11.2.1.a" selected="false"/>
320: <select idref="rule-3.12.2.2.a" selected="false"/>
321: <select idref="rule-3.12.3.1.a" selected="false"/>
322: <select idref="rule-3.13.1.1.a" selected="false"/>
323: <select idref="rule-3.13.1.1.b" selected="false"/>
324: <select idref="rule-3.13.1.1.c" selected="false"/>
325: <select idref="rule-3.13.1.2.a" selected="false"/>
326: <select idref="rule-3.13.2.3.a" selected="false"/>
327: <select idref="rule-3.13.2.3.b" selected="false"/>
328: <select idref="rule-3.13.2.3.c" selected="false"/>
329: <select idref="rule-3.13.2.3.d" selected="false"/>
330: <select idref="rule-3.13.2.3.e" selected="false"/>
331: <select idref="rule-3.13.2.3.f" selected="false"/>
332: <select idref="rule-3.13.3.1.a" selected="false"/>
333: <select idref="rule-3.13.3.1.b" selected="false"/>
334: <select idref="rule-3.13.3.2.a" selected="false"/>
335: <select idref="rule-3.13.3.2.b" selected="false"/>
336: <select idref="rule-3.13.3.2.c" selected="false"/>
337: <select idref="rule-3.13.4.1.2.a" selected="false"/>
338: <select idref="rule-3.13.4.1.3.a" selected="false"/>
339: <select idref="rule-3.13.4.1.4.a" selected="false"/>
340: <select idref="rule-3.14.1.a" selected="false"/>
341: <select idref="rule-3.14.1.b" selected="false"/>
342: <select idref="rule-3.14.3.2.a" selected="false"/>
343: <select idref="rule-3.14.3.2.b" selected="false"/>
344: <select idref="rule-3.14.3.2.c" selected="false"/>
345: <select idref="rule-3.14.4.5.a" selected="false"/>
346: <select idref="rule-3.15.1.a" selected="false"/>
347: <select idref="rule-3.15.1.b" selected="false"/>
348: <select idref="rule-3.15.3.1.a" selected="false"/>
349: <select idref="rule-3.15.3.2.a" selected="false"/>
350: <select idref="rule-3.15.3.3.1.a" selected="false"/>
351: <select idref="rule-3.15.3.4.a" selected="false"/>
352: <select idref="rule-3.16.1.a" selected="false"/>
353: <select idref="rule-3.16.1.b" selected="false"/>
354: <select idref="rule-3.16.3.1.a" selected="false"/>
355: <select idref="rule-3.16.3.1.b" selected="false"/>
356: <select idref="rule-3.16.5.1.a" selected="false"/>
357: <select idref="rule-3.16.5.1.b" selected="false"/>
358: <select idref="rule-3.16.5.1.c" selected="false"/>
359: <select idref="rule-3.16.5.1.d" selected="false"/>
360: <select idref="rule-3.16.5.1.e" selected="false"/>
361: <select idref="rule-3.17.1.a" selected="false"/>
362: <select idref="rule-3.17.1.b" selected="false"/>
363: <select idref="rule-3.17.2.1.a" selected="false"/>
364: <select idref="rule-3.17.2.1.b" selected="false"/>
365: <select idref="rule-3.17.2.1.c" selected="false"/>
366: <select idref="rule-3.17.2.1.d" selected="false"/>
367: <select idref="rule-3.17.2.2.4.a" selected="false"/>
368: <select idref="rule-3.17.2.3.a" selected="false"/>
369: <select idref="rule-3.17.2.3.b" selected="false"/>
370: <select idref="rule-3.18.1.a" selected="false"/>
371: <select idref="rule-3.18.2.3.a" selected="false"/>
372: <select idref="rule-3.18.2.10.a" selected="false"/>
373: <select idref="rule-3.18.2.11.a" selected="false"/>
374: <select idref="rule-3.19.1.a" selected="false"/>
375: <select idref="rule-3.19.1.b" selected="false"/>
376: <select idref="rule-3.19.2.2.a" selected="false"/>
377: <select idref="rule-3.19.2.2.b" selected="false"/>
378: <select idref="rule-3.19.2.2.c" selected="false"/>
379: <select idref="rule-3.19.2.2.d" selected="false"/>
380: <select idref="rule-3.19.2.2.e" selected="false"/>
381: <select idref="rule-3.19.2.2.f" selected="false"/>
382: <select idref="rule-3.19.2.2.g" selected="false"/>
383: <select idref="rule-3.19.2.2.h" selected="false"/>
384: <select idref="rule-3.19.2.3.a" selected="false"/>
385: <select idref="rule-3.19.2.3.b" selected="false"/>
386: <select idref="rule-3.19.2.3.c" selected="false"/>
387: <select idref="rule-3.19.2.3.d" selected="false"/>
388: <select idref="rule-3.19.2.5.a" selected="false"/>
389: <select idref="rule-3.19.2.5.b" selected="false"/>
390: <select idref="rule-3.19.2.5.c" selected="false"/>
391: <select idref="rule-3.19.2.5.d" selected="false"/>
392: <select idref="rule-3.19.2.5.e" selected="false"/>
393: <select idref="rule-3.19.2.5.f" selected="false"/>
394: <select idref="rule-3.19.2.5.g" selected="false"/>
395: <select idref="rule-3.19.2.5.h" selected="false"/>
396: <select idref="rule-3.19.2.5.i" selected="false"/>
397: <select idref="rule-3.19.2.5.j" selected="false"/>
398: <select idref="rule-3.20.1.a" selected="false"/>
399: <select idref="rule-3.20.1.b" selected="false"/>
400: <refine-value idref="var-2.2.3.1.i" selector="000"/>
401: <refine-value idref="var-2.2.3.1.j" selector="644"/>
402: <refine-value idref="var-2.2.3.1.k" selector="000"/>
403: <refine-value idref="var-2.2.3.1.l" selector="644"/>
404: <refine-value idref="var-2.2.4.1.a" selector="022"/>
405: <refine-value idref="var-2.3.1.7.a" selector="5"/>
406: <refine-value idref="var-2.3.1.7.b" selector="1_day"/>
407: <refine-value idref="var-2.3.1.7.c" selector="60_days"/>
408: <refine-value idref="var-2.3.1.7.d" selector="7_days"/>
409: <refine-value idref="var-2.3.3.1.1.a.retry" selector="3"/>
410: <refine-value idref="var-2.3.3.1.1.a.minlen" selector="14"/>
411: <refine-value idref="var-2.3.3.1.1.a.dcredit" selector="2"/>
412: <refine-value idref="var-2.3.3.1.1.a.ucredit" selector="2"/>
413: <refine-value idref="var-2.3.3.1.1.a.ocredit" selector="2"/>
414: <refine-value idref="var-2.3.3.1.1.a.lcredit" selector="2"/>
415: <refine-value idref="var-2.3.3.1.1.a.difok" selector="3"/>
416: <refine-value idref="var-2.3.3.2.a.deny" selector="3"/>
417: <refine-value idref="var-2.3.3.2.a.lock_time" selector="3"/>
418: <refine-value idref="var-2.3.3.2.a.unlock_time" selector="none"/>
419: <refine-value idref="var-2.3.3.4.a" selector="usergroup"/>
420: <refine-value idref="var-2.3.3.4.b" selector="4710"/>
421: <refine-value idref="var-2.3.3.5.a" selector="SHA-512"/>
422: <refine-value idref="var-2.3.3.6.a" selector="5"/>
423: <refine-value idref="var-2.3.4.4" selector="002"/>
424: <refine-value idref="var-2.3.5.2.a" selector="root"/>
425: <refine-value idref="var-2.3.5.2.b" selector="root"/>
426: <refine-value idref="var-2.3.5.2.c" selector="600"/>
427: <refine-value idref="var-2.3.5.5" selector="15_minutes"/>
428: <refine-value idref="var-2.3.7" selector="Empty_text"/>
429: <refine-value idref="var-2.4.2.c" selector="enforcing"/>
430: <refine-value idref="var-2.4.2.d" selector="targeted"/>
431: <refine-value idref="var-2.5.1.2.a" selector="disabled"/>
432: <refine-value idref="var-2.5.1.2.b" selector="disabled"/>
433: <refine-value idref="var-2.5.1.2.c" selector="disabled"/>
434: <refine-value idref="var-2.5.1.2.d" selector="enabled"/>
435: <refine-value idref="var-2.5.1.2.e" selector="disabled"/>
436: <refine-value idref="var-2.5.1.2.f" selector="disabled"/>
437: <refine-value idref="var-2.5.1.2.g" selector="disabled"/>
438: <refine-value idref="var-2.5.1.2.h" selector="enabled"/>
439: <refine-value idref="var-2.5.1.2.i" selector="enabled"/>
440: <refine-value idref="var-2.5.1.2.j" selector="enabled"/>
441: <refine-value idref="var-2.5.1.2.k" selector="enabled"/>
442: <refine-value idref="var-2.5.3.2.1.b" selector="disabled"/>
443: <refine-value idref="var-2.5.3.2.1.c" selector="disabled"/>
444: <refine-value idref="var-2.5.1.2.l" selector="enabled"/>
445: <refine-value idref="var-2.6.1.2.a" selector="root"/>
446: <refine-value idref="var-2.6.1.2.b" selector="root"/>
447: <refine-value idref="var-2.6.1.2.c" selector="600"/>
448: <refine-value idref="var-3.4.2.system.crontab.primary.group" selector="root"/>
449: <refine-value idref="var-3.4.2.system.crontab.primary.user" selector="root"/>
450: <refine-value idref="var-3.4.2.system.crontab.primary.permissions" selector="644"/>
451: <refine-value idref="var-3.4.2.system.anacrontab.group" selector="root"/>
452: <refine-value idref="var-3.4.2.system.anacrontab.user" selector="root"/>
453: <refine-value idref="var-3.4.2.system.anacrontab.permissions" selector="644"/>
454: <refine-value idref="var-3.4.2.system.crontab.directories.group" selector="root"/>
455: <refine-value idref="var-3.4.2.system.crontab.directories.user" selector="root"/>
456: <refine-value idref="var-3.4.2.system.crontab.directories.permissions" selector="755"/>
457: <refine-value idref="var-3.5.2.3.a" selector="5_minutes"/>
458: <refine-value idref="var-3.5.2.3.b" selector="0"/>
459: <refine-value idref="var-3.4.2.spool.directory.group" selector="root"/>
460: <refine-value idref="var-3.4.2.spool.directory.user" selector="root"/>
461: <refine-value idref="var-3.4.2.spool.directory.permissions" selector="700"/>
462: </Profile>
463: <Group id="group-1" hidden="false">
464: <title xml:lang="en">Introduction</title>
465: <description xml:lang="en">
466: The purpose of this guide is to provide security configuration
467: recommendations for Fedora Linux. Recommended settings for the basic
468: operating system are provided, as well as for many commonly-used services
469: that the system can host in a network environment.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
470: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
471: The guide is intended for system administrators. Readers are
472: assumed to possess basic system administration skills for Unix-like systems, as well as some
473: familiarity with Red Hat's documentation and administration conventions. Some instructions
474: within this guide are complex. All directions should be followed completely and with
475: understanding of their effects in order to avoid serious adverse effects on the system and its
476: security.
477: </description>
478: <Group id="group-1.1" hidden="false">
479: <title xml:lang="en">General Principles</title>
480: <description xml:lang="en">
481: The following general principles motivate much of the advice in
482: this guide and should also influence any configuration decisions that are not explicitly
483: covered.</description>
484: <Group id="group-1.1.1" hidden="false" weight="1.000000">
485: <title xml:lang="en">Encrypt Transmitted Data Whenever Possible</title>
486: <description xml:lang="en">
487: Data transmitted over a network, whether wired or wireless, is
488: susceptible to passive monitoring. Whenever practical solutions for encrypting such data
489: exist, they should be applied. Even if data is expected to be transmitted only over a
490: local network, it should still be encrypted. Encrypting authentication data, such as
491: passwords, is particularly important. Networks of machines can and should be
492: configured so that no unencrypted authentication data is ever transmitted between
493: machines.</description>
494: </Group>
495: <Group id="group-1.1.2" hidden="false">
496: <title xml:lang="en">Minimize Software to Minimize Vulnerability</title>
497: <description xml:lang="en">
498: The simplest way to avoid vulnerabilities in software is to avoid
499: installing that software. The RPM Package Manager allows for careful management of the
500: set of software packages installed on a system. Installed software contributes to system
501: vulnerability in several ways. Packages that include setuid programs may provide local
502: attackers a potential path to privilege escalation. Packages that include network services
503: may give this opportunity to network-based attackers. Packages that include programs
504: which are predictably executed by local users (e.g. after graphical login) may provide
505: opportunities for trojan horses or other attack code to be run undetected. The set of
506: software packages installed on a system can almost always be pruned significantly, to include only
507: the software for which there is an environmental or operational need.</description>
508: </Group>
509: <Group id="group-1.1.3" hidden="false">
510: <title xml:lang="en">Run Different Network Services on Separate Systems</title>
511: <description xml:lang="en">
512: Whenever possible, a server should be dedicated to serving
513: exactly one network service. This limits the number of other services that can be
514: compromised in the event that an attacker is able to successfully exploit a software flaw
515: in one network service.</description>
516: </Group>
517: <Group id="group-1.1.4" hidden="false">
518: <title xml:lang="en">Configure Security Tools to Improve System Robustness</title>
519: <description xml:lang="en">
520: Several tools exist which can be used effectively to improve a
521: system's resistance to, and detection of, unknown attacks. These tools can improve
522: robustness against attack at the cost of relatively little configuration effort. In
523: particular, this guide recommends and discusses the use of iptables for host-based
524: firewalling, SELinux for confining vulnerable services, and a logging and
525: auditing infrastructure for detecting problems.</description>
526: </Group>
527: <Group id="group-1.1.5" hidden="false">
528: <title xml:lang="en">Least Privilege</title>
529: <description xml:lang="en">
530: Grant user accounts and software only the least privilege
531: necessary to perform their tasks. For example, allow sudo only for those users
532: who genuinely need administrator access. Another example is to limit logins on server
533: systems to only those administrators who need to log into them in order to perform
534: administration tasks. Using SELinux also follows the principle of least privilege:
535: SELinux policy can confine software to perform only those actions on the system that are
536: specifically allowed. This can be far more restrictive than the actions permitted
537: by the traditional Unix permissions model.</description>
538: </Group>
539: </Group>
540: <Group id="group-1.2" hidden="false">
541: <title xml:lang="en">How to Use This Guide</title>
542: <description xml:lang="en">Readers should heed the following points when using the guide.</description>
543: <Group id="group-1.2.1" hidden="false">
544: <title xml:lang="en">Read Sections Completely and in Order</title>
545: <description xml:lang="en">
546: Each section may build on information and recommendations
547: discussed in prior sections. Each section should be read and understood completely;
548: instructions should never be blindly applied. Relevant discussion will occur after
549: instructions for an action. The system-level configuration guidance in Chapter 2 must be
550: applied to all machines. The guidance for individual services in Chapter 3 must be
551: considered for all machines as well: apply the guidance if the machine is either a server
552: or a client for that service, and ensure that the service is disabled according to the
553: instructions provided if the machine is neither a server nor a client.</description>
554: </Group>
555: <Group id="group-1.2.2" hidden="false">
556: <title xml:lang="en">Test in Non-Production Environment</title>
557: <description xml:lang="en">
558: This guidance should always be tested in a non-production
559: environment before deployment. This test environment should simulate the setup in which
560: the system will be deployed as closely as possible.</description>
561: </Group>
562: <Group id="group-1.2.3" hidden="false">
563: <title xml:lang="en">Root Shell Environment Assumed</title>
564: <description xml:lang="en">
565: Most of the actions listed in this document are written with the
566: assumption that they will be executed by the root user running the /bin/bash shell. Any
567: commands preceded with a hash mark (#) assume that the administrator will execute the
568: commands as root, i.e. apply the command via sudo whenever possible, or use su to gain
569: root privileges if sudo cannot be used.</description>
570: </Group>
571: <Group id="group-1.2.4" hidden="false">
572: <title xml:lang="en">Formatting Conventions</title>
573: <description xml:lang="en">
574: Commands intended for shell execution, as well as configuration
575: file text, are featured in a monospace font. Italics are used to indicate instances where
576: the system administrator must substitute the appropriate information into a command or
577: configuration file.</description>
578: </Group>
579: <Group id="group-1.2.5" hidden="false">
580: <title xml:lang="en">Reboot Required</title>
581: <description xml:lang="en">
582: A system reboot is implicitly required after some actions in
583: order to complete the reconfiguration of the system. In many cases, the changes will not
584: take effect until a reboot is performed. In order to ensure that changes are applied
585: properly and to test functionality, always reboot the system after applying a set of
586: recommendations from this guide.</description>
587: </Group>
588: </Group>
589: </Group>
590: <Group id="group-2" hidden="false">
591: <title xml:lang="en">System-wide Configuration</title>
592: <Group id="group-2.1" hidden="false">
593: <title xml:lang="en">Installing and Maintaining Software</title>
594: <description xml:lang="en">
595: The following sections contain information on security-relevant
596: choices during the initial operating system installation process and the setup of software
597: updates.</description>
598: <Group id="group-2.1.1" hidden="false">
599: <title xml:lang="en">Initial Installation Recommendations</title>
600: <description xml:lang="en">
601: The recommendations here apply to a clean installation of the
602: system, where any previous installations are wiped out. The sections presented here are in
603: the same order that the installer presents, but only installation choices with security
604: implications are covered. Many of the configuration choices presented here can also be
605: applied after the system is installed. The choices can also be automatically applied via
606: Kickstart files.</description>
607: <Group id="group-2.1.1.1" hidden="false">
608: <title xml:lang="en">Disk Partitioning</title>
609: <description xml:lang="en">
610: Some system directories should be placed on their own partitions
611: (or logical volumes). This allows for better separation and protection of data.
612: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
613: The installer’s default partitioning scheme creates separate partitions (or logical volumes)
614: for /, /boot, and swap.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
615: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
616: <xhtml:li>If starting with any of the default layouts, check the box to “Review and modify
617: partitioning.” This allows for the easy creation of additional logical volumes inside
618: the volume group already created, though it may require making /’s logical volume smaller
619: to create space. In general, using logical volumes is preferable to using partitions
620: because they can be more easily adjusted later.</xhtml:li>
621: <xhtml:li>If creating a custom layout, create the partitions mentioned in the previous paragraph
622: (which the installer will require anyway), as well as separate ones described in the
623: following sections.</xhtml:li>
624: </xhtml:ul>
625: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
626: If a system has already been installed, and the default partitioning scheme was
627: used, it is possible but nontrivial to modify it to create separate logical volumes for the
628: directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM
629: HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM.
630: </description>
631: <Group id="group-2.1.1.1.1" hidden="false">
632: <title xml:lang="en">Create Separate Partition or Logical Volume for /tmp</title>
633: <description xml:lang="en">
634: The /tmp directory is a world-writable directory used for
635: temporary file storage. Ensure that it has its own partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
636: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
637: Because software may need to use /tmp to temporarily store large files, ensure
638: that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate. Smaller or larger sizes could be used, depending on
639: the availability of space on the drive and the system’s operating requirements. Note that the minimum-size variable below defaults to 2G, which is below this recommendation; set it to the size actually required so that the size check reflects local policy.
640: </description>
641: <Value id="var-2.1.1.1.1.b" operator="equals" type="string">
642: <title xml:lang="en">Minimum size for /tmp</title>
643: <question xml:lang="en">Choose minimum size of /tmp</question>
644: <value>2G</value>
645: <value selector="125M">125M</value>
646: <value selector="500M">500M</value>
647: <value selector="2G">2G</value>
648: <value selector="10G">10G</value>
649: <value selector="40G">40G</value>
650: <match>^[\d]+[KMGkmg]?$</match>
651: </Value>
652: <Rule id="rule-2.1.1.1.1.a" selected="false" weight="10.000000">
653: <title xml:lang="en">Ensure that /tmp has its own partition or logical volume</title>
654: <description xml:lang="en">The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.</description>
655: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
656: <check-content-ref name="oval:org.fedoraproject.f14:def:20000" href="scap-fedora14-oval.xml"/>
657: </check>
658: </Rule>
659: <Rule id="rule-2.1.1.1.1.b" selected="false" weight="2.000000">
660: <title xml:lang="en">Ensure that /tmp is of adequate size</title>
661: <description xml:lang="en">Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size.</description>
662: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
663: <check-content-ref name="oval:org.fedoraproject.f14:def:20001" href="scap-fedora14-oval.xml"/>
664: </check>
665: </Rule>
666: </Group>
667: <Group id="group-2.1.1.1.2" hidden="false">
668: <title xml:lang="en">Create Separate Partition or Logical Volume for /var</title>
669: <description xml:lang="en">
670: The /var directory is used by daemons and other system
671: services to store frequently-changing data. It is not uncommon for the /var directory
672: to contain world-writable directories, installed by other software packages.
673: Ensure that /var has its own partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
674: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
675: Because the yum package manager and other software uses /var to temporarily store
676: large files, ensure that it is of adequate size. For a modern, general-purpose system,
677: 10GB should be adequate.
678: </description>
679: <Value id="var-2.1.1.1.2.b" operator="equals" type="string">
680: <title xml:lang="en">Minimum size of /var</title>
681: <description xml:lang="en">Choose minimum size of /var</description>
682: <question xml:lang="en">Choose minimum size of /var</question>
683: <value>5G</value>
684: <value selector="500k">500K</value>
685: <value selector="1G">1G</value>
686: <value selector="5G">5G</value>
687: <value selector="10G">10G</value>
688: <value selector="15G">15G</value>
689: <value selector="20G">20G</value>
690: <match>^[\d]+[KMGkmg]?$</match>
691: </Value>
692: <Rule id="rule-2.1.1.1.2.a" selected="false" weight="10.000000" severity="low">
693: <title xml:lang="en">Ensure that /var has its own partition or logical volume</title>
694: <description xml:lang="en">The /var directory is used by daemons and other system services to store frequently-changing data. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. Ensure that /var has its own partition or logical volume.</description>
695: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
696: <check-content-ref name="oval:org.fedoraproject.f14:def:20002" href="scap-fedora14-oval.xml"/>
697: </check>
698: </Rule>
699: <Rule id="rule-2.1.1.1.2.b" selected="false" weight="10.000000">
700: <title xml:lang="en">Ensure that /var is of adequate size</title>
701: <description xml:lang="en">Because the yum package manager and other software uses /var to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate.</description>
702: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
703: <check-export export-name="oval:org.fedoraproject.f14:var:20003" value-id="var-2.1.1.1.2.b"/>
704: <check-content-ref name="oval:org.fedoraproject.f14:def:20003" href="scap-fedora14-oval.xml"/>
705: </check>
706: </Rule>
707: </Group>
708: <Group id="group-2.1.1.1.3" hidden="false">
709: <title xml:lang="en">Create Separate Partition or Logical Volume for /var/log</title>
710: <description xml:lang="en">
711: System logs are stored in the /var/log directory.
712: Ensure that it has its own partition or logical volume.
713: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
714: See 2.6 for more information about logging and auditing.</description>
715: <Rule id="rule-2.1.1.1.3.a" selected="false" weight="10.000000">
716: <title xml:lang="en">Ensure that /var/log has its own partition or logical volume</title>
717: <description xml:lang="en">
718: System logs are stored in the /var/log directory.
719: Ensure that it has its own partition or logical volume.</description>
720: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
721: <check-content-ref name="oval:org.fedoraproject.f14:def:20004" href="scap-fedora14-oval.xml"/>
722: </check>
723: </Rule>
724: </Group>
725: <Group id="group-2.1.1.1.4" hidden="false">
726: <title xml:lang="en">Create Separate Partition or Logical Volume for /var/log/audit</title>
727: <description xml:lang="en">
728: Audit logs are stored in the /var/log/audit directory.
729: Ensure that it has its own partition or logical volume. Make absolutely certain
730: that it is large enough to store all audit logs that will be created by the auditing
731: daemon.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
732: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
733: See 2.6.2.2 for discussion on deciding on an appropriate size for the volume.</description>
734: <Rule id="rule-2.1.1.1.4.a" selected="false" weight="10.000000">
735: <title xml:lang="en">Ensure that /var/log/audit has its own partition or logical volume</title>
736: <description xml:lang="en">
737: Audit logs are stored in the /var/log/audit directory.
738: Ensure that it has its own partition or logical volume.
739: Make absolutely certain that it is large enough to store
740: all audit logs that will be created by the auditing daemon.</description>
741: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
742: <check-content-ref name="oval:org.fedoraproject.f14:def:20005" href="scap-fedora14-oval.xml"/>
743: </check>
744: </Rule>
745: </Group>
746: <Group id="group-2.1.1.1.5" hidden="false">
747: <title xml:lang="en">Create Separate Partition or Logical Volume for /home if Using Local Home Directories</title>
748: <description xml:lang="en">
749: If user home directories will be stored locally, create a separate
750: partition for /home. If /home will be mounted from another system such as an NFS server, then
751: creating a separate partition is not necessary at this time, and the mountpoint can
752: instead be configured later.</description>
753: <Rule id="rule-2.1.1.1.5.a" selected="false" weight="10.000000" severity="low">
754: <title xml:lang="en">Ensure that /home has its own partition or logical volume</title>
755: <description xml:lang="en">
756: If user home directories will be stored locally, create a separate partition for /home.
757: If /home will be mounted from another system such as an NFS server, then creating a
758: separate partition is not necessary at this time, and the mountpoint can instead be
759: configured later.</description>
760: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
761: <check-content-ref name="oval:org.fedoraproject.f14:def:20006" href="scap-fedora14-oval.xml"/>
762: </check>
763: </Rule>
764: </Group>
765: </Group>
766: <Group id="group-2.1.1.2" hidden="false">
767: <title xml:lang="en">Boot Loader Configuration</title>
768: <description xml:lang="en">
769: Check the box to "Use a boot loader password" and create a
770: password. Once this password is set, anyone who wishes to change the boot loader
771: configuration will need to enter it. More information is available in Section
772: 2.3.5.2.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
773: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
774: Assigning a boot loader password prevents a local user
775: with physical access from altering the boot loader configuration at system startup. It does not by itself prevent booting from removable media or removing the disk, so also restrict the permitted boot devices in the firmware (BIOS) configuration and protect those settings with a firmware password.
776: </description>
777: </Group>
778: <Group id="group-2.1.1.3" hidden="false">
779: <title xml:lang="en">Network Devices</title>
780: <description xml:lang="en">
781: The default network device configuration uses DHCP, which is
782: not recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
783: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
784: Unless use of DHCP is absolutely necessary, click
785: the "Edit" button and:
786: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
787: <xhtml:li>
788: Uncheck "Use Dynamic IP configuration (DHCP)".
789: </xhtml:li>
790: <xhtml:li>
791: Uncheck "Enable IPv4 Support" if the system does not require IPv4. (This is
792: uncommon.)
793: </xhtml:li>
792: <xhtml:li>
793: Uncheck "Enable IPv6 Support" if the system does not require
794: IPv6.
795: </xhtml:li>
796: <xhtml:li>
797: Enter appropriate IPv4 and IPv6 addresses and prefixes as
798: required.
799: </xhtml:li>
800: </xhtml:ul>
801: With the DHCP setting disabled, the hostname, gateway, and DNS
802: servers should then be assigned on the main screen.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
803: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
804: Sections 3.9.1
805: and 3.9.2 contain more information on network configuration and the use of DHCP.
806: </description>
807: </Group>
808: <Group id="group-2.1.1.4" hidden="false">
809: <title xml:lang="en">Root Password</title>
810: <description xml:lang="en">
811: The security of the entire system depends on the strength of
812: the root password. The password should be at least 12 characters long, and should
813: include a mix of capitalized and lowercase letters, special characters, and numbers. It
814: should also not be based on any dictionary word.</description>
815: </Group>
816: <Group id="group-2.1.1.5" hidden="false">
817: <title xml:lang="en">Software Packages</title>
818: <description xml:lang="en">
819: Uncheck all package groups, including the package groups
820: "Software Development" and "Web Server", unless there is a specific requirement to
821: install software using the system installer. If the machine will be used as a web
822: server, it is preferable to manually install the necessary RPMs instead of installing
823: the full "Web Server" package group. See Section 3.16 for installation and configuration
824: details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
825: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
826: Use the "Customize now" radio box to prune package groups
827: as much as possible. This brings up a two-column view of categories and package groups.
828: If appropriate, uncheck "X Window System" in the "Base System" category to avoid
829: installing X entirely. Any other package groups not necessary for system operation
830: should also be unchecked.
831: </description>
832: </Group>
833: <Group id="group-2.1.1.6" hidden="false">
834: <title xml:lang="en">First-boot Configuration</title>
835: <description xml:lang="en">
836: The system presents more configuration options during the first
837: boot after installation. For the screens listed, implement the security-related
838: recommendations:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
839: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
840: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
841: <xhtml:li>
842: Firewall - Leave set to
843: 'Enabled.' Only check the 'Trusted Services' that this system needs to serve. Uncheck
844: the default selection of SSH if the system does not need to serve
845: SSH.
846: </xhtml:li>
847: <xhtml:li>
848: SELinux - Leave SELinux set to 'Enforcing' mode.
849: </xhtml:li>
850: <xhtml:li>
851: Kdump -
852: Leave Kdump off unless the feature is required, such as for kernel development and
853: testing.
854: </xhtml:li>
855: <xhtml:li>
856: Set Up Software Updates - If the system is connected to the
857: Internet now, click 'Yes, I'd like to register now.' This will require a connection to
858: either the Red Hat Network servers or their proxies or satellites. This can also be
859: configured later as described in Section 2.1.2.1.
860: </xhtml:li>
861: <xhtml:li>
862: Create User - If the
863: system will require a local user account, it can be created here. Even if the system
864: will be using a network-wide authentication system as described in Section 2.3.6, do
865: not click on the 'Use Network Login...' button. Manually applying configuration later
866: is preferable.
867: </xhtml:li>
868: </xhtml:ul>
869: </description>
870: </Group>
871: </Group>
872: <Group id="group-2.1.2" hidden="false">
873: <title xml:lang="en">Security Updates</title>
874: <description xml:lang="en">
875: As security vulnerabilities are discovered, the affected software must be updated in order
876: to limit any potential security risks. If the software is part of a package within a Fedora
877: distribution that is currently supported, Fedora is committed to releasing updated packages
878: that fix the vulnerability as soon as is possible. Often, announcements about a given
879: security exploit are accompanied with a patch (or source code that fixes the problem).
880: This patch is then applied to the Fedora package and tested and released as an errata update.
881: However, if an announcement does not include a patch, a developer first works with the maintainer
882: of the software to fix the problem. Once the problem is fixed, the package is tested
883: and released as an errata update.
884: </description>
885: <Group id="group-2.1.2.1" hidden="false">
886: <title xml:lang="en">Updating Software</title>
887: <description xml:lang="en">
888: The yum command line tool is used to install and update software
889: packages. The system also provides package management service called PackageKit
890: that allows the session users to manage packages in a secure way. There are several
891: graphical utilities designed for installing, updating and removing packages on your
892: system that use PackageKit API. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
893: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
894: It is recommended to use these mechanisms to keep systems up to date with the latest
895: security patches.
896: </description>
897: <Group id="group-2.1.2.1.1" hidden="false">
898: <title xml:lang="en">Ensure Fedora GPG Key is Installed</title>
899: <description xml:lang="en">
900: To ensure that the system can cryptographically verify update packages run the following command to verify
901: that the system has the Fedora GPG key properly installed:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
902: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
903: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
904: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
905: The command should return the string:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
906: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
907: gpg(Fedora (14) &lt;fedora@fedoraproject.org&gt;)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Note that this only confirms that a key carrying this summary is installed; it does not prove the key is genuine. Before relying on it, compare the installed key's fingerprint against the fingerprint published by the Fedora Project.</description>
908: <Rule id="rule-2.1.2.1.1.a" selected="false" weight="10.000000">
909: <title xml:lang="en">Ensure Fedora GPG Key is Installed</title>
910: <description xml:lang="en">The GPG key should be installed.</description>
911: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
912: <check-content-ref name="oval:org.fedoraproject.f14:def:200065" href="scap-fedora14-oval.xml"/>
913: </check>
914: </Rule>
915: </Group>
916: </Group>
917: <Group id="group-2.1.2.3" hidden="false">
918: <title xml:lang="en">Obtain Software Package Updates with yum</title>
919: <description xml:lang="en">
920: The yum update utility can be run by hand from the command
921: line, called through one of the provided front-end tools, or configured to run
922: automatically at specified intervals.</description>
923: <Group id="group-2.1.2.3.2" hidden="false">
924: <title xml:lang="en">Configure Automatic Update Retrieval and Installation with Cron</title>
925: <description xml:lang="en">
926: The yum-updatesd service is not mature enough for an
927: enterprise environment, and the service may introduce unnecessary overhead. When
928: possible, replace this service with a cron job that calls yum
929: directly.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
930: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
931: Create the file yum.cron, make it executable, and place it in
932: /etc/cron.daily:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
933: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
934: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#!/bin/sh<xhtml:br/>
935: <xhtml:br/>
936: /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
937: <xhtml:br/>
938: /usr/bin/yum -R 10 -e 0 -d 0 -y update<xhtml:br/></xhtml:code>
939: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
940: This particular script instructs yum to update any
941: packages it finds. Placing the script in /etc/cron.daily ensures its daily execution.
942: To only apply updates once a week, place the script in /etc/cron.weekly instead.
943: </description>
944: <Value id="var-2.1.2.3.2.b" operator="equals" type="string">
945: <title xml:lang="en">Schedule yum update using cron</title>
946: <description xml:lang="en">Enter frequency of with which to invoke yum update</description>
947: <question xml:lang="en">Select frequency of yum update</question>
948: <value>daily</value>
949: <value selector="hourly">hourly</value>
950: <value selector="daily">daily</value>
951: <value selector="weekly">weekly</value>
952: <value selector="monthly">monthly</value>
953: <match>hourly|daily|weekly|monthly</match>
954: <choices mustMatch="true">
955: <choice>hourly</choice>
956: <choice>daily</choice>
957: <choice>weekly</choice>
958: <choice>monthly</choice>
959: </choices>
960: </Value>
961: <Rule id="rule-2.1.2.3.2.a" selected="false" weight="10.000000" severity="low">
962: <title xml:lang="en">yum-updatesd service should be disabled</title>
963: <description xml:lang="en">The yum-updatesd service should be disabled</description>
964: <ident system="http://cce.mitre.org">CCE-4218-4</ident>
965: <fix># chkconfig yum-updatesd off</fix>
966: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
967: <check-content-ref name="oval:org.fedoraproject.f14:def:20008" href="scap-fedora14-oval.xml"/>
968: </check>
969: </Rule>
970: <Rule id="rule-2.1.2.3.2.b" selected="false" weight="10.000000" severity="medium">
971: <title xml:lang="en">Automatic Update Retrieval should be scheduled with Cron</title>
972: <description xml:lang="en">Place the yum.cron script somewhere in /etc/cron.*/</description>
973: <fix>printf '#!/bin/sh\n/usr/bin/yum -R 120 -e 0 -d 0 -y update yum\n/usr/bin/yum -R 10 -e 0 -d 0 -y update\n' > /etc/cron.daily/yum.cron &amp;&amp; chmod 0755 /etc/cron.daily/yum.cron</fix>
974: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
975: <check-export export-name="oval:org.fedoraproject.f14.dcb:var:20009" value-id="var-2.1.2.3.2.b"/>
976: <check-content-ref name="oval:org.fedoraproject.f14:def:20009" href="scap-fedora14-oval.xml"/>
977: </check>
978: </Rule>
979: </Group>
980: <Group id="group-2.1.2.3.3" hidden="false">
981: <title xml:lang="en">Ensure Package Signature Checking is Globally Activated</title>
982: <description xml:lang="en">
983: The gpgcheck option should be used to ensure that checking of an RPM package’s signature always occurs prior
984: to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
985: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
986: To force yum to check package signatures before installing them, ensure that the following line appears in
987: /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
988: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
989: gpgcheck=1
990: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
991: </description>
992: <Rule id="rule-2.1.2.3.3.a" selected="false" weight="10.000000">
993: <title xml:lang="en">Ensure gpgcheck is Globally Activated</title>
994: <description xml:lang="en">
995: The gpgcheck option should be used to ensure that checking of an RPM package’s signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
996: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
997: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
998: gpgcheck=1</description>
999: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1000: <check-content-ref name="oval:org.fedoraproject.f14:def:20010" href="scap-fedora14-oval.xml"/>
1001: </check>
1002: </Rule>
1003: </Group>
1004: <Group id="group-2.1.2.3.4" hidden="false">
1005: <title xml:lang="en">Ensure Package Signature Checking is Not Disabled For Any Repos</title>
1006: <description xml:lang="en">
1007: To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT
1008: appear in any repo configuration files in /etc/yum.repos.d or elsewhere. A per-repository setting overrides the global value in /etc/yum.conf, so a single repository file containing this line defeats the global gpgcheck=1 for that repository:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1009: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1010: gpgcheck=0
1011: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1012: </description>
1013: <Rule id="rule-2.1.2.3.4.a" selected="false" weight="10.000000">
1014: <title xml:lang="en">Ensure Package Signature Checking is Not Disabled For Any Repos</title>
1015: <description xml:lang="en">
1016: To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1017: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>gpgcheck=0</description>
1018: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1019: <check-content-ref name="oval:org.fedoraproject.f14:def:20011" href="scap-fedora14-oval.xml"/>
1020: </check>
1021: </Rule>
1022: </Group>
1023: <Group id="group-2.1.2.3.5" hidden="false">
1024: <title xml:lang="en">Ensure Repodata Signature Checking is Globally Activated</title>
1025: <description xml:lang="en">
1026: The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior
1027: to using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1028: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1029: To force yum to check the signature on repodata sent by a repository prior to using it, ensure that the
1030: following line appears in /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1031: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1032: repo_gpgcheck=1
1033: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1034: </description>
1035: <Rule id="rule-2.1.2.3.5.a" selected="false" weight="10.000000">
1036: <title xml:lang="en">Ensure Repodata Signature Checking is Globally Activated</title>
1037: <description xml:lang="en">
1038: The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior to using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1039: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check the signature on repodata sent by a repository prior to using it, ensure that the following line appears in /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1040: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>repo_gpgcheck=1</description>
1041: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1042: <check-content-ref name="oval:org.fedoraproject.f14:def:20012" href="scap-fedora14-oval.xml"/>
1043: </check>
1044: </Rule>
1045: </Group>
1046: <Group id="group-2.1.2.3.6" hidden="false">
1047: <title xml:lang="en">Ensure Repodata Signature Checking is Not Disabled For Any Repos</title>
1048: <description xml:lang="en">
1049: To ensure that repodata signature checking is not disabled for any repos, ensure that the following line DOES NOT
1050: appear in any repo configuration files in /etc/yum.repos.d or elsewhere (a per-repository setting overrides the global repo_gpgcheck=1 in /etc/yum.conf):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1051: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1052: repo_gpgcheck=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1053: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1054: Note: Red Hat’s repositories support signatures on repodata, but some public repositories do not. If a repository
1055: does not support signature checking on repodata, then this risk must be weighed against the value of using the
1056: repository.
1057: </description>
1058: <Rule id="rule-2.1.2.3.6.a" selected="false" weight="10.000000">
1059: <title xml:lang="en">Ensure Repodata Signature Checking is Not Disabled For Any Repos</title>
1060: <description xml:lang="en">
1061: To ensure that repodata signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1062: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>repo_gpgcheck=0</description>
1063: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1064: <check-content-ref name="oval:org.fedoraproject.f14:def:20013" href="scap-fedora14-oval.xml"/>
1065: </check>
1066: </Rule>
1067: </Group>
1068: </Group>
1069: </Group>
1070: <Group id="group-2.1.3" hidden="false">
1071: <title xml:lang="en">Software Integrity Checking</title>
1072: <description xml:lang="en">
1073: The AIDE (Advanced Intrusion Detection Environment) software is
1074: included with the system to provide software integrity checking. It is designed to be a
1075: replacement for the well-known Tripwire integrity checker. Integrity checking cannot
1076: <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">prevent</xhtml:em>
1077: intrusions into your system, but can detect that they have occurred.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1078: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1079: Any integrity checking software should be configured before
1080: the system is deployed and able to provide services to users. Ideally, the integrity
1081: checking database would be built before the system is connected to any network, though
1082: this may prove impractical due to registration and software updates.
1083: </description>
1084: <Group id="group-2.1.3.1" hidden="false">
1085: <title xml:lang="en">Configure AIDE</title>
1086: <description xml:lang="en">
1087: Requirements for software integrity checking should be defined
1088: by policy, and this is highly dependent on the environment in which the system will be
1089: used. As such, a general strategy for implementing integrity checking is provided, but
1090: precise recommendations (such as to check a particular file) cannot be. Documentation
1091: for AIDE, including the quick-start on which this advice is based, is available in
1092: /usr/share/doc/aide-0.12.</description>
1093: <Group id="group-2.1.3.1.1" hidden="false">
1094: <title xml:lang="en">Install AIDE</title>
1095: <description xml:lang="en">AIDE is not installed by default.</description>
1096: <Rule id="rule-2.1.3.1.1.a" selected="false" weight="10.000000" severity="medium">
1097: <title xml:lang="en">Install AIDE</title>
1098: <description xml:lang="en">The AIDE package should be installed</description>
1099: <ident system="http://cce.mitre.org">CCE-4209-3</ident>
1100: <fix>yum install aide</fix>
1101: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1102: <check-content-ref name="oval:org.fedoraproject.f14:def:20014" href="scap-fedora14-oval.xml"/>
1103: </check>
1104: </Rule>
1105: </Group>
1106: <Group id="group-2.1.3.1.2" hidden="false">
1107: <title xml:lang="en">Customize Configuration File</title>
1108: <description xml:lang="en">
1109: Customize /etc/aide.conf to meet your requirements. The
1110: default configuration is acceptable for many environments.
1111: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1112: The man page aide.conf(5)
1113: provides detailed information about the configuration file format.
1114: </description>
1115: </Group>
1116: <Group id="group-2.1.3.1.3" hidden="false">
1117: <title xml:lang="en">Build, Store, and Test Database</title>
1118: <description xml:lang="en">
1119: Generate a new database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1120: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1121: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init<xhtml:br/></xhtml:code>
1122: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1123: By default, the database will be written to
1124: the file /var/lib/aide/aide.db.new.gz. The database, as well as the configuration file
1125: /etc/aide.conf and the binary /usr/sbin/aide (or hashes of these files) should be
1126: copied and stored in a secure location. Storing these copies or hashes on read-only
1127: media may provide further confidence that they will not be
1128: altered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1129: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1130: Install the newly-generated database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1131: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1132: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz<xhtml:br/></xhtml:code>
1133: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1134: Run a manual check:
1135: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1136: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1137: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check<xhtml:br/></xhtml:code>
1138: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1139: If this check produces any unexpected output, investigate.
1140: </description>
1141: </Group>
1142: <Group id="group-2.1.3.1.4" hidden="false">
1143: <title xml:lang="en">Implement Periodic Execution of Integrity Checking</title>
1144: <description xml:lang="en">
1145: By default, AIDE does not install itself for periodic execution.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1146: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1147: Implement checking with whatever frequency is required
1148: by your security policy. A once-daily check may be suitable for many environments. For
1149: example, to implement a daily execution of AIDE at 4:05am, add the following line to
1150: /etc/crontab:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1151: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1152: 05 4 * * * root /usr/sbin/aide --check<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1153: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1154: AIDE output may be an indication of an attack against
1155: your system, or it may be the result of something innocuous such as an administrator's
1156: configuration change or a software update. The steps in Section 2.1.3.1.3 should be
1157: repeated when configuration changes or software updates necessitate. This will
1158: certainly be necessary after applying guidance later in this guide.
1159: </description>
1160: <Value id="var-2.1.3.1.4.a" operator="equals" type="string">
1161: <title xml:lang="en">Schedule AIDE check using cron</title>
1162: <description xml:lang="en">Frequency with which to run AIDE check</description>
1163: <question xml:lang="en">Select frequency with which to run AIDE check</question>
1164: <value>daily</value>
1165: <value selector="hourly">hourly</value>
1166: <value selector="daily">daily</value>
1167: <value selector="weekly">weekly</value>
1168: <value selector="monthly">monthly</value>
1169: <match>hourly|daily|weekly|monthly</match>
1170: <choices mustMatch="true">
1171: <choice>hourly</choice>
1172: <choice>daily</choice>
1173: <choice>weekly</choice>
1174: <choice>monthly</choice>
1175: </choices>
1176: </Value>
1177: <Rule id="rule-2.1.3.1.4.a" selected="false" weight="10.000000" role="full" severity="medium">
1178: <title xml:lang="en">Run AIDE periodically</title>
1179: <description xml:lang="en">Set up cron to run AIDE periodically.</description>
1180: <fix>echo -e "/usr/sbin/aide --check" > /etc/cron.daily/aide.cron</fix>
1181: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1182: <check-export export-name="oval:org.fedoraproject.f14:var:20015" value-id="var-2.1.3.1.4.a"/>
1183: <check-content-ref name="oval:org.fedoraproject.f14:def:20015" href="scap-fedora14-oval.xml"/>
1184: </check>
1185: </Rule>
1186: </Group>
1187: <Group id="group-2.1.3.1.5" hidden="false">
1188: <title xml:lang="en">Manually Verify Integrity of AIDE</title>
1189: <description xml:lang="en">
1190: Because integrity checking is a means of intrusion detection
1191: and not intrusion prevention, it cannot be guaranteed that the AIDE binaries,
1192: configuration files, or database have not been tampered with. An attacker could
1193: disable or alter these files after a successful intrusion. Because of this, manual and
1194: frequent checks on these files are recommended. The safely stored copies (or hashes) of
1195: the database, binary, and configuration file were created earlier for this
1196: purpose.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1197: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1198: Manually verify the integrity of the AIDE binaries,
1199: configuration file, and database. Possibilities for doing so include:
1200: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
1201: <xhtml:li>Use sha1sum or md5sum to generate checksums on the
1202: files and then visually compare them to those generated from the safely stored
1203: versions. This does not, of course, preclude the possibility that such output could
1204: also be faked.</xhtml:li>
1205: <xhtml:li>Mount the stored versions on read-only media and run
1206: /bin/diff to verify that there are no differences between the
1207: files.</xhtml:li>
1208: <xhtml:li>Copying the files to another system and performing the hash or file
1209: comparisons there may impart additional confidence that the manual verification
1210: process is not being interfered with.</xhtml:li>
1211: </xhtml:ol>
1212: </description>
1213: </Group>
1214: </Group>
1215: <Group id="group-2.1.3.2" hidden="false">
1216: <title xml:lang="en">Verify Package Integrity Using RPM</title>
1217: <description xml:lang="en">
1218: The RPM package management system includes the ability to
1219: verify the integrity of installed packages by comparing the installed files with
1220: information about the files taken from the package metadata stored in the RPM
1221: database. Although an attacker could corrupt the RPM database (analogous to
1222: attacking the AIDE database as described above), this check can still reveal
1223: modification of important files.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1224: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1225: To determine which files on the system differ from what is expected by the RPM
1226: database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1227: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1228: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -qVa<xhtml:br/></xhtml:code>
1229: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1230: A “c” in the second column indicates that a file is a configuration file (and may be
1231: expected to change). In order to exclude configuration files from this list, run:
1232: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1233: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -qVa | awk '$2!="c" {print $0}'<xhtml:br/></xhtml:code>
1234: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1235: The man page rpm(8) describes the format of the output. Any files that do not
1236: match the expected output demand further investigation if the system is being
1237: seriously examined. This check could also be run as a cron job.
1238: </description>
1239: <Rule id="rule-2.1.3.2.a" selected="false" weight="10.000000">
1240: <title xml:lang="en">Verify Package Integrity Using RPM</title>
1241: <description xml:lang="en">Verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.</description>
1242: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1243: <check-content-ref name="oval:org.fedoraproject.f14:def:200155" href="scap-fedora14-oval.xml"/>
1244: </check>
1245: </Rule>
1246: </Group>
1247: </Group>
1248: </Group>
1249: <Group id="group-2.2" hidden="false">
1250: <title xml:lang="en">File Permissions and Masks</title>
1251: <description xml:lang="en">
1252: Traditional Unix security relies heavily on file and directory
1253: permissions to prevent unauthorized users from reading or modifying files to which they
1254: should not have access. Adhere to the principle of least privilege — configure each file,
1255: directory, and filesystem to allow only the access needed in order for that file to serve
1256: its purpose.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1257: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1258: However, Linux systems contain a large number of files, so
1259: it is often prohibitively time-consuming to ensure that every file on a machine has exactly
1260: the permissions needed. This section introduces several permission restrictions which are
1261: almost always appropriate for system security, and which are easy to test and
1262: correct. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1263: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1264: Note: Several of the commands in this section search
1265: filesystems for files or directories with certain characteristics, and are intended to be
1266: run on every local ext2, ext3 and ext4 partition on a given machine. When the variable
1267: <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em>
1268: appears in one of the commands below, it means that the command
1269: is intended to be run repeatedly, with the name of each local partition substituted for
1270: <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em>
1271: in turn.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1272: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1273: The following command prints a
1274: list of ext2, ext3 and ext4 partitions on a given machine:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1275: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1276: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ mount -t ext2,ext3,ext4 | awk '{print $3}'<xhtml:br/></xhtml:code>
1277: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1278: If your site uses a local filesystem type other than ext{234}, you will need to modify
1279: this command.
1280: </description>
1281: <Group id="group-2.2.1" hidden="false">
1282: <title xml:lang="en">Restrict Partition Mount Options</title>
1283: <description xml:lang="en">
1284: System partitions can be mounted with certain options which limit
1285: what files on those partitions can do. These options are set in the file /etc/fstab, and
1286: can be used to make certain types of malicious behavior more difficult.</description>
1287: <Group id="group-2.2.1.1" hidden="false" weight="1.000000">
1288: <title xml:lang="en">Add nodev Option to Non-Root Local Partitions</title>
1289: <description xml:lang="en">
1290: The nodev option prevents users from mounting unauthorized
1291: devices on any partition which is known not to contain any authorized devices. The root
1292: partition typically contains the /dev partition, which is the primary location for
1293: authorized devices, so this option should not be set on /. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1294: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1295: However, if system programs are being run in chroot jails, this advice may need to be
1296: modified further, since it is often necessary to create device files inside the chroot
1297: directory for use by the restricted program.
1298: </description>
1299: <Rule id="rule-2.2.1.1.a" selected="false" weight="10.000000" role="full" severity="unknown">
1300: <title xml:lang="en">Add nodev Option to Non-Root Local Partitions</title>
1301: <description xml:lang="en">The nodev mount option should be set, as appropriate, on all non-root local partitions.</description>
1302: <ident system="http://cce.mitre.org">CCE-4249-9</ident>
1303: <fixtext xml:lang="en">
1304: Edit the file /etc/fstab. The important columns for purposes of
1305: this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount
1306: options). For any line which satisfies all of the conditions:
1307: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
1308: <xhtml:li>The filesystem type is ext2, ext3 or ext4</xhtml:li>
1309: <xhtml:li>The mount point is not /</xhtml:li>
1310: </xhtml:ul>
1311: add the text “,nodev” to the list of mount options in column 4. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1312: </fixtext>
1313: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1314: <check-content-ref name="oval:org.fedoraproject.f14:def:20016" href="scap-fedora14-oval.xml"/>
1315: </check>
1316: </Rule>
1317: </Group>
1318: <Group id="group-2.2.1.2" hidden="false">
1319: <title xml:lang="en">Add nodev, nosuid, and noexec Options to Removable Media Partitions</title>
1320: <description xml:lang="en">
1321: Users should not be allowed to introduce arbitrary devices or
1322: setuid programs to a system. These options are used to prevent that. In addition, while
1323: users are usually allowed to add executable programs to a system, the noexec option
1324: prevents code from being executed directly from the media itself, and may therefore
1325: provide a line of defense against certain types of worms or malicious code.</description>
1326: <Rule id="rule-2.2.1.2.a" selected="false" weight="10.000000">
1327: <title xml:lang="en">Add nodev Option to Removable Media Partitions</title>
1328: <description xml:lang="en">The nodev mount option should be set for all removable media.</description>
1329: <ident system="http://cce.mitre.org">CCE-3522-0</ident>
1330: <fixtext xml:lang="en">Edit the file /etc/fstab. Filesystems which represent removable media can be
1331: located by finding lines whose mount points contain strings like floppy or cdrom, or
1332: whose types are iso9660, vfat, or msdos. For each line representing a removable media
1333: mountpoint, add the text ',nodev' to the list of mount options in column 4.</fixtext>
1334: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1335: <check-content-ref name="oval:org.fedoraproject.f14:def:20017" href="scap-fedora14-oval.xml"/>
1336: </check>
1337: </Rule>
1338: <Rule id="rule-2.2.1.2.b" selected="false" weight="10.000000">
1339: <title xml:lang="en">Add noexec Option to Removable Media Partitions</title>
1340: <description xml:lang="en">The noexec mount option should be set for all removable media.</description>
1341: <ident system="http://cce.mitre.org">CCE-4275-4</ident>
1342: <fixtext xml:lang="en">Edit the file /etc/fstab. Filesystems which represent removable media can be
1343: located by finding lines whose mount points contain strings like floppy or cdrom, or
1344: whose types are iso9660, vfat, or msdos. For each line representing a removable media
1345: mountpoint, add the text ',noexec' to the list of mount options in column 4.</fixtext>
1346: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1347: <check-content-ref name="oval:org.fedoraproject.f14:def:20018" href="scap-fedora14-oval.xml"/>
1348: </check>
1349: </Rule>
1350: <Rule id="rule-2.2.1.2.c" selected="false" weight="10.000000" severity="medium">
1351: <title xml:lang="en">Add nosuid Option to Removable Media Partitions</title>
1352: <description xml:lang="en">The nosuid mount option should be set for all removable media.</description>
1353: <ident system="http://cce.mitre.org">CCE-4042-8</ident>
1354: <fixtext xml:lang="en">Edit the file /etc/fstab. Filesystems which represent removable media can be
1355: located by finding lines whose mount points contain strings like floppy or cdrom, or
1356: whose types are iso9660, vfat, or msdos. For each line representing a removable media
1357: mountpoint, add the text ',nosuid' to the list of mount options in column 4.</fixtext>
1358: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1359: <check-content-ref name="oval:org.fedoraproject.f14:def:20019" href="scap-fedora14-oval.xml"/>
1360: </check>
1361: </Rule>
1362: </Group>
1363: </Group>
1364: <Group id="group-2.2.2" hidden="false">
1365: <title xml:lang="en">Restrict Dynamic Mounting and Unmounting of Filesystems</title>
1366: <description xml:lang="en">
1367: Linux includes a number of facilities for the automated addition
1368: and removal of filesystems on a running system. These facilities may increase convenience,
1369: but they all bring some risk, whether direct risk from allowing unprivileged users to
1370: introduce arbitrary filesystems to a machine, or risk that software flaws in the automated
1371: mount facility itself will allow an attacker to compromise the
1372: system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1373: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1374: Use caution when enabling any such facility, and find out
1375: whether better configuration management or user education might solve the same problem
1376: with less risk.
1377: </description>
1378: <Group id="group-2.2.2.1" hidden="false">
1379: <title xml:lang="en">Disable USB Device Support</title>
1380: <description xml:lang="en">USB flash or hard drives allow an attacker with physical access to a system to quickly copy an enormous amount of data from it.</description>
1381: <Group id="group-2.2.2.1.1" hidden="false">
1382: <title xml:lang="en">Disable Modprobe Loading of USB Storage Driver</title>
1383: <description xml:lang="en">
1384: If USB storage devices should not be used, the modprobe
1385: program used for automatic kernel module loading should be configured to not load the
1386: USB storage driver upon demand. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1387: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1388: This will prevent the modprobe program from loading the usb-storage module, but will
1389: not prevent an administrator (or another program) from using the insmod program to
1390: load the module manually.
1391: </description>
1392: <Rule id="rule-2.2.2.1.1.a" selected="false" weight="10.000000">
1393: <title xml:lang="en">Disable Modprobe Loading of USB Storage Driver</title>
1394: <description xml:lang="en">The USB device support module should not be loaded</description>
1395: <ident system="http://cce.mitre.org">CCE-4187-1</ident>
1396: <fix>echo -e "\nblacklist usb_storage" >> /etc/modprobe.d/blacklist.conf</fix>
1397: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1398: <check-content-ref name="oval:org.fedoraproject.f14:def:20021" href="scap-fedora14-oval.xml"/>
1399: </check>
1400: </Rule>
1401: </Group>
1402: <Group id="group-2.2.2.1.2" hidden="false">
1403: <title xml:lang="en">Remove USB Storage Driver</title>
1404: <description xml:lang="en">
1405: If your system never requires the use of USB storage devices,
1406: then the supporting driver can be removed. Though more effective (as USB storage
1407: certainly cannot be used if the driver is not available at all), this is less elegant
1408: than the method described in Section 2.2.2.1.1. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1409: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1410: Note that this guidance will not prevent USB storage devices from being mounted if a
1411: custom kernel (i.e., not the one supplied with the system) with built-in USB support
1412: is used.
1413: </description>
1414: <Rule id="rule-2.2.2.1.2.a" selected="false" weight="10.000000">
1415: <title xml:lang="en">Remove USB Storage Driver</title>
1416: <description xml:lang="en">
1417: The USB device support module should not be installed. The command in
1418: the FIX will need to be repeated every time the kernel is updated. This command
1419: will also cause the command rpm -q --verify kernel to fail, which may be an
1420: undesirable side effect.</description>
1421: <ident system="http://cce.mitre.org">CCE-4006-3</ident>
1422: <fix>rm /lib/modules/2.6.*/kernel/drivers/usb/storage/usb-storage.ko</fix>
1423: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1424: <check-content-ref name="oval:org.fedoraproject.f14:def:20022" href="scap-fedora14-oval.xml"/>
1425: </check>
1426: </Rule>
1427: </Group>
1428: <Group id="group-2.2.2.1.3" hidden="false">
1429: <title xml:lang="en">Disable Kernel Support for USB via Bootloader Configuration</title>
1430: <description xml:lang="en">
1431: Another means of disabling USB storage is to disable all USB
1432: support provided by the operating system. This can be accomplished by adding the
1433: 'nousb' argument to the kernel's boot loader configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1434: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1435: NOTE
1436: - Disabling all kernel support for USB will cause problems for systems with USB-based
1437: keyboards, mice, or printers. This guidance is inappropriate for systems which require
1438: USB connectivity.
1439: </description>
1440: <Rule id="rule-2.2.2.1.3.a" selected="false" weight="10.000000">
1441: <title xml:lang="en">Disable Kernel Support for USB via Bootloader Configuration</title>
1442: <description xml:lang="en">USB kernel support should be disabled.</description>
1443: <ident system="http://cce.mitre.org">CCE-4173-1</ident>
1444: <fixtext xml:lang="en">To disable kernel support for USB, append 'nousb' to the kernel line in
1445: /etc/grub.conf as follows: kernel /vmlinuz-version ro vga=ext
1446: root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</fixtext>
1447: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1448: <check-content-ref name="oval:org.fedoraproject.f14:def:20023" href="scap-fedora14-oval.xml"/>
1449: </check>
1450: </Rule>
1451: </Group>
1452: <Group id="group-2.2.2.1.4" hidden="false">
1453: <title xml:lang="en">Disable Booting from USB Devices</title>
1454: <description xml:lang="en">
1455: An attacker with physical access could try to boot the system
1456: from a USB flash drive and then access any data on the system's hard drive,
1457: circumventing the normal operating system's access controls. To prevent this,
1458: configure the BIOS to disallow booting from USB drives. Also configure the BIOS or
1459: firmware password as described in Section 2.3.5.1 to prevent unauthorized
1460: configuration changes.</description>
1461: <Rule id="rule-2.2.2.1.4.a" selected="false" weight="10.000000" severity="high">
1462: <title xml:lang="en">Disable Booting from USB Devices in the BIOS</title>
1463: <description xml:lang="en">The ability to boot from USB devices should be disabled</description>
1464: <ident system="http://cce.mitre.org">CCE-3944-6</ident>
1465: <fixtext xml:lang="en">BIOS settings</fixtext>
1466: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1467: <check-content-ref name="oval:org.fedoraproject.f14:def:20024" href="scap-fedora14-oval.xml"/>
1468: </check>
1469: </Rule>
1470: </Group>
1471: </Group>
1472: <Group id="group-2.2.2.2" hidden="false">
1473: <title xml:lang="en">Disable the Automounter if Possible</title>
1474: <description xml:lang="en">
1475: If the autofs service is not needed to dynamically mount NFS
1476: filesystems or removable media, disable the service. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1477: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1478: The autofs daemon mounts and unmounts filesystems, such as user home directories shared
1479: via NFS, on demand. In addition, autofs can be used to handle removable media, and the
1480: default configuration provides the cdrom device as /misc/cd. However, this method of
1481: providing access to removable media is not common, so autofs can almost always be
1482: disabled if NFS is not in use. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1483: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1484: Even if NFS is required, it is almost always
1485: possible to configure filesystem mounts statically by editing /etc/fstab rather than
1486: relying on the automounter.
1487: </description>
1488: <Rule id="rule-2.2.2.2.a" selected="false" weight="10.000000" severity="medium">
1489: <title xml:lang="en">Disable the Automounter if Possible</title>
1490: <description xml:lang="en">The autofs service should be disabled.</description>
1491: <ident system="http://cce.mitre.org">CCE-4072-5</ident>
1492: <fix>chkconfig autofs off</fix>
1493: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1494: <check-content-ref name="oval:org.fedoraproject.f14:def:20025" href="scap-fedora14-oval.xml"/>
1495: </check>
1496: </Rule>
1497: </Group>
1498: <Group id="group-2.2.2.3" hidden="false">
1499: <title xml:lang="en">Disable GNOME Automounting if Possible</title>
1500: <description xml:lang="en">
1501: The system's default desktop environment, GNOME, runs the
1502: program gnome-volume-manager to mount devices and removable media (such as DVDs, CDs and
1503: USB flash drives) whenever they are inserted into the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1504: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1505: The system's capabilities for automatic mounting should be configured to match whatever
1506: is defined by security policy. Disabling USB storage as described in Section 2.2.2.2.1
1507: will prevent the use of USB storage devices, but this step can also be taken as an
1508: additional layer of prevention and to prevent automatic mounting of CDs and DVDs if
1509: required. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1510: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1511: Particularly for kiosk-style systems, where users should
1512: have extremely limited access to the system, more detailed information can be found in
1513: Red Hat Desktop: Deployment Guide. The gconf-editor program, available in an RPM of the
1514: same name, can be used to explore other settings available in the GNOME environment.
1515: </description>
1516: <Rule id="rule-2.2.2.3.a" selected="false" weight="10.000000" severity="medium">
1517: <title xml:lang="en">Disable GNOME Automounting if Possible</title>
1518: <description xml:lang="en">The GNOME automounter (gnome-volume-manager) should be disabled if possible</description>
1519: <ident system="http://cce.mitre.org">CCE-4231-7</ident>
1520: <fixtext xml:lang="en">Execute the following commands to prevent gnome-volume-manager from automatically
1521: mounting devices and media: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1522: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1523: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
1524: # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
1525: --type bool --set /desktop/gnome/volume_manager/automount_media false
1526: <xhtml:br/> <xhtml:br/>
1527: # gconftool-2 --direct
1528: --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
1529: --type bool
1530: --set /desktop/gnome/volume_manager/automount_drives false
1531: </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1532: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1533: Verify the changes by executing
1534: the following command, which should return a list of settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1535: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1536: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># gconftool-2 -R /desktop/gnome/volume_manager <xhtml:br/></xhtml:code>
1537: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1538: The automount drives and automount media settings should
1539: be set to false. Survey the list for any other options that should be adjusted.</fixtext>
1540: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1541: <check-content-ref name="oval:org.fedoraproject.f14:def:20026" href="scap-fedora14-oval.xml"/>
1542: </check>
1543: </Rule>
1544: </Group>
1545: <Group id="group-2.2.2.4" hidden="false">
1546: <title xml:lang="en">Disable Mounting of Uncommon Filesystem Types</title>
1547: <description xml:lang="en">
1548: Listing a kernel module in /etc/modprobe.d/blacklist.conf will prevent the
1549: kernel module loading system from inserting that module into the kernel.
1550: This mechanism effectively prevents usage of these uncommon filesystems.</description>
1551: <Rule id="rule-2.2.2.4.a" selected="false" weight="10.000000">
1552: <title xml:lang="en">Disable Mounting of cramfs</title>
1553: <description xml:lang="en">cramfs is an uncommon filesystem</description>
1554: <fix>echo "blacklist cramfs" >> /etc/modprobe.d/blacklist.conf</fix>
1555: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1556: <check-content-ref name="oval:org.fedoraproject.f14:def:20027" href="scap-fedora14-oval.xml"/>
1557: </check>
1558: </Rule>
1559: <Rule id="rule-2.2.2.4.b" selected="false" weight="10.000000">
1560: <title xml:lang="en">Disable Mounting of freevxfs</title>
1561: <description xml:lang="en">freevxfs is an uncommon filesystem</description>
1562: <fix>echo "blacklist freevxfs" >> /etc/modprobe.d/blacklist.conf</fix>
1563: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1564: <check-content-ref name="oval:org.fedoraproject.f14:def:20028" href="scap-fedora14-oval.xml"/>
1565: </check>
1566: </Rule>
1567: <Rule id="rule-2.2.2.4.c" selected="false" weight="10.000000">
1568: <title xml:lang="en">Disable Mounting of jffs2</title>
1569: <description xml:lang="en">jffs2 is an uncommon filesystem</description>
1570: <fix>echo "blacklist jffs2" >> /etc/modprobe.d/blacklist.conf</fix>
1571: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1572: <check-content-ref name="oval:org.fedoraproject.f14:def:20029" href="scap-fedora14-oval.xml"/>
1573: </check>
1574: </Rule>
1575: <Rule id="rule-2.2.2.4.d" selected="false" weight="10.000000">
1576: <title xml:lang="en">Disable Mounting of hfs</title>
1577: <description xml:lang="en">hfs is an uncommon filesystem</description>
1578: <fix>echo "blacklist hfs" >> /etc/modprobe.d/blacklist.conf</fix>
1579: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1580: <check-content-ref name="oval:org.fedoraproject.f14:def:20030" href="scap-fedora14-oval.xml"/>
1581: </check>
1582: </Rule>
1583: <Rule id="rule-2.2.2.4.e" selected="false" weight="10.000000">
1584: <title xml:lang="en">Disable Mounting of hfsplus</title>
1585: <description xml:lang="en">hfsplus is an uncommon filesystem</description>
1586: <fix>echo "blacklist hfsplus" >> /etc/modprobe.d/blacklist.conf</fix>
1587: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1588: <check-content-ref name="oval:org.fedoraproject.f14:def:20031" href="scap-fedora14-oval.xml"/>
1589: </check>
1590: </Rule>
1591: <Rule id="rule-2.2.2.4.f" selected="false" weight="10.000000">
1592: <title xml:lang="en">Disable Mounting of squashfs</title>
1593: <description xml:lang="en">squashfs is an uncommon filesystem</description>
1594: <fix>echo "blacklist squashfs" >> /etc/modprobe.d/blacklist.conf</fix>
1595: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1596: <check-content-ref name="oval:org.fedoraproject.f14:def:20032" href="scap-fedora14-oval.xml"/>
1597: </check>
1598: </Rule>
1599: <Rule id="rule-2.2.2.4.g" selected="false" weight="10.000000">
1600: <title xml:lang="en">Disable Mounting of udf</title>
1601: <description xml:lang="en">udf is an uncommon filesystem</description>
1602: <fix>echo "blacklist udf" >> /etc/modprobe.d/blacklist.conf</fix>
1603: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1604: <check-content-ref name="oval:org.fedoraproject.f14:def:20033" href="scap-fedora14-oval.xml"/>
1605: </check>
1606: </Rule>
1607: </Group>
1608: </Group>
1609: <Group id="group-2.2.3" hidden="false">
1610: <title xml:lang="en">Verify Permissions on Important Files and Directories</title>
1611: <description xml:lang="en">
1612: Permissions for many files on a system should be set to conform
1613: to system policy. This section discusses important permission restrictions which
1614: should be checked on a regular basis to ensure that no harmful discrepancies have arisen.
1615: </description>
1616: <Group id="group-2.2.3.1" hidden="false">
1617: <title xml:lang="en">Verify Permissions on passwd, shadow, group and gshadow Files</title>
1618: <description xml:lang="en">
1619: These are the default permissions for these files. Many
1620: utilities need read access to the passwd file in order to function properly, but read
1621: access to the shadow file enables attacks against system passwords and should
1622: never be granted.</description>
1623: <Value id="var-2.2.3.1.i" operator="equals" type="string">
1624: <title xml:lang="en">Permissions for shadow</title>
1625: <description xml:lang="en">File permissions for /etc/shadow</description>
1626: <question xml:lang="en">Select permissions for /etc/shadow</question>
1627: <value>000000000</value>
1628: <value selector="000">000000000</value>
1629: <value selector="400">100000000</value>
1630: <value selector="644">110100100</value>
1631: <match>^[10]+$</match>
1632: </Value>
1633: <Value id="var-2.2.3.1.j" operator="equals" type="string">
1634: <title xml:lang="en">Permissions for group</title>
1635: <description xml:lang="en">File permissions for /etc/group</description>
1636: <question xml:lang="en">Select permissions for /etc/group</question>
1637: <value>110100100</value>
1638: <value selector="400">100000000</value>
1639: <value selector="644">110100100</value>
1640: <value selector="700">111000000</value>
1641: <match>^[10]+$</match>
1642: </Value>
1643: <Value id="var-2.2.3.1.k" operator="equals" type="string">
1644: <title xml:lang="en">Permissions for gshadow</title>
1645: <description xml:lang="en">File permissions for /etc/gshadow</description>
1646: <question xml:lang="en">Select permissions for /etc/gshadow</question>
1647: <value>000000000</value>
1648: <value selector="000">000000000</value>
1649: <value selector="400">100000000</value>
1650: <value selector="644">110100100</value>
1651: <match>^[10]+$</match>
1652: </Value>
1653: <Value id="var-2.2.3.1.l" operator="equals" type="string">
1654: <title xml:lang="en">Permissions for passwd</title>
1655: <description xml:lang="en">File permissions for /etc/passwd</description>
1656: <question xml:lang="en">Select permissions for /etc/passwd</question>
1657: <value>110100100</value>
1658: <value selector="400">100000000</value>
1659: <value selector="644">110100100</value>
1660: <value selector="700">111000000</value>
1661: <match>^[10]+$</match>
1662: </Value>
1663: <Rule id="rule-2.2.3.1.a" selected="false" weight="10.000000" severity="medium">
1664: <title xml:lang="en">Verify user who owns 'shadow' file</title>
1665: <description xml:lang="en">The /etc/shadow file should be owned by root.</description>
1666: <ident system="http://cce.mitre.org">CCE-3918-0</ident>
1667: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1668: <check-content-ref name="oval:org.fedoraproject.f14:def:20034" href="scap-fedora14-oval.xml"/>
1669: </check>
1670: </Rule>
1671: <Rule id="rule-2.2.3.1.b" selected="false" weight="10.000000" severity="medium">
1672: <title xml:lang="en">Verify group who owns 'shadow' file</title>
1673: <description xml:lang="en">The /etc/shadow file should have root as its group owner.</description>
1674: <ident system="http://cce.mitre.org">CCE-3988-3</ident>
1675: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1676: <check-content-ref name="oval:org.fedoraproject.f14:def:20035" href="scap-fedora14-oval.xml"/>
1677: </check>
1678: </Rule>
1679: <Rule id="rule-2.2.3.1.c" selected="false" weight="10.000000" severity="medium">
1680: <title xml:lang="en">Verify user who owns 'group' file</title>
1681: <description xml:lang="en">The /etc/group file should be owned by root.</description>
1682: <ident system="http://cce.mitre.org">CCE-3276-3</ident>
1683: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1684: <check-content-ref name="oval:org.fedoraproject.f14:def:20036" href="scap-fedora14-oval.xml"/>
1685: </check>
1686: </Rule>
1687: <Rule id="rule-2.2.3.1.d" selected="false" weight="10.000000" severity="medium">
1688: <title xml:lang="en">Verify group who owns 'group' file</title>
1689: <description xml:lang="en">The /etc/group file should have root as its group owner.</description>
1690: <ident system="http://cce.mitre.org">CCE-3883-6</ident>
1691: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1692: <check-content-ref name="oval:org.fedoraproject.f14:def:20037" href="scap-fedora14-oval.xml"/>
1693: </check>
1694: </Rule>
1695: <Rule id="rule-2.2.3.1.e" selected="false" weight="10.000000" severity="medium">
1696: <title xml:lang="en">Verify user who owns 'gshadow' file</title>
1697: <description xml:lang="en">The /etc/gshadow file should be owned by root.</description>
1698: <ident system="http://cce.mitre.org">CCE-4210-1</ident>
1699: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1700: <check-content-ref name="oval:org.fedoraproject.f14:def:20038" href="scap-fedora14-oval.xml"/>
1701: </check>
1702: </Rule>
1703: <Rule id="rule-2.2.3.1.f" selected="false" weight="10.000000" severity="medium">
1704: <title xml:lang="en">Verify group who owns 'gshadow' file</title>
1705: <description xml:lang="en">The /etc/gshadow file should have root as its group owner.</description>
1706: <ident system="http://cce.mitre.org">CCE-4064-2</ident>
1707: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1708: <check-content-ref name="oval:org.fedoraproject.f14:def:20039" href="scap-fedora14-oval.xml"/>
1709: </check>
1710: </Rule>
1711: <Rule id="rule-2.2.3.1.g" selected="false" weight="10.000000" severity="medium">
1712: <title xml:lang="en">Verify user who owns 'passwd' file</title>
1713: <description xml:lang="en">The /etc/passwd file should be owned by root.</description>
1714: <ident system="http://cce.mitre.org">CCE-3958-6</ident>
1715: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1716: <check-content-ref name="oval:org.fedoraproject.f14:def:20040" href="scap-fedora14-oval.xml"/>
1717: </check>
1718: </Rule>
1719: <Rule id="rule-2.2.3.1.h" selected="false" weight="10.000000" severity="medium">
1720: <title xml:lang="en">Verify group who owns 'passwd' file</title>
1721: <description xml:lang="en">The /etc/passwd file should have root as its group owner.</description>
1722: <ident system="http://cce.mitre.org">CCE-3495-9</ident>
1723: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1724: <check-content-ref name="oval:org.fedoraproject.f14:def:20041" href="scap-fedora14-oval.xml"/>
1725: </check>
1726: </Rule>
1727: <Rule id="rule-2.2.3.1.i" selected="false" weight="10.000000" severity="medium">
1728: <title xml:lang="en">Verify permissions on 'shadow' file</title>
1729: <description xml:lang="en">File permissions for /etc/shadow should be set correctly.</description>
1730: <ident system="http://cce.mitre.org">CCE-4130-1</ident>
1731: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1732: <check-export export-name="oval:org.fedoraproject.f14:var:20042" value-id="var-2.2.3.1.i"/>
1733: <check-content-ref name="oval:org.fedoraproject.f14:def:20042" href="scap-fedora14-oval.xml"/>
1734: </check>
1735: </Rule>
1736: <Rule id="rule-2.2.3.1.j" selected="false" weight="10.000000" severity="medium">
1737: <title xml:lang="en">Verify permissions on 'group' file</title>
1738: <description xml:lang="en">File permissions for /etc/group should be set correctly.</description>
1739: <ident system="http://cce.mitre.org">CCE-3967-7</ident>
1740: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1741: <check-export export-name="oval:org.fedoraproject.f14:var:20043" value-id="var-2.2.3.1.j"/>
1742: <check-content-ref name="oval:org.fedoraproject.f14:def:20043" href="scap-fedora14-oval.xml"/>
1743: </check>
1744: </Rule>
1745: <Rule id="rule-2.2.3.1.k" selected="false" weight="10.000000" severity="medium">
1746: <title xml:lang="en">Verify permissions on 'gshadow' file</title>
1747: <description xml:lang="en">File permissions for /etc/gshadow should be set correctly.</description>
1748: <ident system="http://cce.mitre.org">CCE-3932-1</ident>
1749: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1750: <check-export export-name="oval:org.fedoraproject.f14:var:20044" value-id="var-2.2.3.1.k"/>
1751: <check-content-ref name="oval:org.fedoraproject.f14:def:20044" href="scap-fedora14-oval.xml"/>
1752: </check>
1753: </Rule>
1754: <Rule id="rule-2.2.3.1.l" selected="false" weight="10.000000" severity="medium">
1755: <title xml:lang="en">Verify permissions on 'passwd' file</title>
1756: <description xml:lang="en">File permissions for /etc/passwd should be set correctly.</description>
1757: <ident system="http://cce.mitre.org">CCE-3566-7</ident>
1758: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1759: <check-export export-name="oval:org.fedoraproject.f14:var:20045" value-id="var-2.2.3.1.l"/>
1760: <check-content-ref name="oval:org.fedoraproject.f14:def:20045" href="scap-fedora14-oval.xml"/>
1761: </check>
1762: </Rule>
1763: </Group>
1764: <Group id="group-2.2.3.2" hidden="false">
1765: <title xml:lang="en">Verify that All World-Writable Directories Have Sticky Bits Set</title>
1766: <description xml:lang="en">
1767: When the so-called 'sticky bit' is set on a directory, only the
1768: owner of a given file may remove that file from the directory. Without the sticky bit,
1769: any user with write access to a directory may remove any file in the directory. Setting
1770: the sticky bit prevents users from removing each other's files. In cases where there is
1771: no reason for a directory to be world-writable, a better solution is to remove that
1772: permission rather than to set the sticky bit. However, if a directory is used by a
1773: particular application, consult that application's documentation instead of blindly
1774: changing modes.</description>
1775: <Rule id="rule-2.2.3.2.a" selected="false" weight="10.000000" severity="low">
1776: <title xml:lang="en">Verify that All World-Writable Directories Have Sticky Bits Set</title>
1777: <description xml:lang="en">The sticky bit should be set for all world-writable directories.</description>
1778: <ident system="http://cce.mitre.org">CCE-3399-3</ident>
1779: <fixtext xml:lang="en">Locate any directories in local partitions which are world-writable and do not have
1780: their sticky bits set. The following command will discover and print these. Run it
1781: once for each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1782: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d \( -perm -0002 -a !
1783: -perm -1000 \) -print </xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1784: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1785: If this command produces any output, fix each reported directory
1786: /dir using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1787: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1788: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod +t /dir</xhtml:code></fixtext>
1789: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1790: <check-content-ref name="oval:org.fedoraproject.f14:def:20046" href="scap-fedora14-oval.xml"/>
1791: </check>
1792: </Rule>
1793: </Group>
1794: <Group id="group-2.2.3.3" hidden="false">
1795: <title xml:lang="en">Find Unauthorized World-Writable Files</title>
1796: <description xml:lang="en">
1797: Data in world-writable files can be modified by any user on the
1798: system. In almost all circumstances, files can be configured using a combination of user
1799: and group permissions to support whatever legitimate access is needed without the risk
1800: caused by world-writable files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1801: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1802: It is generally a good idea to
1803: remove global (other) write access to a file when it is discovered. However, check with
1804: documentation for specific applications before making changes. Also, monitor for
1805: recurring world-writable files, as these may be symptoms of a misconfigured application
1806: or user account.
1807: </description>
1808: <Rule id="rule-2.2.3.3.a" selected="false" weight="10.000000" severity="medium">
1809: <title xml:lang="en">Find Unauthorized World-Writable Files</title>
1810: <description xml:lang="en">The world-write permission should be disabled for all files.</description>
1811: <ident system="http://cce.mitre.org">CCE-3795-2</ident>
1812: <fixtext xml:lang="en">The following command discovers any world-writable files in local
1813: partitions and removes their world-write permission. Run it once for each local partition PART. Note that the file list is passed to xargs through a plain -print, so file names containing whitespace or newlines are not handled safely; review the candidates first, or use find's -exec form instead: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1814: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1815: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">find PART -xdev -type f -perm -0002 -print | xargs chmod o-w</xhtml:code></fixtext>
1816: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
1817: <check-content-ref name="oval:org.fedoraproject.f14:def:20047" href="scap-fedora14-oval.xml"/>
1818: </check>
1819: </Rule>
1820: </Group>
1821: <Group id="group-2.2.3.4" hidden="false">
1822: <title xml:lang="en">Find Unauthorized SUID/SGID System Executables</title>
1823: <description xml:lang="en">
1824: The following command discovers and prints any setuid or setgid
1825: files on every mounted ext2, ext3 or ext4 partition: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1826: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1827: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> # for PART in `mount -t ext2,ext3,ext4 | awk '{print $3}'`;
1828: do find $PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print;
1829: done </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1830: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1831: If the file does not require a setuid or
1832: setgid bit as discussed below, then these bits can be removed with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1833: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1834: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> # chmod -s file </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1835: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1836: The following table contains all setuid and setgid files which are expected to
1837: be on a stock system. The setuid or setgid bit on these files may be disabled to reduce
1838: system risk if only an administrator requires their functionality. The table indicates
1839: those files which may not be needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1840: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1841: Note: Several of these files are used for applications which are unlikely to be
1842: relevant to most production environments, such as ISDN networking, SSH hostbased
1843: authentication, or modification of network interfaces by unprivileged users. It is
1844: extremely likely that your site can disable a subset of these files with no loss of
1845: functionality. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1846: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1847: Any files found by the above command which are not in the table should be examined.
1848: If the files are not authorized, their setuid or setgid bits should be removed, and further
1849: investigation may be warranted.
1850: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
1851: <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
1852: <xhtml:tr>
1853: <xhtml:td>File</xhtml:td><xhtml:td>Set-ID</xhtml:td><xhtml:td>Package</xhtml:td>
1854: </xhtml:tr>
1855: <xhtml:tr>
1856: <xhtml:td>/bin/mount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
1857: </xhtml:tr>
1858: <xhtml:tr>
1859: <xhtml:td>/bin/ping</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>iputils</xhtml:td>
1860: </xhtml:tr>
1861: <xhtml:tr>
1862: <xhtml:td>/bin/ping6</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>iputils</xhtml:td>
1863: </xhtml:tr>
1864: <xhtml:tr>
1865: <xhtml:td>/bin/su</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>coreutils</xhtml:td>
1866: </xhtml:tr>
1867: <xhtml:tr>
1868: <xhtml:td>/bin/umount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
1869: </xhtml:tr>
1870: <xhtml:tr>
1871: <xhtml:td>/bin/fusermount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>fuse</xhtml:td>
1872: </xhtml:tr>
1873: <xhtml:tr>
1874: <xhtml:td>/bin/cgexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>libcgroup</xhtml:td>
1875: </xhtml:tr>
1876: <xhtml:tr>
1877: <xhtml:td>/sbin/mount.nfs</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nfs-utils</xhtml:td>
1878: </xhtml:tr>
1879: <xhtml:tr>
1880: <xhtml:td>/sbin/umount.nfs</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nfs-utils</xhtml:td>
1881: </xhtml:tr>
1882: <xhtml:tr>
1883: <xhtml:td>/sbin/netreport</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>initscripts</xhtml:td>
1884: </xhtml:tr>
1885: <xhtml:tr>
1886: <xhtml:td>/sbin/pam_timestamp_check</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam</xhtml:td>
1887: </xhtml:tr>
1888: <xhtml:tr>
1889: <xhtml:td>/sbin/unix_chkpwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam</xhtml:td>
1890: </xhtml:tr>
1891: <xhtml:tr>
1892: <xhtml:td>/usr/bin/at</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>at</xhtml:td>
1893: </xhtml:tr>
1894: <xhtml:tr>
1895: <xhtml:td>/usr/bin/chage</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td>
1896: </xhtml:tr>
1897: <xhtml:tr>
1898: <xhtml:td>/usr/bin/chfn</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
1899: </xhtml:tr>
1900: <xhtml:tr>
1901: <xhtml:td>/usr/bin/chsh</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
1902: </xhtml:tr>
1903: <xhtml:tr>
1904: <xhtml:td>/usr/bin/crontab</xhtml:td><xhtml:td>uid/gid root</xhtml:td><xhtml:td>cronie</xhtml:td>
1905: </xhtml:tr>
1906: <xhtml:tr>
1907: <xhtml:td>/usr/bin/gpasswd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td>
1908: </xhtml:tr>
1909: <xhtml:tr>
1910: <xhtml:td>/usr/bin/locate</xhtml:td><xhtml:td>gid slocate</xhtml:td><xhtml:td>mlocate</xhtml:td>
1911: </xhtml:tr>
1912: <xhtml:tr>
1913: <xhtml:td>/usr/bin/lockfile</xhtml:td><xhtml:td>gid mail</xhtml:td><xhtml:td>procmail</xhtml:td>
1914: </xhtml:tr>
1915: <xhtml:tr>
1916: <xhtml:td>/usr/bin/gnomine</xhtml:td><xhtml:td>gid games</xhtml:td><xhtml:td>gnome-games</xhtml:td>
1917: </xhtml:tr>
1918: <xhtml:tr>
1919: <xhtml:td>/usr/bin/iagno</xhtml:td><xhtml:td>gid games</xhtml:td><xhtml:td>gnome-games</xhtml:td>
1920: </xhtml:tr>
1921: <xhtml:tr>
1922: <xhtml:td>/usr/bin/newgrp</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td>
1923: </xhtml:tr>
1924: <xhtml:tr>
1925: <xhtml:td>/usr/bin/passwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>passwd</xhtml:td>
1926: </xhtml:tr>
1927: <xhtml:tr>
1928: <xhtml:td>/usr/bin/pkexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>polkit</xhtml:td>
1929: </xhtml:tr>
1930: <xhtml:tr>
1931: <xhtml:td>/usr/bin/rcp</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td>
1932: </xhtml:tr>
1933: <xhtml:tr>
1934: <xhtml:td>/usr/bin/rlogin</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td>
1935: </xhtml:tr>
1936: <xhtml:tr>
1937: <xhtml:td>/usr/bin/rsh</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td>
1938: </xhtml:tr>
1939: <xhtml:tr>
1940: <xhtml:td>/usr/bin/staprun</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>systemtap-runtime</xhtml:td>
1941: </xhtml:tr>
1942: <xhtml:tr>
1943: <xhtml:td>/usr/bin/ssh-agent</xhtml:td><xhtml:td>gid nobody</xhtml:td><xhtml:td>openssh-clients</xhtml:td>
1944: </xhtml:tr>
1945: <xhtml:tr>
1946: <xhtml:td>/usr/bin/sudo</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>sudo</xhtml:td>
1947: </xhtml:tr>
1948: <xhtml:tr>
1949: <xhtml:td>/usr/bin/sudoedit</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>sudo</xhtml:td>
1950: </xhtml:tr>
1951: <xhtml:tr>
1952: <xhtml:td>/usr/bin/wall</xhtml:td><xhtml:td>gid tty</xhtml:td><xhtml:td>sysvinit-tools</xhtml:td>
1953: </xhtml:tr>
1954: <xhtml:tr>
1955: <xhtml:td>/usr/bin/write</xhtml:td><xhtml:td>gid tty</xhtml:td><xhtml:td>util-linux-ng</xhtml:td>
1956: </xhtml:tr>
1957: <xhtml:tr>
1958: <xhtml:td>/usr/bin/screen</xhtml:td><xhtml:td>gid screen</xhtml:td><xhtml:td>screen</xhtml:td>
1959: </xhtml:tr>
1960: <xhtml:tr>
1961: <xhtml:td>/usr/bin/jwhois</xhtml:td><xhtml:td>gid jwhois</xhtml:td><xhtml:td>jwhois</xhtml:td>
1962: </xhtml:tr>
1963: <xhtml:tr>
1964: <xhtml:td>/usr/bin/Xorg</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>xorg-x11-server-Xorg</xhtml:td>
1965: </xhtml:tr>
1966: <xhtml:tr>
1967: <xhtml:td>/usr/bin/ksu</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>krb5-workstation</xhtml:td>
1968: </xhtml:tr>
1969: <xhtml:tr>
1970: <xhtml:td>/usr/sbin/lockdev</xhtml:td><xhtml:td>gid lock</xhtml:td><xhtml:td>lockdev</xhtml:td>
1971: </xhtml:tr>
1972: <xhtml:tr>
1973: <xhtml:td>/usr/sbin/sendmail.sendmail</xhtml:td><xhtml:td>gid smmsp</xhtml:td><xhtml:td>sendmail</xhtml:td>
1974: </xhtml:tr>
1975: <xhtml:tr>
1976: <xhtml:td>/usr/sbin/suexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>httpd</xhtml:td>
1977: </xhtml:tr>
1978: <xhtml:tr>
1979: <xhtml:td>/usr/sbin/seunshare</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>policycoreutils</xhtml:td>
1980: </xhtml:tr>
1981: <xhtml:tr>
1982: <xhtml:td>/usr/sbin/userhelper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>usermode</xhtml:td>
1983: </xhtml:tr>
1984: <xhtml:tr>
1985: <xhtml:td>/usr/sbin/userisdnctl</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>isdn4k-utils</xhtml:td>
1986: </xhtml:tr>
1987: <xhtml:tr>
1988: <xhtml:td>/usr/sbin/mtr</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>mtr</xhtml:td>
1989: </xhtml:tr>
1990: <xhtml:tr>
1991: <xhtml:td>/usr/sbin/usernetctl</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>initscripts</xhtml:td>
1992: </xhtml:tr>
1993: <xhtml:tr>
1994: <xhtml:td>/usr/sbin/ccreds_chkpwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam_ccreds</xhtml:td>
1995: </xhtml:tr>
1996: <xhtml:tr>
1997: <xhtml:td>/usr/libexec/openssh/ssh-keysign</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>ssh</xhtml:td>
1998: </xhtml:tr>
1999: <xhtml:tr>
2000: <xhtml:td>/usr/libexec/kde4/kpac_dhcp_helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>kdelibs</xhtml:td>
2001: </xhtml:tr>
2002: <xhtml:tr>
2003: <xhtml:td>/usr/libexec/polkit-1/polkit-agent-helper-1</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>polkit</xhtml:td>
2004: </xhtml:tr>
2005: <xhtml:tr>
2006: <xhtml:td>/usr/libexec/pt_chown</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>glibc-common</xhtml:td>
2007: </xhtml:tr>
2008: <xhtml:tr>
2009: <xhtml:td>/usr/libexec/pulse/proximity-helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pulseaudio-module-bluetooth</xhtml:td>
2010: </xhtml:tr>
2011: <xhtml:tr>
2012: <xhtml:td>/usr/libexec/news/innbind</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>inn</xhtml:td>
2013: </xhtml:tr>
2014: <xhtml:tr>
2015: <xhtml:td>/usr/libexec/news/rnews</xhtml:td><xhtml:td>uid uucp</xhtml:td><xhtml:td>inn</xhtml:td>
2016: </xhtml:tr>
2017: <xhtml:tr>
2018: <xhtml:td>/usr/libexec/utempter/utempter</xhtml:td><xhtml:td>gid utmp</xhtml:td><xhtml:td>libutempter</xhtml:td>
2019: </xhtml:tr>
2020: <xhtml:tr>
2021: <xhtml:td>/usr/lib/nspluginwrapper/plugin-config</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nspluginwrapper</xhtml:td>
2022: </xhtml:tr>
2023: <xhtml:tr>
2024: <xhtml:td>/usr/lib/vte/gnome-pty-helper</xhtml:td><xhtml:td>gid utmp</xhtml:td><xhtml:td>vte</xhtml:td>
2025: </xhtml:tr>
2026: <xhtml:tr>
2027: <xhtml:td>/usr/share/BackupPC/sbin/BackupPC_Admin</xhtml:td><xhtml:td>uid backuppc</xhtml:td><xhtml:td>BackupPC</xhtml:td>
2028: </xhtml:tr>
2029: <xhtml:tr>
2030: <xhtml:td>/var/cache/jwhois/jwhois.db</xhtml:td><xhtml:td>gid jwhois</xhtml:td><xhtml:td>jwhois</xhtml:td>
2031: </xhtml:tr>
2032: <xhtml:tr>
2033: <xhtml:td>/lib/dbus-1/dbus-daemon-launch-helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>dbus</xhtml:td>
2034: </xhtml:tr>
2035: </xhtml:table>
2036: </description>
2037: <Rule id="rule-2.2.3.4.a" selected="false" weight="10.000000" severity="medium">
2038: <title xml:lang="en">Find Unauthorized SGID System Executables</title>
2039: <description xml:lang="en">The sgid bit should not be set on any file that is not authorized to carry it.</description>
2040: <ident system="http://cce.mitre.org">CCE-4178-0</ident>
2041: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2042: <check-content-ref name="oval:org.fedoraproject.f14:def:20048" href="scap-fedora14-oval.xml"/>
2043: </check>
2044: </Rule>
2045: <Rule id="rule-2.2.3.4.b" selected="false" weight="10.000000" severity="high">
2046: <title xml:lang="en">Find Unauthorized SUID System Executables</title>
2047: <description xml:lang="en">The suid bit should not be set on any file that is not authorized to carry it.</description>
2048: <ident system="http://cce.mitre.org">CCE-3324-1</ident>
2049: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2050: <check-content-ref name="oval:org.fedoraproject.f14:def:20049" href="scap-fedora14-oval.xml"/>
2051: </check>
2052: </Rule>
2053: </Group>
2054: <Group id="group-2.2.3.5" hidden="false">
2055: <title xml:lang="en">Find and Repair Unowned Files</title>
2056: <description xml:lang="en">
2057: The following command will discover and print any files on
2058: local partitions which do not belong to a valid user and a valid group. Run it once for
2059: each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2060: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2061: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev \( -nouser -o -nogroup \) -print </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2062: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2063: If this command prints any results, investigate each reported file and either assign it to an
2064: appropriate user and group or remove it. Unowned files are not directly exploitable, but
2065: they are generally a sign that something is wrong with some system process. They may be
2066: caused by an intruder, by incorrect software installation or incomplete software
2067: removal, or by failure to remove all files belonging to a deleted account. The files
2068: should be repaired so that they will not cause problems when accounts are created in the
2069: future, and the problem which led to unowned files should be discovered and addressed.</description>
2070: <Rule id="rule-2.2.3.5.a" selected="false" weight="10.000000" severity="medium">
2071: <title xml:lang="en">Find files unowned by a user</title>
2072: <description xml:lang="en">All files should be owned by a user</description>
2073: <ident system="http://cce.mitre.org">CCE-4223-4</ident>
2074: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2075: <check-content-ref name="oval:org.fedoraproject.f14:def:20050" href="scap-fedora14-oval.xml"/>
2076: </check>
2077: </Rule>
2078: <Rule id="rule-2.2.3.5.b" selected="false" weight="10.000000" severity="medium">
2079: <title xml:lang="en">Find files unowned by a group</title>
2080: <description xml:lang="en">All files should be owned by a group</description>
2081: <ident system="http://cce.mitre.org">CCE-3573-3</ident>
2082: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2083: <check-content-ref name="oval:org.fedoraproject.f14:def:20051" href="scap-fedora14-oval.xml"/>
2084: </check>
2085: </Rule>
2086: </Group>
2087: <Group id="group-2.2.3.6" hidden="false">
2088: <title xml:lang="en">Verify that All World-Writable Directories Have Proper Ownership</title>
2089: <description xml:lang="en">
2090: Locate any directories in local partitions which are world-writable and
2091: ensure that they are owned by root or another system account. The following command will discover
2092: and print these (assuming only system accounts have a uid lower than 500; note that -uid +500 matches UIDs strictly greater than 500, so a directory owned by UID 500 itself is not reported). Run it once for each
2093: local partition PART:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2094: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2095: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d -perm -0002 -uid +500 -print<xhtml:br/></xhtml:code>
2096: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2097: If this command produces any output, investigate why the current owner is not root or another
2098: system account.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2099: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2100: Allowing a user account to own a world-writable directory is undesirable because it allows the
2101: owner of that directory to remove or replace any files that may be placed in the directory by
2102: other users.</description>
2103: <Rule id="rule-2.2.3.6.a" selected="false" weight="10.000000" severity="medium">
2104: <title xml:lang="en">Find world writable directories not owned by a system account</title>
2105: <description xml:lang="en">All world writable directories should be owned by a system user</description>
2106: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2107: <check-content-ref name="oval:org.fedoraproject.f14:def:20052" href="scap-fedora14-oval.xml"/>
2108: </check>
2109: </Rule>
2110: </Group>
2111: </Group>
2112: <Group id="group-2.2.4" hidden="false">
2113: <title xml:lang="en">Restrict Programs from Dangerous Execution Patterns</title>
2114: <description xml:lang="en">
2115: The recommendations in this section provide broad protection
2116: against information disclosure or other misbehavior. These protections are applied at the
2117: system initialization or kernel level, and defend against certain types of
2118: badly-configured or compromised programs.</description>
2119: <Group id="group-2.2.4.1" hidden="false">
2120: <title xml:lang="en">Set Daemon umask</title>
2121: <description xml:lang="en">
2122: The system umask for scripts in /etc/init.d must be set to at least 022, or daemon
2123: processes may create world-writable files. The more restrictive setting
2124: 027 protects files, including temporary files and log files, from unauthorized reading
2125: by unprivileged users on the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2126: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2127: If a particular daemon needs a
2128: less restrictive umask, consider editing the startup script or sysconfig file of that
2129: daemon to make a specific exception.
2130: </description>
2131: <Value id="var-2.2.4.1.a" operator="equals" type="string">
2132: <title xml:lang="en">daemon umask</title>
2133: <description xml:lang="en">Enter umask for daemons</description>
2134: <question xml:lang="en">Enter umask which will be used for new files created by daemons</question>
2135: <value>022</value>
2136: <value selector="022">022</value>
2137: <value selector="027">027</value>
2138: <match>^0?[0-7][0-7][0-7]?$</match>
2139: </Value>
2140: <Rule id="rule-2.2.4.1.a" selected="false" weight="10.000000" severity="medium">
2141: <title xml:lang="en">Set Daemon umask</title>
2142: <description xml:lang="en">The daemon umask should be set to profile value</description>
2143: <ident system="http://cce.mitre.org">CCE-4220-0</ident>
2144: <fixtext xml:lang="en">Edit the file /etc/rc.d/init.d/functions, and add or correct the following line: umask
2145: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.2.4.1.a"/></fixtext>
2146: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2147: <check-export export-name="oval:org.fedoraproject.f14:var:20053" value-id="var-2.2.4.1.a"/>
2148: <check-content-ref name="oval:org.fedoraproject.f14:def:20053" href="scap-fedora14-oval.xml"/>
2149: </check>
2150: </Rule>
2151: </Group>
2152: <Group id="group-2.2.4.2" hidden="false">
2153: <title xml:lang="en">Disable Core Dumps</title>
2154: <description xml:lang="en">
2155: A core dump file is the memory image of an executable program
2156: when it was terminated by the operating system due to errant behavior. In most cases,
2157: only software developers would legitimately need to access these files. The core dump
2158: files may also contain sensitive information, or unnecessarily occupy large amounts of
2159: disk space. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2160: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2161: By default, the system sets a soft limit to stop the
2162: creation of core dump files for all users. This is accomplished in /etc/profile with the
2163: line: ulimit -S -c 0 > /dev/null 2>&1 However, compliance with this
2164: limit is voluntary; it is a default intended only to protect users from the annoyance of
2165: generating unwanted core files. Users can increase the allowed core file size up to the
2166: hard limit, which is unlimited by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2167: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2168: Once a hard limit is set
2169: in /etc/security/limits.conf, the user cannot increase that limit within his own
2170: session. If access to core dumps is required, consider restricting them to only certain
2171: users or groups. See the limits.conf man page for more
2172: information. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2173: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2174: The core dumps of setuid programs are further
2175: protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core
2176: dumps from these programs at all. The default value of 0 is recommended.
2177: </description>
2178: <Rule id="rule-2.2.4.2.a" selected="false" weight="10.000000" severity="low">
2179: <title xml:lang="en">Disable Core Dumps for all users</title>
2180: <description xml:lang="en">Core dumps for all users should be disabled</description>
2181: <ident system="http://cce.mitre.org">CCE-4225-9</ident>
2182: <fixtext xml:lang="en">To disable core dumps for all users, add or correct the following line in
2183: /etc/security/limits.conf: * hard core 0</fixtext>
2184: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2185: <check-content-ref name="oval:org.fedoraproject.f14:def:20055" href="scap-fedora14-oval.xml"/>
2186: </check>
2187: </Rule>
2188: <Rule id="rule-2.2.4.2.b" selected="false" weight="10.000000" severity="low">
2189: <title xml:lang="en">Disable Core Dumps for SUID programs</title>
2190: <description xml:lang="en">Core dumps for setuid programs should be disabled</description>
2191: <ident system="http://cce.mitre.org">CCE-4247-3</ident>
2192: <fixtext xml:lang="en">To ensure that core dumps can never be made by setuid programs, edit
2193: /etc/sysctl.conf and add or correct the line: fs.suid_dumpable = 0</fixtext>
2194: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2195: <check-content-ref name="oval:org.fedoraproject.f14:def:20056" href="scap-fedora14-oval.xml"/>
2196: </check>
2197: </Rule>
2198: </Group>
2199: <Group id="group-2.2.4.3" hidden="false">
2200: <title xml:lang="en">Enable ExecShield</title>
2201: <description xml:lang="en">
2202: ExecShield comprises a number of kernel features to provide
2203: protection against buffer overflows. These features include random placement of the
2204: stack and other memory regions, prevention of execution in memory that should only hold
2205: data, and special handling of text buffers. This protection is enabled by default, but
2206: the sysctl variables kernel.exec-shield and kernel.randomize_va_space should be checked
2207: to ensure that it has not been disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2208: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2209: ExecShield uses the
2210: segmentation feature on all x86 systems to prevent execution in memory higher than a
2211: certain address. It writes an address as a limit in the code segment descriptor, to
2212: control where code can be executed, on a per-process basis. When the kernel places a
2213: process's memory regions such as the stack and heap higher than this address, the
2214: hardware prevents execution there. However, this cannot always be done for all memory
2215: regions in which execution should not occur, so follow guidance in Section 2.2.4.4 to
2216: further protect the system.
2217: </description>
2218: <Rule id="rule-2.2.4.3.a" selected="false" weight="10.000000">
2219: <title xml:lang="en">Enable ExecShield</title>
2220: <description xml:lang="en">ExecShield should be enabled</description>
2221: <ident system="http://cce.mitre.org">CCE-4168-1</ident>
2222: <fixtext xml:lang="en">To ensure ExecShield (including random placement of virtual memory regions) is
2223: activated at boot, add or correct the following settings in /etc/sysctl.conf:
2224: kernel.exec-shield = 1</fixtext>
2225: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2226: <check-content-ref name="oval:org.fedoraproject.f14:def:20057" href="scap-fedora14-oval.xml"/>
2227: </check>
2228: </Rule>
2229: <Rule id="rule-2.2.4.3.b" selected="false" weight="10.000000">
2230: <title xml:lang="en">Enable ExecShield randomized placement of virtual memory regions</title>
2231: <description xml:lang="en">ExecShield randomized placement of virtual memory regions should be enabled</description>
2232: <ident system="http://cce.mitre.org">CCE-4146-7</ident>
2233: <fixtext xml:lang="en">To ensure ExecShield (including random placement of virtual memory regions) is
2234: activated at boot, add or correct the following settings in /etc/sysctl.conf:
2235: kernel.randomize_va_space = 2</fixtext>
2236: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2237: <check-content-ref name="oval:org.fedoraproject.f14:def:20058" href="scap-fedora14-oval.xml"/>
2238: </check>
2239: </Rule>
2240: </Group>
2241: <Group id="group-2.2.4.4" hidden="false">
2242: <title xml:lang="en">Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems</title>
2243: <description xml:lang="en">
2244: Recent processors in the x86 family support the ability to
2245: prevent code execution on a per memory page basis. Generically and on AMD processors,
2246: this ability is called No Execute (NX), while on Intel processors it is called Execute
2247: Disable (XD). This ability can help prevent exploitation of buffer overflow
2248: vulnerabilities and should be activated whenever possible. Extra steps must be taken to
2249: ensure that this protection is enabled, particularly on 32-bit x86 systems. Other
2250: processors, such as Itanium and POWER, have included such support since inception and
2251: the standard kernel for those platforms supports the feature.</description>
2252: <Group id="group-2.2.4.4.1" hidden="false">
2253: <title xml:lang="en">Check for Processor Support on x86 Systems</title>
2254: <description xml:lang="en">
2255: Check to see if the processor supports the PAE and NX
2256: features: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ cat /proc/cpuinfo</xhtml:code> If supported, the flags field will contain pae and nx.</description>
2257: </Group>
2258: <Group id="group-2.2.4.4.2" hidden="false">
2259: <title xml:lang="en">Enable NX or XD Support in the BIOS</title>
2260: <description xml:lang="en">
2261: Computers with the ability to prevent this type of code
2262: execution frequently put an option in the BIOS that will allow users to turn the
2263: feature on or off at will. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2264: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2265: See Section 2.3.5.1 for information on protecting this and
2266: other BIOS settings.</description>
2267: <Rule id="rule-2.2.4.4.2.a" selected="false" weight="10.000000">
2268: <title xml:lang="en">Enable NX or XD Support in the BIOS</title>
2269: <description xml:lang="en">The XD/NX processor feature should be enabled in the BIOS</description>
2270: <ident system="http://cce.mitre.org">CCE-4177-2</ident>
2271: <fixtext xml:lang="en">Reboot the system and enter the BIOS or 'Setup' configuration menu. Navigate the
2272: BIOS configuration menu and make sure that the option is enabled. The setting may be
2273: located under a 'Security' section. Look for Execute Disable (XD) on Intel-based
2274: systems and No Execute (NX) on AMD-based systems.</fixtext>
2275: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2276: <check-content-ref name="oval:org.fedoraproject.f14:def:20060" href="scap-fedora14-oval.xml"/>
2277: </check>
2278: </Rule>
2279: </Group>
2280: </Group>
2281: </Group>
2282: </Group>
2283: <Group id="group-2.3" hidden="false">
2284: <title xml:lang="en">Account and Access Control</title>
2285: <description xml:lang="en">
2286: In traditional Unix security, if an attacker gains shell access to
2287: a certain login account, he can perform any action or access any file to which that account
2288: has access. Therefore, making it more difficult for unauthorized people to gain shell access
2289: to accounts, particularly to privileged accounts, is a necessary part of securing a system.
2290: This section introduces mechanisms for restricting access to login accounts.</description>
2291: <Group id="group-2.3.1" hidden="false">
2292: <title xml:lang="en">Protect Accounts by Restricting Password-Based Login</title>
2293: <description xml:lang="en">
2294: Conventionally, Unix shell accounts are accessed by providing a
2295: username and password to a login program, which tests these values for correctness using
2296: the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of
2297: weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered
2298: over a network or at an insecure console. Therefore, mechanisms for accessing accounts by
2299: entering usernames and passwords should be restricted to those which are operationally
2300: necessary.</description>
2301: <Group id="group-2.3.1.1" hidden="false">
2302: <title xml:lang="en">Restrict Root Logins to System Console</title>
2303: <description xml:lang="en">
2304: Edit the file /etc/securetty. Ensure that the file contains
2305: only the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2306: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
2307: <xhtml:li>The primary system console device: <xhtml:br/>console</xhtml:li>
2308: <xhtml:li>The virtual console devices: <xhtml:br/>tty1 tty2 tty3 tty4 tty5
2309: tty6 ... </xhtml:li>
2310: <xhtml:li>If required by your organization, the deprecated virtual console interface
2311: may be retained for backwards compatibility:<xhtml:br/>vc/1 vc/2 vc/3 vc/4 vc/5
2312: vc/6 ...</xhtml:li>
2313: <xhtml:li>If required by your organization, the serial consoles may be added:<xhtml:br/>
2314: ttyS0 ttyS1</xhtml:li>
2315: </xhtml:ul>
2316: Direct root logins should be allowed only for
2317: emergency use. In normal situations, the administrator should access the system via a
2318: unique unprivileged account, and use su or sudo to execute privileged commands.
2319: Discouraging administrators from accessing the root account directly ensures an audit
2320: trail in organizations with multiple administrators. Locking down the channels through
2321: which root can connect directly reduces opportunities for password-guessing against the
2322: root account. The login program uses the file /etc/securetty to determine which
2323: interfaces should allow root logins. The virtual devices /dev/console and /dev/tty*
2324: represent the system consoles (accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6
2325: keyboard sequences on a default installation). The default securetty file also contains
2326: /dev/vc/*. These are likely to be deprecated in most environments, but may be retained
2327: for compatibility. Root should also be prohibited from connecting via network protocols.
2328: See Section 3.5 for instructions on preventing root from logging in via SSH.</description>
2329: <Rule id="rule-2.3.1.1.a" selected="false" weight="10.000000" severity="medium">
2330: <title xml:lang="en">Restrict Root Logins to System Console</title>
2331: <description xml:lang="en">Logins through the specified virtual console interface should be disabled
2332: </description>
2333: <ident system="http://cce.mitre.org">CCE-3820-8</ident>
2334: <fixtext xml:lang="en">Edit /etc/securetty</fixtext>
2335: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2336: <check-content-ref name="oval:org.fedoraproject.f14:def:20061" href="scap-fedora14-oval.xml"/>
2337: </check>
2338: </Rule>
2339: <Rule id="rule-2.3.1.1.b" selected="false" weight="10.000000" severity="medium">
2340: <title xml:lang="en">Restrict Root Logins to System Console</title>
2341: <description xml:lang="en">Logins through the specified virtual console device should be disabled</description>
2342: <ident system="http://cce.mitre.org">CCE-3485-0</ident>
2343: <fixtext xml:lang="en"> Edit /etc/securetty</fixtext>
2344: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2345: <check-content-ref name="oval:org.fedoraproject.f14:def:20062" href="scap-fedora14-oval.xml"/>
2346: </check>
2347: </Rule>
2348: <Rule id="rule-2.3.1.1.c" selected="false" weight="10.000000" severity="medium">
2349: <title xml:lang="en">Restrict virtual console Root Logins</title>
2350: <description xml:lang="en">Logins through the virtual console devices should be disabled</description>
2351: <ident system="http://cce.mitre.org">CCE-4111-1</ident>
2352: <fixtext xml:lang="en"> Edit /etc/securetty</fixtext>
2353: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2354: <check-content-ref name="oval:org.fedoraproject.f14:def:20063" href="scap-fedora14-oval.xml"/>
2355: </check>
2356: </Rule>
2357: <Rule id="rule-2.3.1.1.d" selected="false" weight="10.000000" severity="medium">
2358: <title xml:lang="en">Restrict serial port Root Logins</title>
2359: <description xml:lang="en">Login prompts on serial ports should be disabled.</description>
2360: <ident system="http://cce.mitre.org">CCE-4256-4</ident>
2361: <fixtext xml:lang="en">Edit /etc/securetty</fixtext>
2362: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2363: <check-content-ref name="oval:org.fedoraproject.f14:def:20064" href="scap-fedora14-oval.xml"/>
2364: </check>
2365: </Rule>
2366: </Group>
2367: <Group id="group-2.3.1.2" hidden="false">
2368: <title xml:lang="en">Limit su Access to the Root Account</title>
2369: <description xml:lang="en">
2370: The su command allows a user to gain the privileges of another user by entering the
2371: password for that user's account. It is desirable to restrict the root user so that only
2372: known administrators are ever allowed to access the root account. This restricts
2373: password-guessing against the root account by unauthorized users or by accounts which
2374: have been compromised. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2375: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2376: By convention, the group wheel contains all users who are allowed to run privileged
2377: commands. The PAM module pam_wheel.so is used to restrict root access to this set of
2378: users.</description>
2379: <Rule id="rule-2.3.1.2.a" selected="false" weight="10.000000" severity="medium">
2380: <title xml:lang="en">Limit su Access to the Root Account</title>
2381: <description xml:lang="en">The wheel group should exist</description>
2382: <fixtext xml:lang="en"> Ensure that the group wheel exists, and that the usernames of all administrators
2383: who should be allowed to execute commands as root are members of that group.
2384: </fixtext>
2385: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2386: <check-content-ref name="oval:org.fedoraproject.f14:def:20065" href="scap-fedora14-oval.xml"/>
2387: </check>
2388: </Rule>
2389: <Rule id="rule-2.3.1.2.b" selected="false" weight="10.000000" severity="medium">
2390: <title xml:lang="en">Limit su Access to the wheel group</title>
2391: <description xml:lang="en">Command access to the root account should be restricted to the wheel group.</description>
2392: <fixtext xml:lang="en"> Edit the file /etc/pam.d/su. Add, uncomment, or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2393: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2394: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">auth required pam_wheel.so use_uid</xhtml:code>
2395: </fixtext>
2396: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2397: <check-content-ref name="oval:org.fedoraproject.f14:def:20066" href="scap-fedora14-oval.xml"/>
2398: </check>
2399: </Rule>
2400: </Group>
2401: <Group id="group-2.3.1.3" hidden="false">
2402: <title xml:lang="en">Configure sudo to Improve Auditing of Root Access</title>
2403: <description xml:lang="en">
2404: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
2405: <xhtml:li>Ensure that the group wheel exists, and that the usernames
2406: of all administrators who should be allowed to execute commands as root are members of
2407: that group. <xhtml:br/>
2408: <xhtml:br/>
2409: <xhtml:code># grep ^wheel /etc/group</xhtml:code></xhtml:li>
2410: <xhtml:li>Edit the file /etc/sudoers. Add, uncomment, or
2411: correct the line: <xhtml:br/>
2412: <xhtml:br/>
2413: %wheel ALL=(ALL) ALL</xhtml:li>
2414: </xhtml:ol>
2415: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2416: The sudo command allows fine-grained control over
2417: which users can execute commands using other accounts. The primary benefit of sudo when
2418: configured as above is that it provides an audit trail of every command run by a
2419: privileged user. It is possible for a malicious administrator to circumvent this
2420: restriction, but, if there is an established procedure that all root commands are run
2421: using sudo, then it is easy for an auditor to detect unusual behavior when this
2422: procedure is not followed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2423: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2424: Editing /etc/sudoers by hand can be dangerous, since a configuration error may make it
2425: impossible to access the root account remotely. The recommended means of editing this
2426: file is using the visudo command, which checks the file's syntax for correctness before
2427: allowing it to be saved. Note that the automated fix attached to rule-2.3.1.3.a below appends the line to /etc/sudoers directly, so it does not receive this syntax check and will add a duplicate line if applied more than once.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2428: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2429: Note that sudo allows any attacker who gains access to the password of an administrator
2430: account to run commands as root. This is a downside which must be weighed against the
2431: benefits of increased audit capability and of being able to heavily restrict the use of
2432: the high-value root password (which can be logistically difficult to change often). As
2433: a basic precaution, never use the NOPASSWD directive, which would allow anyone with
2434: access to an administrator account to execute commands as root without knowing the
2435: administrator's password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2436: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2437: The sudo command has many options which can be used to further customize its behavior.
2438: See the sudoers(5) man page for details.</description>
2439: <Rule id="rule-2.3.1.3.a" selected="false" weight="10.000000" severity="medium">
2440: <title xml:lang="en">Configure sudo to Improve Auditing of Root Access</title>
2441: <description xml:lang="en">Sudo privileges should be granted to the wheel group</description>
2442: <ident system="http://cce.mitre.org">CCE-4044-4</ident>
2443: <fix>echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers</fix>
2444: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2445: <check-content-ref name="oval:org.fedoraproject.f14:def:20067" href="scap-fedora14-oval.xml"/>
2446: </check>
2447: </Rule>
2448: </Group>
2449: <Group id="group-2.3.1.4" hidden="false">
2450: <title xml:lang="en">Block Shell and Login Access for Non-Root System Accounts</title>
2451: <description xml:lang="en">
2452: Using /etc/passwd, obtain a listing of all users, their UIDs,
2453: and their shells, for instance by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2454: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2455: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd<xhtml:br/></xhtml:code>
2456: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2457: Identify the system accounts from this listing. These will primarily be the accounts
2458: with UID numbers less than 500, other than root.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2459: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2460: For each identified system account SYSACCT, lock the account: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2461: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2462: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -L SYSACCT <xhtml:br/></xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2463: and disable its shell: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2464: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2465: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin SYSACCT <xhtml:br/></xhtml:code>
2466: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2467: These are the accounts which are
2468: not associated with a human user of the system, but which exist to perform some
2469: administrative function. Make it more difficult for an attacker to use these accounts by
2470: locking their passwords and by setting their shells to some non-valid shell. The Fedora
2471: default non-valid shell is /sbin/nologin, but any command which will exit with a failure
2472: status and disallow execution of any further commands, such as /bin/false or /dev/null,
2473: will work.</description>
2474: <warning xml:lang="en" override="false" category="functionality">Do not perform the steps in this section on the root account.
2475: Doing so might cause the system to become inaccessible.</warning>
2476: <Rule id="rule-2.3.1.4.a" selected="false" weight="10.000000" severity="medium">
2477: <title xml:lang="en">Block Shell and Login Access for Non-Root System Accounts</title>
2478: <description xml:lang="en">Login access to non-root system accounts should be disabled</description>
2479: <ident system="http://cce.mitre.org">CCE-3987-5</ident>
2480: <fixtext xml:lang="en">Edit /etc/passwd</fixtext>
2481: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2482: <check-content-ref name="oval:org.fedoraproject.f14:def:20068" href="scap-fedora14-oval.xml"/>
2483: </check>
2484: </Rule>
2485: </Group>
2486: <Group id="group-2.3.1.5" hidden="false">
2487: <title xml:lang="en">Verify Proper Storage and Existence of Password Hashes</title>
2488: <Group id="group-2.3.1.5.1" hidden="false">
2489: <title xml:lang="en">Verify that No Accounts Have Empty Password Fields</title>
2490: <description xml:lang="en">
2491: Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2492: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2493: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 == "") {print}' /etc/shadow <xhtml:br/></xhtml:code>
2494: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2495: If this produces any output, fix the problem by locking each account
2496: (see Section 2.3.1.4 above) or by setting a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2497: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2498: If an account has an empty password, anybody may log in and run commands with the
2499: privileges of that account. Accounts with empty passwords should never be used in
2500: operational environments.</description>
2501: <Rule id="rule-2.3.1.5.1.a" selected="false" weight="10.000000" severity="medium">
2502: <title xml:lang="en">Verify that No Accounts Have Empty Password Fields</title>
2503: <description xml:lang="en">Login access to accounts without passwords should be disabled</description>
2504: <ident system="http://cce.mitre.org">CCE-4238-2</ident>
2505: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2506: <check-content-ref name="oval:org.fedoraproject.f14:def:20069" href="scap-fedora14-oval.xml"/>
2507: </check>
2508: </Rule>
2509: </Group>
2510: <Group id="group-2.3.1.5.2" hidden="false">
2511: <title xml:lang="en">Verify that All Account Password Hashes are Shadowed</title>
2512: <description xml:lang="en">
2513: To ensure that no password hashes are stored in /etc/passwd, the following command should have no output:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2514: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2515: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd<xhtml:br/></xhtml:code>
2516: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2517: The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd,
2518: which is readable by all users.
2519: </description>
2520: <Rule id="rule-2.3.1.5.2.a" selected="false" weight="10.000000" severity="medium">
2521: <title xml:lang="en">Verify that All Account Password Hashes are Shadowed</title>
2522: <description xml:lang="en">Check that passwords are shadowed</description>
2523: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2524: <check-content-ref name="oval:org.fedoraproject.f14:def:200695" href="scap-fedora14-oval.xml"/>
2525: </check>
2526: </Rule>
2527: </Group>
2528: </Group>
2529: <Group id="group-2.3.1.6" hidden="false">
2530: <title xml:lang="en">Verify that No Non-Root Accounts Have UID 0</title>
2531: <description xml:lang="en">
2532: This command will print all password file entries for accounts
2533: with UID 0: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2534: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2535: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd <xhtml:br/></xhtml:code>
2536: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2537: This should print only one line, for the user root. If any other lines appear, ensure
2538: that these additional UID-0 accounts are authorized, and that there is a good reason for
2539: them to exist. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2540: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2541: In general, the best practice for auditing use of the root account is to restrict the
2542: situations in which root must be accessed anonymously, by requiring use of su or sudo
2543: in almost all cases. Some sites choose to have more than one account with UID 0 in order
2544: to differentiate between administrators, but this practice may have unexpected side
2545: effects, and is therefore not recommended.</description>
2546: <Rule id="rule-2.3.1.6.a" selected="false" weight="10.000000" severity="medium">
2547: <title xml:lang="en">Verify that No Non-Root Accounts Have UID 0</title>
2548: <description xml:lang="en">Anonymous root logins should be disabled</description>
2549: <ident system="http://cce.mitre.org">CCE-4009-7</ident>
2550: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2551: <check-content-ref name="oval:org.fedoraproject.f14:def:20070" href="scap-fedora14-oval.xml"/>
2552: </check>
2553: </Rule>
2554: </Group>
2555: <Group id="group-2.3.1.7" hidden="false">
2556: <title xml:lang="en">Set Password Expiration Parameters</title>
2557: <description xml:lang="en">
2558: Edit the file /etc/login.defs to specify password expiration
2559: settings for new accounts. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2560: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">
2561: PASS_MAX_DAYS=180<xhtml:br/>
2562: PASS_MIN_DAYS=7 <xhtml:br/>
2563: PASS_MIN_LEN=8 <xhtml:br/>
2564: PASS_WARN_AGE=7 <xhtml:br/></xhtml:code>
2565: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2566: For each existing human user USER, modify the current expiration settings to match
2567: these: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2568: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER<xhtml:br/></xhtml:code>
2569: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2570: Users should be forced to change their passwords, in order to decrease the utility of
2571: compromised passwords. However, the need to change passwords often should be balanced
2572: against the risk that users will reuse or write down passwords if forced to change them
2573: too often. Forcing password changes every 90-360 days, depending on the environment, is
2574: recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing
2575: accounts with the -M flag. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2576: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2577: The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first
2578: change, to discourage password cycling. If you use this setting, train users to contact
2579: an administrator for an emergency password change in case a new password becomes
2580: compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time
2581: that their passwords are about to expire.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2582: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2583: The PASS_MIN_LEN setting, which controls minimum password length, should be set to
2584: whatever is required by your site or organization security policy. The example value of
2585: 8 provided here may be inadequate for many environments. See Section 2.3.3 for
2586: information on how to enforce more sophisticated requirements on password length and
2587: quality.
2588: </description>
2589: <Value id="var-2.3.1.7.a" operator="equals" type="string">
2590: <title xml:lang="en">minimum password length</title>
2591: <description xml:lang="en">Minimum number of characters in password</description>
2592: <warning xml:lang="en">This will only check new passwords</warning>
2593: <question xml:lang="en">Select minimum number of characters in password</question>
2594: <value>14</value>
2595: <value selector="5">5</value>
2596: <value selector="6">6</value>
2597: <value selector="8">8</value>
2598: <value selector="10">10</value>
2599: <value selector="14">14</value>
2600: <match>^[\d]+$</match>
2601: </Value>
2602: <Value id="var-2.3.1.7.b" operator="equals" type="string">
2603: <title xml:lang="en">minimum password age</title>
2604: <description xml:lang="en">Enter minimum duration before allowing a password change</description>
2605: <question xml:lang="en">Select minimum duration (in days) before allowing a password change</question>
2606: <value>1</value>
2607: <value selector="1_day">1</value>
2608: <value selector="7_days">7</value>
2609: <match>^[\d]+$</match>
2610: </Value>
2611: <Value id="var-2.3.1.7.c" operator="equals" type="string">
2612: <title xml:lang="en">maximum password age</title>
2613: <description xml:lang="en">Enter age before which a password must be changed</description>
2614: <question xml:lang="en">Select age (in days) before which a password must be changed</question>
2615: <value>60</value>
2616: <value selector="0_days">0</value>
2617: <value selector="30_days">30</value>
2618: <value selector="60_days">60</value>
2619: <value selector="90_days">90</value>
2620: <value selector="120_days">120</value>
2621: <value selector="150_days">150</value>
2622: <value selector="180_days">180</value>
2623: <match>^[\d]+$</match>
2624: </Value>
2625: <Value id="var-2.3.1.7.d" operator="equals" type="string">
2626: <title xml:lang="en">password warn age</title>
2627: <description xml:lang="en">
2628: The number of days warning given before a password expires. A zero
2629: means warning is given only upon the day of expiration, a negative
2630: value means no warning is given. If not specified, no warning will
2631: be provided.</description>
2632: <question xml:lang="en">Select number of days warning is given before a password expires</question>
2633: <value>14</value>
2634: <value selector="7_days">7</value>
2635: <value selector="8_days">8</value>
2636: <value selector="14_days">14</value>
2637: <match>^[\d]+$</match>
2638: </Value>
2639: <Rule id="rule-2.3.1.7.a" selected="false" weight="10.000000" severity="medium">
2640: <title xml:lang="en">Set password minimum length</title>
2641: <description xml:lang="en">The password minimum length should be set to:
2642: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.a"/></description>
2643: <ident system="http://cce.mitre.org">CCE-4154-1</ident>
2644: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2645: <check-export export-name="oval:org.fedoraproject.f14:var:20071" value-id="var-2.3.1.7.a"/>
2646: <check-content-ref name="oval:org.fedoraproject.f14:def:20071" href="scap-fedora14-oval.xml"/>
2647: </check>
2648: </Rule>
2649: <Rule id="rule-2.3.1.7.b" selected="false" weight="10.000000" severity="medium">
2650: <title xml:lang="en">Set minimum password age</title>
2651: <description xml:lang="en">The minimum password age should be set to:
2652: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.b"/></description>
2653: <ident system="http://cce.mitre.org">CCE-4180-6</ident>
2654: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2655: <check-export export-name="oval:org.fedoraproject.f14:var:20072" value-id="var-2.3.1.7.b"/>
2656: <check-content-ref name="oval:org.fedoraproject.f14:def:20072" href="scap-fedora14-oval.xml"/>
2657: </check>
2658: </Rule>
2659: <Rule id="rule-2.3.1.7.c" selected="false" weight="10.000000" severity="medium">
2660: <title xml:lang="en">Set maximum password age</title>
2661: <description xml:lang="en">The maximum password age should be set to:
2662: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.c"/></description>
2663: <ident system="http://cce.mitre.org">CCE-4092-3</ident>
2664: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2665: <check-export export-name="oval:org.fedoraproject.f14:var:20073" value-id="var-2.3.1.7.c"/>
2666: <check-content-ref name="oval:org.fedoraproject.f14:def:20073" href="scap-fedora14-oval.xml"/>
2667: </check>
2668: </Rule>
2669: <Rule id="rule-2.3.1.7.d" selected="false" weight="10.000000" severity="medium">
2670: <title xml:lang="en">Set password warn age</title>
2671: <description xml:lang="en">The password warn age should be set to:
2672: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.1.7.d"/></description>
2673: <ident system="http://cce.mitre.org">CCE-4097-2</ident>
2674: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2675: <check-export export-name="oval:org.fedoraproject.f14:var:20074" value-id="var-2.3.1.7.d"/>
2676: <check-content-ref name="oval:org.fedoraproject.f14:def:20074" href="scap-fedora14-oval.xml"/>
2677: </check>
2678: </Rule>
2679: </Group>
2680: <Group id="group-2.3.1.8" hidden="false">
2681: <title xml:lang="en">Remove Legacy + Entries from Password Files</title>
2682: <description xml:lang="en">
2683: The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2684: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2685: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># grep "^+:" /etc/passwd /etc/shadow /etc/group<xhtml:br/></xhtml:code>
2686: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2687: should produce no output. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2688: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2689: The + symbol was used by systems to include data from NIS maps
2690: into existing files. However, a certain configuration error in which a NIS inclusion
2691: line appears in /etc/passwd, but NIS is not running, could lead to anyone being able to
2692: access the system with the username + and no password. Therefore, it is important to
2693: verify that no such line appears in any of the relevant system files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2694: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2695: The correct way to
2696: tell the local system to consult network databases such as LDAP or NIS for user
2697: information is to make appropriate modifications to /etc/nsswitch.conf.</description>
2698: <Rule id="rule-2.3.1.8.a" selected="false" weight="10.000000" severity="medium">
2699: <title xml:lang="en">Remove Legacy + Entries from /etc/shadow</title>
2700: <description xml:lang="en">NIS file inclusions should be set appropriately in the /etc/shadow file</description>
2701: <fixtext xml:lang="en">(1) via /etc/shadow</fixtext>
2702: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2703: <check-content-ref name="oval:org.fedoraproject.f14:def:20075" href="scap-fedora14-oval.xml"/>
2704: </check>
2705: </Rule>
2706: <Rule id="rule-2.3.1.8.b" selected="false" weight="10.000000" severity="medium">
2707: <title xml:lang="en">Remove Legacy + Entries from /etc/group</title>
2708: <description xml:lang="en">NIS file inclusions should be set appropriately in the /etc/group file</description>
2709: <fixtext xml:lang="en">(1) via /etc/group</fixtext>
2710: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2711: <check-content-ref name="oval:org.fedoraproject.f14:def:20076" href="scap-fedora14-oval.xml"/>
2712: </check>
2713: </Rule>
2714: <Rule id="rule-2.3.1.8.c" selected="false" weight="10.000000" severity="medium">
2715: <title xml:lang="en">Remove Legacy + Entries from /etc/passwd</title>
2716: <description xml:lang="en">NIS file inclusions should be set appropriately in the /etc/passwd file</description>
2717: <ident system="http://cce.mitre.org">CCE-4114-5</ident>
2718: <fixtext xml:lang="en">(1) via /etc/passwd</fixtext>
2719: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2720: <check-content-ref name="oval:org.fedoraproject.f14:def:20077" href="scap-fedora14-oval.xml"/>
2721: </check>
2722: </Rule>
2723: </Group>
2724: </Group>
2725: <Group id="group-2.3.2" hidden="false">
2726: <title xml:lang="en">Use Unix Groups to Enhance Security</title>
2727: <description xml:lang="en">
2728: The access control policies which can be enforced by standard
2729: Unix permissions are limited, and configuring SELinux (Section 2.4) is frequently a better
2730: choice. However, this guide recommends that security be enhanced to the extent possible by
2731: enforcing the Unix group policies outlined in this section.</description>
2732: <Group id="group-2.3.2.1" hidden="false" weight="1.000000">
2733: <title xml:lang="en">Create a Unique Default Group for Each User</title>
2734: <description xml:lang="en">
2735: When running useradd, do not use the -g flag or otherwise
2736: override the default group. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2737: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2738: The Red Hat default is that each new user account should
2739: have a unique primary group whose name is the same as that of the account. This default
2740: is recommended, in order to provide additional protection against files which are
2741: created with group write permission enabled.</description>
2742: </Group>
2743: <Group id="group-2.3.2.2" hidden="false">
2744: <title xml:lang="en">Create and Maintain a Group Containing All Human Users</title>
2745: <description xml:lang="en">
2746: Identify all user accounts on the system which correspond to
2747: human users. Depending on your system configuration, this may be all entries in
2748: /etc/passwd with UID values of at least 500. Once you have identified such a set of
2749: users, create a group named usergroup (substitute some name appropriate to your
2750: environment) and populate it with each human user: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2751: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2752: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># groupadd usergroup <xhtml:br/>
2753: # usermod -G usergroup human1 <xhtml:br/>
2754: # usermod -G usergroup human2 ... <xhtml:br/>
2755: # usermod -G usergroup humanN <xhtml:br/></xhtml:code>
2756: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2757: Then modify your procedure for creating new user accounts by adding -G usergroup to the
2758: set of flags with which useradd is invoked, so that new human users will be placed in
2759: the correct group by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2760: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2761: Creating a group of human users does not, by itself, enhance
2762: system security. However, as you work on securing your system, you will often find
2763: commands which never need to be run by system accounts, or which are only ever needed by
2764: users logged into the graphical console (which should only ever be available to human
2765: users, even on workstations). Once a group of users has been created, it is easy to
2766: restrict access to a given command, for instance /path/to/graphical/command, to
2767: authorized users: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2768: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2769: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chgrp usergroup /path/to/graphical/command <xhtml:br/>
2770: # chmod 750 /path/to/graphical/command <xhtml:br/></xhtml:code>
2771: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2772: Without a group of human users, it is necessary to restrict
2773: access by somehow preventing each system account from running the command, which is an
2774: error-prone process even when it is possible at all.</description>
2775: </Group>
2776: </Group>
2777: <Group id="group-2.3.3" hidden="false">
2778: <title xml:lang="en">Protect Accounts by Configuring PAM</title>
2779: <description xml:lang="en">
2780: PAM, or Pluggable Authentication Modules, is a system which
2781: implements modular authentication for Linux programs. PAM is well-integrated into Linux's
2782: authentication architecture, making it difficult to remove, but it can be configured to
2783: minimize your system's exposure to unnecessary risk. This section contains guidance on how
2784: to accomplish that, and how to ensure that the modules used by your PAM configuration do
2785: what they are supposed to do. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2786: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2787: PAM is implemented as a set of shared objects which are
2788: loaded and invoked whenever an application wishes to authenticate a user. Typically, the
2789: application must be running as root in order to take advantage of PAM. Traditional
2790: privileged network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this
2791: requirement. An SUID root application, userhelper, is provided so that programs which are
2792: not SUID or privileged themselves can still take advantage of PAM. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2793: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2794: PAM looks in the
2795: directory /etc/pam.d for application-specific configuration information. For instance, if
2796: the program login attempts to authenticate a user, then PAM's libraries follow the
2797: instructions in the file /etc/pam.d/login to determine what actions should be taken.
2798: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2799: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>One
2800: very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included
2801: by many other PAM configuration files, defines 'default' system authentication measures.
2802: Modifying this file is a good way to make far-reaching authentication changes, for
2803: instance when implementing a centralized authentication service.
2804: </description>
2805: <warning xml:lang="en">
2806: Be careful when making changes to PAM's configuration files. The syntax for these files
2807: is complex, and modifications can have unexpected consequences. The default
2808: configurations shipped with applications should be sufficient for most users.
2809: </warning>
2810: <warning xml:lang="en">
2811: Running authconfig or system-config-authentication will re-write the PAM configuration
2812: files, destroying any manually made changes and replacing them with a series of system
2813: defaults. One reference to the configuration file syntax can be found at
2814: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.
2815: </warning>
2816: <Group id="group-2.3.3.1" hidden="false">
2817: <title xml:lang="en">Set Password Quality Requirements</title>
2818: <description xml:lang="en">
2819: The default pam_cracklib PAM module provides strength checking
2820: for passwords. It performs a number of checks, such as making sure passwords are not
2821: similar to dictionary words, are of at least a certain length, are not the previous
2822: password reversed, and are not simply a change of case from the previous password. It
2823: can also require passwords to be in certain character classes.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2824: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2825: The pam_passwdqc PAM module provides the ability to enforce even more stringent
2826: password strength requirements. It is provided in an RPM of the same name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2827: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2828: The man pages pam_cracklib(8) and pam_passwdqc(8) provide information on the
2829: capabilities and configuration of each.
2830: </description>
2831: <Group id="group-2.3.3.1.1" hidden="false">
2832: <title xml:lang="en">Set Password Quality Requirements, if using pam_cracklib</title>
2833: <description xml:lang="en">
2834: The pam_cracklib PAM module can be configured to meet
2835: recommendations for DoD systems as stated in [12].<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2836: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2837: To configure pam_cracklib to require at least one uppercase character, lowercase
2838: character, digit, and other (special) character, locate the following line in
2839: /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2840: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2841: password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2842: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2843: and then alter it to read:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2844: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2845: password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1
2846: ucredit=-1 ocredit=-1 lcredit=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2847: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2848: If necessary, modify the arguments to ensure compliance with your organization’s
2849: security policy. Note that lcredit=0 in the example line does not require a lowercase
character; set lcredit=-1 to require at least one, as the negative values do for the other classes.
2850: </description>
2851: <warning xml:lang="en">Note that these password quality requirements are not enforced
2852: for the root account.
2853: </warning>
2854: <Value id="var-2.3.3.1.1.a.retry" type="string">
2855: <title xml:lang="en">retry</title>
2856: <description xml:lang="en">Number of retry attempts before erroring out</description>
2857: <question xml:lang="en">Select number of password retry attempts before erroring out</question>
2858: <value>3</value>
2859: <value selector="1">1</value>
2860: <value selector="2">2</value>
2861: <value selector="3">3</value>
2862: <match>^[\d]+$</match>
2863: </Value>
2864: <Value id="var-2.3.3.1.1.a.difok" type="string">
2865: <title xml:lang="en">difok</title>
2866: <description xml:lang="en">Minimum number of characters not present in old password</description>
2867: <warning xml:lang="en">Keep this high for short passwords</warning>
2868: <question xml:lang="en">Select minimum number of characters not present in old password</question>
2869: <value>5</value>
2870: <value selector="2">2</value>
2871: <value selector="3">3</value>
2872: <value selector="4">4</value>
2873: <value selector="5">5</value>
2874: <match>^[\d]+$</match>
2875: </Value>
2876: <Value id="var-2.3.3.1.1.a.minlen" type="string">
2877: <title xml:lang="en">minlen</title>
2878: <description xml:lang="en">Minimum number of characters in password</description>
2879: <question xml:lang="en">Select minimum number of characters in password</question>
2880: <value>14</value>
2881: <value selector="6">6</value>
2882: <value selector="8">8</value>
2883: <value selector="10">10</value>
2884: <value selector="14">14</value>
2885: <value selector="15">15</value>
2886: <match>^[\d]+$</match>
2887: </Value>
2888: <Value id="var-2.3.3.1.1.a.dcredit" type="string">
2889: <title xml:lang="en">dcredit</title>
2890: <description xml:lang="en">Minimum number of digits in password</description>
2891: <question xml:lang="en">Select number of digits in password</question>
2892: <value>-2</value>
2893: <value selector="2">-2</value>
2894: <value selector="1">-1</value>
2895: <value selector="0">0</value>
2896: <match>^-?[\d]+$</match>
2897: </Value>
2898: <Value id="var-2.3.3.1.1.a.ocredit" type="string">
2899: <title xml:lang="en">ocredit</title>
2900: <description xml:lang="en">Minimum number of other (special) characters in password</description>
2901: <question xml:lang="en">Select number of special characters in password</question>
2902: <value>-2</value>
2903: <value selector="2">-2</value>
2904: <value selector="1">-1</value>
2905: <value selector="0">0</value>
2906: <match>^-?[\d]+$</match>
2907: </Value>
2908: <Value id="var-2.3.3.1.1.a.lcredit" type="string">
2909: <title xml:lang="en">lcredit</title>
2910: <description xml:lang="en">Minimum number of lower case characters in password</description>
2911: <question xml:lang="en">Select minimum number of lower case in password</question>
2912: <value>-2</value>
2913: <value selector="2">-2</value>
2914: <value selector="1">-1</value>
2915: <value selector="0">0</value>
2916: <match>^-?[\d]+$</match>
2917: </Value>
2918: <Value id="var-2.3.3.1.1.a.ucredit" type="string">
2919: <title xml:lang="en">ucredit</title>
2920: <description xml:lang="en">Minimum number of upper case characters in password</description>
2921: <question xml:lang="en">Select minimum number of upper case in password</question>
2922: <value>-2</value>
2923: <value selector="2">-2</value>
2924: <value selector="1">-1</value>
2925: <value selector="0">0</value>
2926: <match>^-?[\d]+$</match>
2927: </Value>
2928: <Rule id="rule-2.3.3.1.1.a" selected="false" weight="10.000000" severity="medium">
2929: <title xml:lang="en">Set Password Quality Requirements</title>
2930: <description xml:lang="en">The password strength should meet minimum requirements</description>
2931: <ident system="http://cce.mitre.org">CCE-3762-2</ident>
2932: <fixtext xml:lang="en">(1) via PAM</fixtext>
2933: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
2934: <check-export export-name="oval:org.fedoraproject.f14:var:200781" value-id="var-2.3.3.1.1.a.retry"/>
2935: <check-export export-name="oval:org.fedoraproject.f14:var:200782" value-id="var-2.3.3.1.1.a.minlen"/>
2936: <check-export export-name="oval:org.fedoraproject.f14:var:200783" value-id="var-2.3.3.1.1.a.dcredit"/>
2937: <check-export export-name="oval:org.fedoraproject.f14:var:200784" value-id="var-2.3.3.1.1.a.ucredit"/>
2938: <check-export export-name="oval:org.fedoraproject.f14:var:200785" value-id="var-2.3.3.1.1.a.ocredit"/>
2939: <check-export export-name="oval:org.fedoraproject.f14:var:200786" value-id="var-2.3.3.1.1.a.lcredit"/>
2940: <check-export export-name="oval:org.fedoraproject.f14:var:200787" value-id="var-2.3.3.1.1.a.difok"/>
2941: <check-content-ref name="oval:org.fedoraproject.f14:def:20078" href="scap-fedora14-oval.xml"/>
2942: </check>
2943: </Rule>
2944: </Group>
2945: <Group id="group-2.3.3.1.2" hidden="false">
2946: <title xml:lang="en">Set Password Quality Requirements, if using pam_passwdqc</title>
2947: <description xml:lang="en">
2948: If password strength stronger than that guaranteed by
2949: pam_cracklib is required, configure PAM to use pam_passwdqc.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2950: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2951: To activate pam_passwdqc, locate the following line in /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2952: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2953: password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2954: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2955: and then replace it with the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2956: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2957: password requisite pam_passwdqc.so min=disabled,disabled,16,12,8<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2958: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2959: If necessary, modify the arguments (min=disabled,disabled,16,12,8) to ensure
2960: compliance with your organization’s security policy. Configuration options are
2961: described in the man page pam_passwdqc(8) and also in /usr/share/doc/pam_passwdqc-version.
2962: The minimum lengths provided here supersede that specified
2963: by the argument PASS_MIN_LEN as described in Section 2.3.1.7.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2964: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
2965: The options given in the example above set a minimum length for each of the
2966: password “classes” that pam_passwdqc recognizes. Setting a particular minimum
2967: value to disabled will stop users from choosing a password that falls into
2968: that category alone.
2969: </description>
2970: <Value id="var-2.3.3.1.2.a.N0" type="string">
2971: <title xml:lang="en">N0</title>
2972: <description xml:lang="en">
2973: N0 is used for passwords consisting of characters
2974: from one character class only. The character classes are: digits,
2975: lower-case letters, upper-case letters, and other characters. There is
2976: also a special class for non-ASCII characters which could not be
2977: classified, but are assumed to be non-digits. </description>
2978: <value>24</value>
2979: <value selector="disabled">disabled</value>
2980: <value selector="24">24</value>
2981: <value selector="30">30</value>
2982: </Value>
2983: <Value id="var-2.3.3.1.2.a.N1" type="string">
2984: <title xml:lang="en">N1</title>
2985: <description xml:lang="en">
2986: N1 is used for passwords consisting of characters
2987: from two character classes which do not meet the requirements for a
2988: passphrase.</description>
2989: <value>16</value>
2990: <value selector="disabled">disabled</value>
2991: <value selector="18">18</value>
2992: <value selector="24">24</value>
2993: </Value>
2994: <Value id="var-2.3.3.1.2.a.N2" type="string">
2995: <title xml:lang="en">N2</title>
2996: <description xml:lang="en">
2997: N2 is used for passphrases. Note that besides
2998: meeting this length requirement, a passphrase must also consist of a
2999: sufficient number of words (see the "passphrase" option below). </description>
3000: <value>16</value>
3001: <value selector="disabled">disabled</value>
3002: <value selector="16">16</value>
3003: <value selector="17">17</value>
3004: <value selector="18">18</value>
3005: </Value>
3006: <Value id="var-2.3.3.1.2.a.N3" type="string">
3007: <title xml:lang="en">N3</title>
3008: <description xml:lang="en">N3 is the number of characters required for a password that uses characters from 3 character classes.</description>
3009: <question xml:lang="en">Select the number of characters required for a password that uses characters from 3 character classes</question>
3010: <value>16</value>
3011: <value selector="disabled">disabled</value>
3012: <value selector="14">14</value>
3013: <value selector="15">15</value>
3014: <value selector="16">16</value>
3015: </Value>
3016: <Value id="var-2.3.3.1.2.a.N4" type="string">
3017: <title xml:lang="en">N4</title>
3018: <description xml:lang="en">N4 is the number of characters required for a password that uses characters from 4 character classes.</description>
3019: <question xml:lang="en">Select the number of characters required for a password that uses characters from 4 character classes</question>
3020: <value>14</value>
3021: <value selector="10">10</value>
3022: <value selector="12">12</value>
3023: <value selector="14">14</value>
3024: </Value>
3025: <Value id="var-2.3.3.1.2.a.passphrase" type="string">
3026: <title xml:lang="en">passphrase</title>
3027: <description xml:lang="en">The number of words required for a passphrase, or 0 to disable the support for user-chosen passphrases. </description>
3028: <question xml:lang="en">Select the number of words required for a passphrase</question>
3029: <value>3</value>
3030: <value selector="disabled">0</value>
3031: <value selector="3">3</value>
3032: <value selector="5">5</value>
3033: <match>^[\d]+$</match>
3034: </Value>
3035: <Value id="var-2.3.3.1.2.a.match" type="string">
3036: <title xml:lang="en">match</title>
3037: <description xml:lang="en">
3038: The length of common substring required to
3039: conclude that a password is at least partially based on information
3040: found in a character string, or 0 to disable the substring search.
3041: Note that the password will not be rejected once a weak substring is
3042: found; it will instead be subjected to the usual strength requirements
3043: with the weak substring removed.</description>
3044: <question xml:lang="en">Enter the length of common substring required to conclude that a password is at least partially based on information found in a character string</question>
3045: <value>5</value>
3046: <value selector="disable">0</value>
3047: <value selector="3">3</value>
3048: <value selector="4">4</value>
3049: <value selector="5">5</value>
3050: <match>^[\d]+$</match>
3051: </Value>
3052: <Value id="var-2.3.3.1.2.a.retry" type="string">
3053: <title xml:lang="en">retry</title>
3054: <description xml:lang="en">
3055: The number of times the module will ask for a
3056: new password if the user fails to provide a sufficiently strong
3057: password and enter it twice the first time. </description>
3058: <question xml:lang="en">Enter the number of times the module will ask for a new password if the user fails to provide a sufficiently strong password</question>
3059: <value>3</value>
3060: <value selector="2">2</value>
3061: <value selector="3">3</value>
3062: <value selector="4">4</value>
3063: <match>^[\d]+$</match>
3064: </Value>
3065: <Rule id="rule-2.3.3.1.2.a" selected="false" weight="10.000000">
3066: <title xml:lang="en">Set Password Quality Requirements using pam_passwdqc</title>
3067: <description xml:lang="en">The password strength should meet minimum requirements</description>
3068: <ident system="http://cce.mitre.org">CCE-3762-2</ident>
3069: <fixtext xml:lang="en">(1) via PAM</fixtext>
3070: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3071: <check-export export-name="oval:org.fedoraproject.f14:var:200790" value-id="var-2.3.3.1.2.a.N0"/>
3072: <check-export export-name="oval:org.fedoraproject.f14:var:200791" value-id="var-2.3.3.1.2.a.N1"/>
3073: <check-export export-name="oval:org.fedoraproject.f14:var:200792" value-id="var-2.3.3.1.2.a.N2"/>
3074: <check-export export-name="oval:org.fedoraproject.f14:var:200793" value-id="var-2.3.3.1.2.a.N3"/>
3075: <check-export export-name="oval:org.fedoraproject.f14:var:200794" value-id="var-2.3.3.1.2.a.N4"/>
3076: <check-export export-name="oval:org.fedoraproject.f14:var:200795" value-id="var-2.3.3.1.2.a.passphrase"/>
3077: <check-export export-name="oval:org.fedoraproject.f14:var:200796" value-id="var-2.3.3.1.2.a.match"/>
3078: <check-export export-name="oval:org.fedoraproject.f14:var:200797" value-id="var-2.3.3.1.2.a.retry"/>
3079: <check-content-ref name="oval:org.fedoraproject.f14:def:20079" href="scap-fedora14-oval.xml"/>
3080: </check>
3081: </Rule>
3082: </Group>
3083: </Group>
3084: <Group id="group-2.3.3.2" hidden="false">
3085: <title xml:lang="en">Set Lockouts for Failed Password Attempts</title>
3086: <description xml:lang="en">
3087: The pam_tally2 PAM module provides the capability to lock out
3088: user accounts after a number of failed login attempts. Its documentation is available in
3089: /usr/share/doc/pam-version/txts/README.pam_tally2. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3090: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3091: If locking out accounts after a number of incorrect login attempts is required by your
3092: security policy, implement use of pam_tally2.so for the relevant PAM-aware programs
3093: such as login, sshd, and vsftpd. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3094: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3095: Find the following line in /etc/pam.d/system-auth: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3096: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3097: auth sufficient pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3098: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3099: and then change it so that it reads as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3100: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3101: auth required pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3102: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3103: In the same file, comment out or delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3104: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3105: auth requisite pam_succeed_if.so uid >= 500 quiet <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3106: auth required pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3107: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3108: To enforce password lockout, add the following to the individual programs'
3109: configuration files in /etc/pam.d. First, add to end of the auth lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3110: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3111: auth required pam_tally2.so deny=5 onerr=fail <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3112: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3113: Second, add to the end of the account lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3114: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3115: account required pam_tally2.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3116: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3117: Adjust the deny argument to conform to your system security policy. The pam_tally2
3118: utility can be used to unlock user accounts as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3119: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3120: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /sbin/pam_tally2 --user username --reset <xhtml:br/></xhtml:code>
3121: </description>
3122: <warning xml:lang="en">
3123: Locking out user accounts presents the risk of a denial-of-service attack. The security
3124: policy regarding system lockout must weigh whether the risk of such a denial-of-service
3125: attack outweighs the benefits of thwarting password guessing attacks. The pam_tally2
3126: utility can be run from a cron job on an hourly or daily basis to offset this
3127: risk.
3128: </warning>
3129: <Value id="var-2.3.3.2.a.deny" type="string">
3130: <title xml:lang="en">deny</title>
3131: <description xml:lang="en">Deny access if the tally for this user exceeds n.</description>
3132: <value>3</value>
3133: <value selector="1">1</value>
3134: <value selector="3">3</value>
3135: <value selector="5">5</value>
3136: <value selector="10">10</value>
3137: <match>^[\d]+$</match>
3138: </Value>
3139: <Value id="var-2.3.3.2.a.lock_time" type="string">
3140: <title xml:lang="en">lock_time</title>
3141: <description xml:lang="en">Always deny for n seconds after a failed attempt.</description>
3142: <value>5</value>
3143: <value selector="1">1</value>
3144: <value selector="3">3</value>
3145: <value selector="5">5</value>
3146: <value selector="10">10</value>
3147: <match>^[\d]+$</match>
3148: </Value>
3149: <Value id="var-2.3.3.2.a.unlock_time" type="string">
3150: <title xml:lang="en">unlock_time</title>
3151: <description xml:lang="en">
3152: Allow access n seconds after a failed attempt. If this
3153: option is used the user will be locked out for the specified amount of time after
3154: he exceeded his maximum allowed attempts. Otherwise the account is locked until the
3155: lock is removed by a manual intervention of the system administrator.</description>
3156: <question xml:lang="en">Select the time (in seconds) a user will be locked out after exceeding the maximum allowed attempts</question>
3157: <value>0</value>
3158: <value selector="none">1</value>
3159: <value selector="15_minutes">900</value>
3160: <value selector="30_minutes">1800</value>
3161: <value selector="1_hour">3600</value>
3162: <match>^[\d]+$</match>
3163: </Value>
3164: <Rule id="rule-2.3.3.2.a" selected="false" weight="10.000000" severity="medium">
3165: <title xml:lang="en">Set Lockouts for Failed Password Attempts</title>
3166: <description xml:lang="en">The "account lockout threshold" policy should meet minimum requirements.</description>
3167: <ident system="http://cce.mitre.org">CCE-3410-8</ident>
3168: <fixtext xml:lang="en">(1) via PAM</fixtext>
3169: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3170: <check-export export-name="oval:org.fedoraproject.f14:var:200801" value-id="var-2.3.3.2.a.deny"/>
3171: <check-export export-name="oval:org.fedoraproject.f14:var:200802" value-id="var-2.3.3.2.a.lock_time"/>
3172: <check-export export-name="oval:org.fedoraproject.f14:var:200803" value-id="var-2.3.3.2.a.unlock_time"/>
3173: <check-content-ref name="oval:org.fedoraproject.f14:def:20080" href="scap-fedora14-oval.xml"/>
3174: </check>
3175: </Rule>
3176: <Rule id="rule-2.3.3.2.b" selected="false" weight="10.000000">
3177: <title xml:lang="en">Do not leak information on authorization failure</title>
3178: <description xml:lang="en">Authorization failures should not alert attackers as to what went wrong.</description>
3179: <fixtext xml:lang="en">(1) via /etc/pam.d/system-auth</fixtext>
3180: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3181: <check-content-ref name="oval:org.fedoraproject.f14:def:200805" href="scap-fedora14-oval.xml"/>
3182: </check>
3183: </Rule>
3184: <Rule id="rule-2.3.3.2.c" selected="false" weight="10.000000" severity="medium">
3185: <title xml:lang="en">Do not log authorization failures and successes</title>
3186: <description xml:lang="en">Remove pam_succeed_if module with quiet option and remove auth pam_deny line.</description>
3187: <fixtext xml:lang="en">(1) via /etc/pam.d/system-auth</fixtext>
3188: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3189: <check-content-ref name="oval:org.fedoraproject.f14:def:200806" href="scap-fedora14-oval.xml"/>
3190: </check>
3191: </Rule>
3192: </Group>
3193: <Group id="group-2.3.3.3" hidden="false">
3194: <title xml:lang="en">Use pam_deny.so to Quickly Deny Access to a Service</title>
3195: <description xml:lang="en">
3196: In order to deny access to a service SVCNAME via PAM, edit the
3197: file /etc/pam.d/SVCNAME. Prepend this line to the beginning of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3198: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3199: auth requisite pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3200: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3201: Under most circumstances, there are better ways to disable a service than to
3202: deny access via PAM. However, this should suffice as a way to quickly make a service
3203: unavailable to future users (existing sessions which have already been authenticated,
3204: are not affected). The requisite tag tells PAM that, if the named module returns
3205: failure, authentication should fail, and PAM should immediately stop processing the
3206: configuration file. The pam_deny.so module always returns failure regardless of its
3207: input.</description>
3208: </Group>
3209: <Group id="group-2.3.3.4" hidden="false">
3210: <title xml:lang="en">Restrict Execution of userhelper to Console Users</title>
3211: <description xml:lang="en">
3212: If your environment has defined a group, usergroup containing
3213: all the human users of your system, restrict execution of the userhelper program to only
3214: that group: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3215: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3216: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chgrp usergroup /usr/sbin/userhelper <xhtml:br/>
3217: # chmod 4710 /usr/sbin/userhelper <xhtml:br/></xhtml:code>
3218: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3219: The userhelper program provides authentication for graphical services which must run
3220: with root privileges, such as the system-config-* family of graphical configuration
3221: utilities. Only human users logged into the system console are likely to ever have a
3222: legitimate need to run these utilities. This step provides some protection against
3223: possible flaws in userhelper's implementation, and against further privilege escalation
3224: when system accounts are compromised. See Section 2.3.2.2 for more information on
3225: creating a group of human users. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3226: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3227: The userhelper program is configured by the files in /etc/security/console.apps/. Each
3228: file specifies, for some program, what user the program should run as, and what program
3229: should be executed after successful authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3230: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3231: Note: The configuration in /etc/security/console.apps/ is applied in
3232: combination with the PAM configuration of the service defined in /etc/pam.d/. First,
3233: userhelper determines what user the service should run as. (Typically, this will be
3234: root.) Next, userhelper uses the PAM API to allow the user who ran the program to
3235: attempt to authenticate as the desired user. The PAM API exchange is wrapped in a GUI if
3236: the application's configuration requests one.</description>
3237: <Value id="var-2.3.3.4.a" operator="equals" type="string">
3238: <title xml:lang="en">Name of group containing human users</title>
3239: <description xml:lang="en">Enter group to aggregate human users</description>
3240: <value>usergroup</value>
3241: <value selector="usergroup">usergroup</value>
3242: </Value>
3243: <Value id="var-2.3.3.4.b" operator="equals" type="string">
3244: <title xml:lang="en">userhelper file permissions</title>
3245: <description xml:lang="en">Enter file permissions for /usr/sbin/userhelper</description>
3246: <question xml:lang="en">Enter file permissions for /usr/sbin/userhelper</question>
3247: <value>100111001000</value>
3248: <value selector="4710">100111001000</value>
3249: <match>^[10]+$</match>
3250: </Value>
3251: <Rule id="rule-2.3.3.4.a" selected="false" weight="10.000000">
3252: <title xml:lang="en">Restrict Execution of userhelper to Console Users</title>
3253: <description xml:lang="en">The /usr/sbin/userhelper file should be owned by the appropriate group.</description>
3254: <ident system="http://cce.mitre.org">CCE-4185-5</ident>
3255: <fix># chgrp usergroup /usr/sbin/userhelper</fix>
3256: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3257: <check-export export-name="oval:org.fedoraproject.f14:var:20081" value-id="var-2.3.3.4.a"/>
3258: <check-content-ref name="oval:org.fedoraproject.f14:def:20081" href="scap-fedora14-oval.xml"/>
3259: </check>
3260: </Rule>
3261: <Rule id="rule-2.3.3.4.b" selected="false" weight="10.000000">
3262: <title xml:lang="en">Restrict File permissions of userhelper</title>
3263: <description xml:lang="en">File permissions for /usr/sbin/userhelper should be set correctly.</description>
3264: <ident system="http://cce.mitre.org">CCE-3952-9</ident>
3265: <fix># chmod 4710 /usr/sbin/userhelper</fix>
3266: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3267: <check-export export-name="oval:org.fedoraproject.f14:var:20082" value-id="var-2.3.3.4.b"/>
3268: <check-content-ref name="oval:org.fedoraproject.f14:def:20082" href="scap-fedora14-oval.xml"/>
3269: </check>
3270: </Rule>
3271: </Group>
3272: <Group id="group-2.3.3.5" hidden="false">
3273: <title xml:lang="en">Password Hashing Algorithm</title>
3274: <description xml:lang="en">
3275: The default algorithm for storing password hashes should be SHA-512.
3276: </description>
3277: <Value id="var-2.3.3.5.a" operator="equals" type="string">
3278: <title xml:lang="en">Password hashing algorithm</title>
3279: <description xml:lang="en">Enter /etc/shadow password hashing algorithm</description>
3280: <question xml:lang="en">Enter /etc/shadow password hashing algorithm</question>
3281: <value>sha512</value>
3282: <value selector="MD5">md5</value>
3283: <value selector="SHA-256">sha256</value>
3284: <value selector="SHA-512">sha512</value>
3285: <choices>
3286: <choice>md5</choice>
3287: <choice>sha256</choice>
3288: <choice>sha512</choice>
3289: </choices>
3290: </Value>
3291: <Rule id="rule-2.3.3.5.a" selected="false" weight="10.000000" severity="medium">
3292: <title xml:lang="en">Password hashing algorithm</title>
3293: <description xml:lang="en">The password hashing algorithm should be set to SHA-512</description>
3294: <fix>/usr/sbin/authconfig --passalgo=sha512 --update</fix>
3295: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3296: <check-export export-name="oval:org.fedoraproject.f14:var:20083" value-id="var-2.3.3.5.a"/>
3297: <check-content-ref name="oval:org.fedoraproject.f14:def:20083" href="scap-fedora14-oval.xml"/>
3298: </check>
3299: </Rule>
3300: </Group>
3301: <Group id="group-2.3.3.6" hidden="false">
3302: <title xml:lang="en">Limit Password Reuse</title>
3303: <description xml:lang="en">
3304: Do not allow users to reuse recent passwords. This can be
3305: accomplished by using the remember option for the pam_unix PAM module. In order to
3306: prevent a user from re-using any of his or her last <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/> passwords,
3307: append remember=<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/> to the password line which uses the
3308: pam_unix module in the file /etc/pam.d/system-auth, as shown:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3309: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3310: password sufficient pam_unix.so existing_options remember=<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3311: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3312: Old (and thus no longer valid) passwords are stored in the file /etc/security/opasswd.
3313: </description>
3314: <Value id="var-2.3.3.6.a" operator="equals" type="string">
3315: <title xml:lang="en">remember</title>
3316: <description xml:lang="en">
3317: The last n passwords for each user are saved in
3318: /etc/security/opasswd in order to force password change history and keep the user from
3319: alternating between the same password too frequently. </description>
3320: <question xml:lang="en">Enter how many previous passwords will be saved to keep the user from alternating between the same password too frequently</question>
3321: <value>5</value>
3322: <value selector="5">5</value>
3323: <value selector="10">10</value>
3324: <match>^[\d]+$</match>
3325: </Value>
3326: <Rule id="rule-2.3.3.6.a" selected="false" weight="10.000000" severity="medium">
3327: <title xml:lang="en">Limit password reuse</title>
3328: <description xml:lang="en">The passwords to remember should be set to: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.3.6.a"/></description>
3329: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3330: <check-export export-name="oval:org.fedoraproject.f14:var:20084" value-id="var-2.3.3.6.a"/>
3331: <check-content-ref name="oval:org.fedoraproject.f14:def:20084" href="scap-fedora14-oval.xml"/>
3332: </check>
3333: </Rule>
3334: </Group>
3335: </Group>
3336: <Group id="group-2.3.4" hidden="false">
3337: <title xml:lang="en">Secure Session Configuration Files for Login Accounts</title>
3338: <description xml:lang="en">
3339: When a user logs into a Unix account, the system configures the
3340: user's session by reading a number of files. Many of these files are located in the user's
3341: home directory, and may have weak permissions as a result of user error or
3342: misconfiguration. If an attacker can modify or even read certain types of account
3343: configuration information, he can often gain full access to the affected user's account.
3344: Therefore, it is important to test and correct configuration file permissions for
3345: interactive accounts, particularly those of privileged users such as root or system
3346: administrators.</description>
3347: <Group id="group-2.3.4.1" hidden="false">
3348: <title xml:lang="en">Ensure that No Dangerous Directories Exist in Root's Path</title>
3349: <description xml:lang="en">
3350: The active path of the root account can be obtained by starting
3351: a new root shell and running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3352: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3353: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># echo $PATH <xhtml:br/></xhtml:code>
3354: This will produce a colon-separated list of directories in the path. For each directory
3355: DIR in the path, ensure that DIR is not equal to a single . character. Also ensure that
3356: there are no 'empty' elements in the path, such as in these examples: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3357: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3358: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=:/bin <xhtml:br/>
3359: PATH=/bin: <xhtml:br/>
3360: PATH=/bin::/sbin <xhtml:br/></xhtml:code>
3361: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3362: These empty elements have the same effect as a single . character. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3363: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3364: For each element in the path, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3365: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3366: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld DIR <xhtml:br/></xhtml:code>
3367: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3368: and ensure that write permissions are disabled for group and other. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3369: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3370: It is important to prevent root from executing unknown or untrusted programs, since such
3371: programs could contain malicious code. Therefore, root should not run programs installed
3372: by unprivileged users. Since root may often be working inside untrusted directories, the
3373: . character, which represents the current directory, should never be in the root path,
3374: nor should any directory which can be written to by an unprivileged or semi-privileged
3375: (system) user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3376: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3377: It is a good practice for administrators to always execute privileged
3378: commands by typing the full path to the command.</description>
3379: <Rule id="rule-2.3.4.1.a" selected="false" weight="10.000000" severity="medium">
3380: <title xml:lang="en">Ensure that No Dangerous Directories Exist in Root's Path</title>
3381: <description xml:lang="en">The PATH variable should be set correctly for user root</description>
3382: <ident system="http://cce.mitre.org">CCE-3301-9</ident>
3383: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3384: <check-content-ref name="oval:org.fedoraproject.f14:def:20085" href="scap-fedora14-oval.xml"/>
3385: </check>
3386: </Rule>
3387: <Rule id="rule-2.3.4.1.b" selected="false" weight="10.000000" severity="medium">
3388: <title xml:lang="en">Write permissions are disabled for group and other in all directories in Root's Path</title>
3389: <description xml:lang="en">Check each directory in root's path and make sure it does not grant write permission to group and other</description>
3390: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3391: <check-content-ref name="oval:org.fedoraproject.f14:def:200855" href="scap-fedora14-oval.xml"/>
3392: </check>
3393: </Rule>
3394: </Group>
3395: <Group id="group-2.3.4.2" hidden="false">
3396: <title xml:lang="en">Ensure that User Home Directories are not Group-Writable or
3397: World-Readable</title>
3398: <description xml:lang="en">
3399: For each human user USER of the system, view the permissions of the
3400: user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3401: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3402: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER <xhtml:br/></xhtml:code>
3403: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3404: Ensure that the directory is not group-writable and that it is not world-readable. If
3405: necessary, repair the permissions:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3406: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3407: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod g-w /home/USER <xhtml:br/>
3408: # chmod o-rwx /home/USER <xhtml:br/></xhtml:code>
3409: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3410: User home directories contain many
3411: configuration files which affect the behavior of a user's account. No user should ever
3412: have write permission to another user's home directory. Group shared directories can be
3413: configured in subdirectories or elsewhere in the filesystem if they are needed.
3414: Typically, user home directories should not be world-readable. If a subset of users need
3415: read access to one another's home directories, this can be provided using groups.</description>
3416: <warning xml:lang="en">Sections 2.3.4.2–2.3.4.5 recommend modifying user home
3417: directories. Notify your user community, and solicit input if appropriate, before making
3418: this type of change. </warning>
3419: <Rule id="rule-2.3.4.2.a" selected="false" weight="10.000000" severity="medium">
3420: <title xml:lang="en">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
3421: <description xml:lang="en">File permissions should be set correctly for the home directories for all user accounts.</description>
3422: <ident system="http://cce.mitre.org">CCE-4090-7</ident>
3423: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3424: <check-content-ref name="oval:org.fedoraproject.f14:def:20086" href="scap-fedora14-oval.xml"/>
3425: </check>
3426: </Rule>
3427: </Group>
3428: <Group id="group-2.3.4.3" hidden="false">
3429: <title xml:lang="en">Ensure that User Dot-Files are not World-writable</title>
3430: <description xml:lang="en">
3431: For each human user USER of the system, view the permissions of
3432: all dot-files in the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3433: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3434: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER/.[A-Za-z0-9]* <xhtml:br/></xhtml:code>
3435: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3436: Ensure that none of these files are group- or world-writable. Correct each misconfigured file
3437: FILE by executing: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3438: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3439: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod go-w /home/USER/FILE <xhtml:br/></xhtml:code>
3440: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3441: A user who can modify another user's configuration files can likely execute commands
3442: with the other user's privileges, including stealing data, destroying files, or
3443: launching further attacks on the system.</description>
3444: </Group>
3445: <Group id="group-2.3.4.4" hidden="false">
3446: <title xml:lang="en">Ensure that Users Have Sensible Umask Values</title>
3447: <description xml:lang="en">
3448: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns="http://checklists.nist.gov/xccdf/1.1">
3449: <xhtml:li>Edit the global configuration files /etc/bashrc and /etc/csh.cshrc.
3450: Add or correct the line: umask <sub idref="var-2.3.4.4"/></xhtml:li>
3451: <xhtml:li>View the additional configuration files /etc/csh.login and /etc/profile.d/*,
3452: and ensure that none of these files redefine the umask to a more permissive value
3453: unless there is a good reason for it.</xhtml:li>
3454: </xhtml:ol>
3455: With a default umask setting of 077, files and directories created by users will not be
3456: readable by any other user on the system. Users who wish to make specific files group-
3457: or world-readable can accomplish this using the chmod command. Additionally, users can
3458: make all their files readable to their group by default by setting a umask of 027 in
3459: their shell configuration files. If default per-user groups exist (that is, if every
3460: user has a default group whose name is the same as that user's username and whose only
3461: member is the user), then it may even be safe for users to select a umask of 007, making
3462: it very easy to intentionally share files with groups of which the user is a member. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3463: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3464: In addition, it may be necessary to change root's umask temporarily in order to install
3465: software or files which must be readable by other users, or to change the default umasks
3466: of certain service accounts such as the FTP user. However, setting a restrictive default
3467: protects the files of users who have not taken steps to make their files more available,
3468: and prevents files from being inadvertently shared.</description>
3469: <Value id="var-2.3.4.4" operator="equals" type="string">
3470: <title xml:lang="en">Sensible umask</title>
3471: <description xml:lang="en">Enter default user umask</description>
3472: <question xml:lang="en">Enter default user umask</question>
3473: <value>002</value>
3474: <value selector="002">002</value>
3475: <value selector="007">007</value>
3476: <value selector="022">022</value>
3477: <value selector="027">027</value>
3478: <value selector="077">077</value>
3479: <match>^0?[0-7][0-7][0-7]?$</match>
3480: </Value>
3481: <Rule id="rule-2.3.4.4.a" selected="false" weight="10.000000" severity="medium">
3482: <title xml:lang="en">Ensure that Users Have Sensible Umask Values in /etc/bashrc</title>
3483: <description xml:lang="en">The default umask for all users for the bash shell should be set to:
3484: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.4.4"/></description>
3485: <ident system="http://cce.mitre.org">CCE-3844-8</ident>
3486: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3487: <check-export export-name="oval:org.fedoraproject.f14:var:20087" value-id="var-2.3.4.4"/>
3488: <check-content-ref name="oval:org.fedoraproject.f14:def:20087" href="scap-fedora14-oval.xml"/>
3489: </check>
3490: </Rule>
3491: <Rule id="rule-2.3.4.4.b" selected="false" weight="10.000000" severity="medium">
3492: <title xml:lang="en">Ensure that Users Have Sensible Umask Values in /etc/csh.cshrc</title>
3493: <description xml:lang="en">The default umask for all users for the csh shell should be set to:
3494: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.4.4"/></description>
3495: <ident system="http://cce.mitre.org">CCE-4227-5</ident>
3496: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3497: <check-export export-name="oval:org.fedoraproject.f14:var:20087" value-id="var-2.3.4.4"/>
3498: <check-content-ref name="oval:org.fedoraproject.f14:def:20088" href="scap-fedora14-oval.xml"/>
3499: </check>
3500: </Rule>
3501: </Group>
3502: <Group id="group-2.3.4.5" hidden="false">
3503: <title xml:lang="en">Ensure that Users do not Have .netrc Files</title>
3504: <description xml:lang="en">
3505: For each human user USER of the system, ensure that the user
3506: has no .netrc file. The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3507: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3508: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -l /home/USER/.netrc <xhtml:br/></xhtml:code>
3509: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3510: should return the error 'No such file or directory'. If any user has such a file,
3511: approach that user to discuss removing this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3512: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3513: The .netrc file is a configuration file used to make unattended
3514: logins to other systems via FTP. When this file exists, it frequently contains
3515: unencrypted passwords which may be used to attack other systems.</description>
3516: <Rule id="rule-2.3.4.5.a" selected="false" weight="10.000000" severity="medium">
3517: <title xml:lang="en">Check for existence of .netrc file</title>
3518: <description xml:lang="en">No user directory should contain file .netrc</description>
3519: <fix>rm .netrc</fix>
3520: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3521: <check-content-ref name="oval:org.fedoraproject.f14:def:20091" href="scap-fedora14-oval.xml"/>
3522: </check>
3523: </Rule>
3524: </Group>
3525: </Group>
3526: <Group id="group-2.3.5" hidden="false">
3527: <title xml:lang="en">Protect Physical Console Access</title>
3528: <description xml:lang="en">
3529: It is impossible to fully protect a system from an attacker with
3530: physical access, so securing the space in which the system is located should be considered
3531: a necessary step. However, there are some steps which, if taken, make it more difficult
3532: for an attacker to quickly or undetectably modify a system from its console.</description>
3533: <Group id="group-2.3.5.1" hidden="false">
3534: <title xml:lang="en">Set BIOS Password</title>
3535: <description xml:lang="en">
3536: The BIOS (on x86 systems) is the first code to execute during
3537: system startup and controls many important system parameters, including which devices
3538: the system will try to boot from, and in which order. Assign a password to prevent any
3539: unauthorized changes to the BIOS configuration. The exact steps will vary depending on
3540: your machine, but are likely to include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3541: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
3542: <xhtml:li>Reboot the machine.</xhtml:li>
3543: <xhtml:li>Press the appropriate key during the initial boot screen (F2 is typical)</xhtml:li>
3544: <xhtml:li>Navigate the BIOS configuration menu to add a password.</xhtml:li>
3545: </xhtml:ol>
3546: The exact process will be system-specific and the system's
3547: hardware manual may provide detailed instructions. This password should prevent
3548: attackers with physical access from attempting to change important parameters, such as
3549: those described in Sections 2.5.2.2.1 and 2.2.2.2.4. However, an attacker with physical
3550: access can usually clear the BIOS password. The password should be written down and
3551: stored in a physically-secure location, such as a safe, in the event that it is
3552: forgotten and must be retrieved.</description>
3553: </Group>
3554: <Group id="group-2.3.5.2" hidden="false">
3555: <title xml:lang="en">Set Boot Loader Password</title>
3556: <description xml:lang="en">
3557: During the boot process, the boot loader is responsible for
3558: starting the execution of the kernel and passing options to it. The boot loader allows
3559: for the selection of different kernels – possibly on different partitions or media.
3560: Options it can pass to the kernel include 'single-user mode,' which provides root access
3561: without any authentication, and the ability to disable SELinux. To prevent local users
3562: from modifying the boot parameters and endangering security, the boot loader
3563: configuration should be protected with a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3564: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3565: The default Fedora boot loader for x86 systems is called GRUB. To protect its
3566: configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3567: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
3568: <xhtml:li>Select a password and then generate a hash from it by running: <xhtml:br/>
3569: <xhtml:br/>
3570: <xhtml:code># grub-md5-crypt </xhtml:code> <xhtml:br/> <xhtml:br/> </xhtml:li>
3571: <xhtml:li>Insert the following line into /etc/grub.conf immediately after the header
3572: comments. (Use the output from grub-md5-crypt as the value of password-hash ): <xhtml:br/>
3573: <xhtml:br/>
3574: <xhtml:code>password --md5 password-hash </xhtml:code> <xhtml:br/> <xhtml:br/> </xhtml:li>
3575: <xhtml:li>Verify the permissions on /etc/grub.conf (which is a symlink to ../boot/grub/grub.conf):
3576: <xhtml:br/>
3577: <xhtml:br/>
3578: <xhtml:code># chown root:root /boot/grub/grub.conf <xhtml:br/>
3579: # chmod 600 /boot/grub/grub.conf</xhtml:code></xhtml:li>
3580: </xhtml:ol>
3581: Boot loaders for other platforms should offer a similar password protection feature.</description>
3582: <Value id="var-2.3.5.2.a" operator="equals" type="string">
3583: <title xml:lang="en">User that owns /boot/grub/grub.conf</title>
3584: <description xml:lang="en">Choose user that should own /boot/grub/grub.conf</description>
3585: <value>root</value>
3586: <value selector="root">root</value>
3587: </Value>
3588: <Value id="var-2.3.5.2.b" operator="equals" type="string">
3589: <title xml:lang="en">Group that owns /boot/grub/grub.conf</title>
3590: <description xml:lang="en">Choose group that should own /boot/grub/grub.conf</description>
3591: <value>root</value>
3592: <value selector="root">root</value>
3593: </Value>
3594: <Value id="var-2.3.5.2.c" operator="equals" type="string">
3595: <title xml:lang="en">permissions on /boot/grub/grub.conf</title>
3596: <description xml:lang="en">Choose file permissions on /boot/grub/grub.conf</description>
3597: <value>110000000</value>
3598: <value selector="600">110000000</value>
3599: <match>^[01]+$</match>
3600: </Value>
3601: <Rule id="rule-2.3.5.2.a" selected="false" weight="10.000000" severity="medium">
3602: <title xml:lang="en">Set Boot Loader user owner</title>
3603: <description xml:lang="en">The /boot/grub/grub.conf file should be owned by root.</description>
3604: <ident system="http://cce.mitre.org">CCE-4144-2</ident>
3605: <fix>chown root /boot/grub/grub.conf</fix>
3606: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3607: <check-export export-name="oval:org.fedoraproject.f14:var:20092" value-id="var-2.3.5.2.a"/>
3608: <check-content-ref name="oval:org.fedoraproject.f14:def:20092" href="scap-fedora14-oval.xml"/>
3609: </check>
3610: </Rule>
3611: <Rule id="rule-2.3.5.2.b" selected="false" weight="10.000000" severity="medium">
3612: <title xml:lang="en">Set Boot Loader group owner</title>
3613: <description xml:lang="en">The /boot/grub/grub.conf file should be owned by group root.</description>
3614: <ident system="http://cce.mitre.org">CCE-4197-0</ident>
3615: <fix>chown :root /boot/grub/grub.conf</fix>
3616: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3617: <check-export export-name="oval:org.fedoraproject.f14:var:20093" value-id="var-2.3.5.2.b"/>
3618: <check-content-ref name="oval:org.fedoraproject.f14:def:20093" href="scap-fedora14-oval.xml"/>
3619: </check>
3620: </Rule>
3621: <Rule id="rule-2.3.5.2.c" selected="false" weight="10.000000" severity="medium">
3622: <title xml:lang="en">Set permission on /boot/grub/grub.conf</title>
3623: <description xml:lang="en">File permissions for /boot/grub/grub.conf should be set correctly.</description>
3624: <ident system="http://cce.mitre.org">CCE-3923-0</ident>
3625: <fix>chmod 600 /boot/grub/grub.conf</fix>
3626: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3627: <check-export export-name="oval:org.fedoraproject.f14:var:20094" value-id="var-2.3.5.2.c"/>
3628: <check-content-ref name="oval:org.fedoraproject.f14:def:20094" href="scap-fedora14-oval.xml"/>
3629: </check>
3630: </Rule>
3631: <Rule id="rule-2.3.5.2.d" selected="false" weight="10.000000" severity="high">
3632: <title xml:lang="en">Set Boot Loader Password</title>
3633: <description xml:lang="en">The grub boot loader should have password protection enabled</description>
3634: <ident system="http://cce.mitre.org">CCE-3818-2</ident>
3635: <fixtext xml:lang="en">Edit /boot/grub/grub.conf and add the password line described above</fixtext>
3636: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3637: <check-content-ref name="oval:org.fedoraproject.f14:def:20095" href="scap-fedora14-oval.xml"/>
3638: </check>
3639: </Rule>
3640: </Group>
3641: <Group id="group-2.3.5.3" hidden="false">
3642: <title xml:lang="en">Require Authentication for Single-User Mode</title>
3643: <description xml:lang="en">
3644: Single-user mode is intended as a system recovery method,
3645: providing a single user root access to the system by providing a boot option at startup.
3646: By default, no authentication is performed if single-user mode is selected. This
3647: provides a trivial mechanism of bypassing security on the machine and gaining root
3648: access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3649: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3650: To require entry of the root password even if the system is started in
3651: single-user mode, add the following line to the /etc/inittab file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3652: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3653: ~~:S:wait:/sbin/sulogin</description>
3654: <Rule id="rule-2.3.5.3.a" selected="false" weight="10.000000" severity="medium">
3655: <title xml:lang="en">Require Authentication for Single-User Mode</title>
3656: <description xml:lang="en">The requirement for a password to boot into single-user mode should be enabled.</description>
3657: <ident system="http://cce.mitre.org">CCE-4241-6</ident>
3658: <fixtext xml:lang="en">(1) via /etc/inittab</fixtext>
3659: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3660: <check-content-ref name="oval:org.fedoraproject.f14:def:20096" href="scap-fedora14-oval.xml"/>
3661: </check>
3662: </Rule>
3663: </Group>
3664: <Group id="group-2.3.5.4" hidden="false">
3665: <title xml:lang="en">Disable Interactive Boot</title>
3666: <description xml:lang="en">
3667: Edit the file /etc/sysconfig/init. Add or correct the setting:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3668: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3669: PROMPT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3670: The PROMPT option allows the console user to perform an interactive system
3671: startup, in which it is possible to select the set of services which are started on
3672: boot. Using interactive boot, the console user could disable auditing, firewalls, or
3673: other services, weakening system security.</description>
3674: <Rule id="rule-2.3.5.4.a" selected="false" weight="10.000000" severity="medium">
3675: <title xml:lang="en">Disable Interactive Boot</title>
3676: <description xml:lang="en">The ability for users to perform interactive startups should be disabled.</description>
3677: <ident system="http://cce.mitre.org">CCE-4245-7</ident>
3678: <fixtext xml:lang="en">(1) via /etc/sysconfig/init</fixtext>
3679: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3680: <check-content-ref name="oval:org.fedoraproject.f14:def:20097" href="scap-fedora14-oval.xml"/>
3681: </check>
3682: </Rule>
3683: </Group>
3684: <Group id="group-2.3.5.5" hidden="false">
3685: <title xml:lang="en">Implement Inactivity Time-out for Login Shells</title>
3686: <description xml:lang="en">
3687: If the system does not run X Windows, then the login shells can
3688: be configured to automatically log users out after a period of inactivity. The following
3689: instructions are not practical for systems which run X Windows, as they will close
3690: terminal windows in the X environment. For information on how to automatically lock
3691: those systems, see Section 2.3.5.6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3692: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3693: To implement a 15-minute idle time-out for the
3694: default /bin/bash shell, create a new file tmout.sh in the directory /etc/profile.d with
3695: the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3696: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3697: TMOUT=900 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3698: readonly TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3699: export TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3700: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3701: To implement a 15-minute idle
3702: time-out for the tcsh shell, create a new file autologout.csh in the directory
3703: /etc/profile.d with the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3704: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3705: set -r autologout 15 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3706: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3707: Similar actions should be taken for any other login shells used. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3708: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3709: The example time-out here of 15 minutes should be
3710: adjusted to whatever your security policy requires. The readonly line for bash and the
3711: -r option for tcsh can be omitted if policy allows users to override the value. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3712: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3713: The automatic shell logout only occurs when the shell is the foreground process. If, for
3714: example, a vi session is left idle, then automatic logout would not occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3715: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3716: When logging in through a remote connection, as with SSH, it may be more effective to set
3717: the timeout value directly through that service. To learn how to set automatic timeout
3718: intervals for SSH, see Section 3.5.2.3.</description>
3719: <Value id="var-2.3.5.5" operator="equals" type="string">
3720: <title xml:lang="en">Inactivity timeout</title>
3721: <description xml:lang="en">Choose allowed duration of inactive SSH connections, shells, and X sessions</description>
3722: <question xml:lang="en">Choose allowed duration of inactive SSH connections, shells and X sessions in minutes</question>
3723: <value>15</value>
3724: <value selector="0_minutes">0</value>
3725: <value selector="10_minutes">10</value>
3726: <value selector="15_minutes">15</value>
3727: <match>^[\d]+$</match>
3728: </Value>
3729: <Rule id="rule-2.3.5.5.a" selected="false" weight="10.000000" severity="medium">
3730: <title xml:lang="en">Implement Inactivity Time-out for Login Shells</title>
3731: <description xml:lang="en">The idle time-out value for the /bin/tcsh shell should be:
3732: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.5.5"/></description>
3733: <ident system="http://cce.mitre.org">CCE-3689-7</ident>
3734: <fixtext xml:lang="en">(1) via /etc/profile.d/autologout.csh</fixtext>
3735: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3736: <check-export export-name="oval:org.fedoraproject.f14:var:20098" value-id="var-2.3.5.5"/>
3737: <check-content-ref name="oval:org.fedoraproject.f14:def:20098" href="scap-fedora14-oval.xml"/>
3738: </check>
3739: </Rule>
3740: <Rule id="rule-2.3.5.5.b" selected="false" weight="10.000000" severity="medium">
3741: <title xml:lang="en">Implement Inactivity Time-out for Login Shells</title>
3742: <description xml:lang="en">The idle time-out value for the default /bin/bash shell should be:
3743: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.5.5"/></description>
3744: <warning xml:lang="en">The bash TMOUT variable is expressed in seconds, whereas the value above is given in minutes (15 minutes corresponds to TMOUT=900)</warning>
3745: <ident system="http://cce.mitre.org">CCE-3707-7</ident>
3746: <fixtext xml:lang="en">(1) via /etc/profile.d/tmout.sh</fixtext>
3747: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3748: <check-export export-name="oval:org.fedoraproject.f14:var:20099" value-id="var-2.3.5.5"/>
3749: <check-content-ref name="oval:org.fedoraproject.f14:def:20099" href="scap-fedora14-oval.xml"/>
3750: </check>
3751: </Rule>
3752: </Group>
3753: <Group id="group-2.3.5.6" hidden="false">
3754: <title xml:lang="en">Configure Screen Locking</title>
3755: <description xml:lang="en">
3756: When a user must temporarily leave an account logged-in, screen
3757: locking should be employed to prevent passersby from abusing the account. User education
3758: and training is particularly important for screen locking to be effective. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3759: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3760: A policy should be implemented that trains all users to lock the screen when they plan to
3761: temporarily step away from a logged-in account. Automatic screen locking is only meant
3762: as a safeguard for those cases where a user forgot to lock the screen.</description>
3763: <Group id="group-2.3.5.6.1" hidden="false">
3764: <title xml:lang="en">Configure GUI Screen Locking</title>
3765: <description xml:lang="en">
3766: In the default GNOME desktop, the screen can be locked by
3767: choosing Lock Screen from the System menu. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3768: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3769: The gconftool-2 program can be used to
3770: enforce mandatory screen locking settings for the default GNOME environment. Run the
3771: following commands to enforce idle activation of the screen saver, screen locking, a
3772: blank-screen screensaver, and 15-minute idle activation time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3773: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:code>
3774: # gconftool-2 --direct \
3775: --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
3776: --type bool \
3777: --set /apps/gnome-screensaver/idle_activation_enabled true
3778: # gconftool-2 --direct \
3779: --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
3780: --type bool \
3781: --set /apps/gnome-screensaver/lock_enabled true
3782: # gconftool-2 --direct \
3783: --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
3784: --type string \
3785: --set /apps/gnome-screensaver/mode blank-only
3786: # gconftool-2 --direct \
3787: --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
3788: --type int \
3789: --set /apps/gnome-screensaver/idle_delay 15
3790: </xhtml:code></xhtml:pre>
3791: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3792: The default setting of 15 minutes for idle
3793: activation is reasonable for many office environments, but the setting should conform
3794: to whatever policy is defined. The screensaver mode blank-only is selected to conceal
3795: the contents of the display from passersby. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3796: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3797: Because users should be trained to lock
3798: the screen when they step away from the computer, the automatic locking feature is
3799: only meant as a backup. The Lock Screen icon from the System menu can also be dragged
3800: to the taskbar in order to facilitate even more convenient screen-locking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3801: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3802: The root
3803: account cannot be screen-locked, but this should have no practical effect as the root
3804: account should never be used to log into an X Windows environment, and should only be
3805: used only for direct login via the console in emergency circumstances. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3806: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3807: For more information
3808: about configuring GNOME screensaver, see http://live.gnome.org/GnomeScreensaver. For
3809: more information about enforcing preferences in the GNOME environment using the GConf
3810: configuration system, see http://www.gnome.org/projects/gconf and the man page
3811: gconftool-2(1).</description>
3812: <Rule id="rule-2.3.5.6.1.a" selected="false" weight="10.000000" severity="medium">
3813: <title xml:lang="en">Implement Inactivity Time-out for GNOME Screen Locking</title>
3814: <description xml:lang="en">The idle time-out before the GNOME desktop screen locks should be 15 minutes</description>
3815: <ident system="http://cce.mitre.org">CCE-3315-9</ident>
3816: <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
3817: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3818: <check-export export-name="oval:org.fedoraproject.f14:var:20098" value-id="var-2.3.5.5"/>
3819: <check-content-ref name="oval:org.fedoraproject.f14:def:20100" href="scap-fedora14-oval.xml"/>
3820: </check>
3821: </Rule>
3822: <Rule id="rule-2.3.5.6.1.b" selected="false" weight="10.000000" severity="medium">
3823: <title xml:lang="en">Implement idle activation of screen saver</title>
3824: <description xml:lang="en">Idle activation of the screen saver should be enabled</description>
3825: <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
3826: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3827: <check-content-ref name="oval:org.fedoraproject.f14:def:201005" href="scap-fedora14-oval.xml"/>
3828: </check>
3829: </Rule>
3830: <Rule id="rule-2.3.5.6.1.c" selected="false" weight="10.000000" severity="medium">
3831: <title xml:lang="en">Implement idle activation of screen lock</title>
3832: <description xml:lang="en">Idle activation of the screen lock should be enabled</description>
3833: <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
3834: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3835: <check-content-ref name="oval:org.fedoraproject.f14:def:201006" href="scap-fedora14-oval.xml"/>
3836: </check>
3837: </Rule>
3838: <Rule id="rule-2.3.5.6.1.d" selected="false" weight="10.000000" severity="medium">
3839: <title xml:lang="en">Implement blank screen saver</title>
3840: <description xml:lang="en">The screen saver should be blank</description>
3841: <fixtext xml:lang="en">(1) via gconftool-2</fixtext>
3842: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3843: <check-content-ref name="oval:org.fedoraproject.f14:def:201007" href="scap-fedora14-oval.xml"/>
3844: </check>
3845: </Rule>
3846: </Group>
3847: <Group id="group-2.3.5.6.2" hidden="false">
3848: <title xml:lang="en">Configure Console Screen Locking</title>
3849: <description xml:lang="en">
3850: A console screen locking mechanism is provided in the vlock
3851: package, which is not installed by default. If the ability to lock console screens is
3852: necessary, install the vlock package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3853: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3854: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vlock <xhtml:br/></xhtml:code>
3855: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3856: Instruct users to invoke the
3857: program when necessary, in order to prevent passersby from abusing their login: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3858: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ vlock <xhtml:br/></xhtml:code>
3859: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3860: The -a option can be used to prevent switching to other virtual consoles.</description>
3861: <Rule id="rule-2.3.5.6.2.a" selected="false" weight="10.000000" severity="medium">
3862: <title xml:lang="en">Configure console screen locking</title>
3863: <description xml:lang="en">The vlock package should be installed</description>
3864: <ident system="http://cce.mitre.org">CCE-3910-7</ident>
3865: <fix>yum install vlock</fix>
3866: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3867: <check-content-ref name="oval:org.fedoraproject.f14:def:20101" href="scap-fedora14-oval.xml"/>
3868: </check>
3869: </Rule>
3870: </Group>
3871: </Group>
3872: <Group id="group-2.3.5.7" hidden="false">
3873: <title xml:lang="en">Disable Unnecessary Ports</title>
3874: <description xml:lang="en">
3875: Though unusual, some systems may be managed only remotely and yet
3876: also exposed to risk from attackers with direct physical access to them. In these cases,
3877: reduce an attacker’s access to the system by disabling unnecessary external ports (e.g.
3878: USB, FireWire, NIC) in the system’s BIOS.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3879: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3880: Disable ports on the system which are not necessary for normal system operation. The exact
3881: steps will vary depending on your machine, but are likely to include:
3882: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
3883: <xhtml:li>Reboot the machine.</xhtml:li>
3884: <xhtml:li>Press the appropriate key during the initial boot screen (F2 is typical). </xhtml:li>
3885: <xhtml:li>Navigate the BIOS configuration menu to disable ports, such as USB, FireWire, and NIC.</xhtml:li>
3886: </xhtml:ol>
3887: </description>
3888: <warning xml:lang="en">Disabling USB ports is particularly unusual and will cause problems
3889: for important input devices such as keyboards or mice attached to the system.</warning>
3890: </Group>
3891: </Group>
3892: <Group id="group-2.3.6" hidden="false">
3893: <title xml:lang="en">Use a Centralized Authentication Service</title>
3894: <description xml:lang="en">
3895: A centralized authentication service is any method of maintaining
3896: central control over account and authentication data and of keeping this data synchronized
3897: between machines. Such services can range in complexity from a script which pushes
3898: centrally-generated password files out to all machines, to a managed scheme such as LDAP
3899: or Kerberos. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3900: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3901: If authentication information is not centrally managed, it quickly becomes
3902: inconsistent, leading to out-of-date credentials and forgotten accounts which should have
3903: been deleted. In addition, many older protocols (such as NFS) make use of the UID to
3904: identify users over a network. This is not a good practice, and these protocols should be
3905: avoided if possible. However, since most sites must still make use of some older
3906: protocols, having consistent UIDs and GIDs site-wide is a significant benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3907: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3908: Centralized
3909: authentication services do have the disadvantage that authentication information must be
3910: transmitted over a network, leading to a risk that credentials may be intercepted or
3911: manipulated. Therefore, these services must be deployed carefully. The following
3912: precautions should be taken when configuring any authentication service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3913: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
3914: <xhtml:li>Ensure that authentication information and any sensitive account information
3915: are never sent over the network unencrypted.</xhtml:li>
3916: <xhtml:li>Ensure that the root account has a local password, to allow recovery in case
3917: of network outage or authentication server failure.</xhtml:li>
3918: </xhtml:ul>
3919: This guide recommends
3920: the use of LDAP. Secure configuration of OpenLDAP for clients and servers is described in
3921: Section 3.12. Kerberos is also a good choice for a centralized authentication service, but
3922: a description of its configuration is beyond the scope of this guide. The NIS service is
3923: not recommended, and should be considered obsolete. (See Section 3.2.4.)</description>
3924: </Group>
3925: <Group id="group-2.3.7" hidden="false">
3926: <title xml:lang="en">Warning Banners for System Accesses</title>
3927: <description xml:lang="en">
3928: Each system should expose as little information about itself as
3929: possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3930: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3931: System banners, which are typically displayed just before a login prompt, give
3932: out information about the service or the host's operating system. This might include the
3933: distribution name and the system kernel version, and the particular version of a network
3934: service. This information can assist intruders in gaining access to the system as it can
3935: reveal whether the system is running vulnerable software. Most network services can be
3936: configured to limit what information is displayed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3937: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3938: Many organizations implement security
3939: policies that require that a system banner provide notice of the system's ownership, provide
3940: warning to unauthorized users, and remind authorized users of their consent to monitoring.</description>
3941: <Value id="var-2.3.7" operator="equals" type="string">
3942: <title xml:lang="en">login banner verbiage</title>
3943: <description xml:lang="en">Enter an appropriate login banner for your organization</description>
3944: <question xml:lang="en">Enter an appropriate login banner for your organization</question>
3945: <value/>
3946: <value selector="Empty_text"/>
3947: </Value>
3948: <Group id="group-2.3.7.1" hidden="false">
3949: <title xml:lang="en">Modify the System Login Banner</title>
3950: <description xml:lang="en">
3951: The contents of the file /etc/issue are displayed on the screen
3952: just above the login prompt for users logging directly into a terminal. Remote login
3953: programs such as SSH or FTP can be configured to display /etc/issue as well.
3954: Instructions for configuring each server daemon to show this file can be found in the
3955: relevant sections of Chapter 3. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3956: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3957: By default, the system will display the version of the
3958: OS, the kernel version, and the host name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3959: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3960: Edit /etc/issue. Replace the default text
3961: with a message compliant with the local site policy or a legal disclaimer.</description>
3962: <Rule id="rule-2.3.7.1.a" selected="false" weight="10.000000" severity="medium">
3963: <title xml:lang="en">Modify the System Login Banner</title>
3964: <description xml:lang="en">The system login banner text should be: "<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.7"/>"</description>
3965: <ident system="http://cce.mitre.org">CCE-4060-0</ident>
3966: <fixtext xml:lang="en">Place the chosen login banner text (var-2.3.7) in /etc/issue</fixtext>
3967: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
3968: <check-export export-name="oval:org.fedoraproject.f14:var:20102" value-id="var-2.3.7"/>
3969: <check-content-ref name="oval:org.fedoraproject.f14:def:20102" href="scap-fedora14-oval.xml"/>
3970: </check>
3971: </Rule>
3972: </Group>
3973: <Group id="group-2.3.7.2" hidden="false">
3974: <title xml:lang="en">Implement a GUI Warning Banner</title>
3975: <description xml:lang="en">
3976: In the default graphical environment, users logging directly
3977: into the system are greeted with a login screen provided by the GNOME display manager.
3978: The warning banner should be displayed in this graphical environment for these
3979: users.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3980: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3981: The files for the default RHEL theme can be found in
3982: /usr/share/gdm/themes/RHEL. Add the following sample block of XML to
3983: /usr/share/gdm/themes/RHEL/RHEL.xml after the first two "pixmap"
3984: entries:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3985: <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">
3986: <item type="rect">
3987: <pos anchor="n" x="50%" y="10" width="box" height="box"/>
3988: <box>
3989: <item type="label">
3990: <normal font="Sans 14" color="#ffffff"/>
3991: <text>Insert the text of your warning banner here.</text>
3992: </item>
3993: </box>
3994: </item>
3995: </xhtml:pre>
3996: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
3997: The
3998: full syntax that GDM theme files expect is documented elsewhere, but the above XML will
3999: create a text box centered at the top of the screen. The font, text color, and exact
4000: positioning can all be easily modified by editing the appropriate values. The latest
4001: current GDM theme manual can be found at http://www.gnome.org/projects/gdm/docs/thememanual.html.
4003: </description>
4004: <Rule id="rule-2.3.7.2.a" selected="false" weight="10.000000" severity="medium">
4005: <title xml:lang="en">Implement a GUI Warning Banner</title>
4006: <description xml:lang="en">The direct gnome login warning banner text should be: "<sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.3.7"/>"</description>
4007: <ident system="http://cce.mitre.org">CCE-4188-9</ident>
4008: <fixtext xml:lang="en">(1) via RHEL.xml</fixtext>
4009: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4010: <check-export export-name="oval:org.fedoraproject.f14:var:20102" value-id="var-2.3.7"/>
4011: <check-content-ref name="oval:org.fedoraproject.f14:def:20103" href="scap-fedora14-oval.xml"/>
4012: </check>
4013: </Rule>
4014: </Group>
4015: </Group>
4016: </Group>
4017: <Group id="group-2.4" hidden="false">
4018: <title xml:lang="en">SELinux</title>
4019: <description xml:lang="en">
4020: SELinux is a feature of the Linux kernel which can be used to guard
4021: against misconfigured or compromised programs. SELinux enforces the idea that programs
4022: should be limited in what files they can access and what actions they can take. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4023: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4024: The default
4025: SELinux policy, as configured on RHEL5, has been sufficiently developed and debugged that it
4026: should be usable on almost any Red Hat machine with minimal configuration and a small amount
4027: of system administrator training. This policy prevents system services — including most of
4028: the common network-visible services such as mail servers, ftp servers, and DNS servers —
4029: from accessing files which those services have no valid reason to access. This action alone
4030: prevents a huge amount of possible damage from network attacks against services, from
4031: trojaned software, and so forth. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4032: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4033: This guide recommends that SELinux be enabled using the
4034: default (targeted) policy on every Red Hat system, unless that system has requirements which
4035: make a stronger policy appropriate.</description>
4036: <reference href="">Frank Mayer, K. M., and Caplan, D. SELinux by Example: Using Security Enhanced Linux</reference>
4037: <Group id="group-2.4.1" hidden="false">
4038: <title xml:lang="en">How SELinux Works</title>
4039: <description xml:lang="en">
4040: In the traditional Linux/Unix security model, known as
4041: Discretionary Access Control (DAC), processes run under a user and group identity, and
4042: enjoy that user and group's access rights to all files and other objects on the system.
4043: This system brings with it a number of security problems, most notably: that processes
4044: frequently do not need and should not have the full rights of the user who ran them; that
4045: user and group access rights are not very granular, and may require administrators to
4046: allow too much access in order to allow the access that is needed; that the Unix
4047: filesystem contains many resources (such as temporary directories and world-readable
4048: files) which are accessible to users who have no legitimate reason to access them; and
4049: that legitimate users can easily provide open access to their own resources through
4050: confusion or carelessness. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4051: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4052: SELinux provides a Mandatory Access Control (MAC) system that
4053: greatly augments the DAC model. Under SELinux, every process and every object (e.g. file,
4054: socket, pipe) on the system is given a security context, a label which includes detailed
4055: type information about the object. The kernel allows processes to access objects only if
4056: that access is explicitly allowed by the policy in effect. The policy defines transitions,
4057: so that a user can be allowed to run software, but the software can run under a different
4058: context than the user's default. This automatically limits the damage that the software
4059: can do to files accessible by the calling user — the user does not need to take any action
4060: to gain this benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4061: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4062: For an action to occur, both the traditional DAC permissions must be
4063: satisfied as well as SELinux's MAC rules. If either does not permit the action, then it will
4064: not be allowed. In this way, SELinux rules can only make a system's permissions more
4065: restrictive and secure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4066: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4067: SELinux requires a complex policy in order to allow all the
4068: actions required of a system under normal operation. Three such policies have been
4069: designed for use with RHEL5, and are included with the system. In increasing order of
4070: power and complexity, they are: targeted, strict, and mls. The targeted SELinux policy
4071: consists mostly of Type Enforcement (TE) rules, and a small number of Role-Based Access
4072: Control (RBAC) rules. It restricts the actions of many types of programs, but leaves
4073: interactive users largely unaffected. The strict policy also uses TE and RBAC rules, but
4074: on more programs and more aggressively. The mls policy implements Multi-Level Security
4075: (MLS), which introduces even more kinds of labels — sensitivity and category — and rules
4076: that govern access based on these. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4077: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4078: The remainder of this section provides guidance for the
4079: configuration of the targeted policy and the administration of systems under this policy.
4080: Some pointers will be provided for readers who are interested in further strengthening
4081: their systems by using one of the stricter policies provided with RHEL5 or in writing
4082: their own policy.</description>
4083: </Group>
4084: <Group id="group-2.4.2" hidden="false">
4085: <title xml:lang="en">Enable SELinux</title>
4086: <description xml:lang="en">
4087: Edit the file /etc/selinux/config. Add or correct the following
4088: lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4089: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4090: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUX=enforcing <xhtml:br/>
4091: SELINUXTYPE=targeted <xhtml:br/></xhtml:code>
4092: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4093: Edit the file /etc/grub.conf. Ensure that
4094: the following arguments DO NOT appear on any kernel command line in the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4095: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4096: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">selinux=0 <xhtml:br/>
4097: enforcing=0 <xhtml:br/></xhtml:code>
4098: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4099: The directive SELINUX=enforcing enables SELinux at boot time. If SELinux is
4100: causing a lot of problems or preventing the system from booting, it is possible to boot
4101: into the warning-only mode SELINUX=permissive for debugging purposes. Permissive mode still logs denials but blocks nothing, so it must be treated as a temporary state. Make certain to
4102: change the mode back to enforcing after debugging, set the filesystems to be relabelled
4103: for consistency (files created while permissive may have received incorrect contexts) using the command touch /.autorelabel, and reboot. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4104: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4105: However, the RHEL5
4106: default SELinux configuration should be sufficiently reasonable that most systems will
4107: boot without serious problems. Some applications that require deep or unusual system
4108: privileges, such as virtual machine software, may not be compatible with SELinux in its
4109: default configuration. However, this should be uncommon, and SELinux's application support
4110: continues to improve. In other cases, SELinux may reveal unusual or insecure program
4111: behavior by design. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4112: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4113: The directive SELINUXTYPE=targeted configures SELinux to use the
4114: default targeted policy. See Section 2.4.6 if a stricter policy is appropriate for your
4115: site. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4116: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4117: The SELinux boot mode specified in /etc/selinux/config can be overridden by
4118: command-line arguments passed to the kernel. It is necessary to check grub.conf to ensure
4119: that this has not been done and to protect the bootloader as described in Section 2.3.5.2.</description>
4120: <Value id="var-2.4.2.c" operator="equals" type="string">
4121: <title xml:lang="en">SELinux state</title>
4122: <description xml:lang="en">
4123: enforcing - SELinux security policy is enforced. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4124: permissive - SELinux prints warnings instead of enforcing.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4125: disabled - SELinux is fully disabled.
4126: </description>
4127: <question xml:lang="en">Set the SELinux state</question>
4128: <value>enforcing</value>
4129: <value selector="enforcing">enforcing</value>
4130: <value selector="permissive">permissive</value>
4131: <value selector="disabled">disabled</value>
4132: <match>enforcing|permissive|disabled</match>
4133: <choices mustMatch="true">
4134: <choice>enforcing</choice>
4135: <choice>permissive</choice>
4136: <choice>disabled</choice>
4137: </choices>
4138: </Value>
4139: <Value id="var-2.4.2.d" operator="equals" type="string">
4140: <title xml:lang="en">SELinux policy</title>
4141: <description xml:lang="en">
4142: Type of policy in use. Possible values are:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4143: targeted - Only targeted network daemons are protected.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4144: strict - Full SELinux protection.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4145: mls - Multiple levels of security</description>
4146: <question xml:lang="en">Set the SELinux policy</question>
4147: <value>targeted</value>
4148: <value selector="targeted">targeted</value>
4149: <value selector="strict">strict</value>
4150: <value selector="mls">mls</value>
4151: <match>targeted|strict|mls</match>
4152: <choices mustMatch="true">
4153: <choice>targeted</choice>
4154: <choice>strict</choice>
4155: <choice>mls</choice>
4156: </choices>
4157: </Value>
4158: <Group id="group-2.4.2.1" hidden="false">
4159: <title xml:lang="en">Ensure SELinux is Properly Enabled</title>
4160: <description xml:lang="en">
4161: Run the command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4162: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4163: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ /usr/sbin/sestatus<xhtml:br/></xhtml:code>
4164: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4165: If the system is properly configured, the output should indicate:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4166: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
4167: <xhtml:li>SELinux status: enabled</xhtml:li>
4168: <xhtml:li>Current mode: enforcing</xhtml:li>
4169: <xhtml:li>Mode from config file: enforcing</xhtml:li>
4170: <xhtml:li>Policy from config file: targeted</xhtml:li>
4171: </xhtml:ul></description>
4172: <Rule id="rule-2.4.2.1.a" selected="false" weight="10.000000" severity="medium">
4173: <title xml:lang="en">Ensure SELinux is Properly Enabled</title>
4174: <description xml:lang="en">Check output of /usr/sbin/sestatus</description>
4175: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4176: <check-content-ref name="oval:org.fedoraproject.f14:def:201035" href="scap-fedora14-oval.xml"/>
4177: </check>
4178: </Rule>
4179: </Group>
4180: <Rule id="rule-2.4.2.a" selected="false" weight="10.000000" severity="medium">
4181: <title xml:lang="en">Enable SELinux in /etc/grub.conf</title>
4182: <description xml:lang="en">SELinux should NOT be disabled in /etc/grub.conf. Check that selinux=0 is not found on any kernel command line.</description>
4183: <ident system="http://cce.mitre.org">CCE-3977-6</ident>
4184: <fixtext xml:lang="en">Remove offending line from /etc/grub.conf</fixtext>
4185: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4186: <check-content-ref name="oval:org.fedoraproject.f14:def:20104" href="scap-fedora14-oval.xml"/>
4187: </check>
4188: </Rule>
4189: <Rule id="rule-2.4.2.b" selected="false" weight="10.000000" severity="medium">
4190: <title xml:lang="en">Enable SELinux enforcement in /etc/grub.conf</title>
4191: <description xml:lang="en">SELinux enforcement should NOT be disabled in /etc/grub.conf. Check that enforcing=0 is not found.</description>
4192: <fixtext xml:lang="en">Remove offending line from /etc/grub.conf</fixtext>
4193: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4194: <check-content-ref name="oval:org.fedoraproject.f14:def:20105" href="scap-fedora14-oval.xml"/>
4195: </check>
4196: </Rule>
4197: <Rule id="rule-2.4.2.c" selected="false" weight="10.000000" severity="medium">
4198: <title xml:lang="en">Set the SELinux state</title>
4199: <description xml:lang="en">The SELinux state should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.4.2.c"/></description>
4200: <fixtext xml:lang="en">Edit /etc/selinux/config</fixtext>
4201: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4202: <check-export export-name="oval:org.fedoraproject.f14:var:20106" value-id="var-2.4.2.c"/>
4203: <check-content-ref name="oval:org.fedoraproject.f14:def:20106" href="scap-fedora14-oval.xml"/>
4204: </check>
4205: </Rule>
4206: <Rule id="rule-2.4.2.d" selected="false" weight="10.000000" severity="medium">
4207: <title xml:lang="en">Set the SELinux policy</title>
4208: <description xml:lang="en">The SELinux policy should be set appropriately.</description>
4209: <ident system="http://cce.mitre.org">CCE-3624-4</ident>
4210: <fixtext xml:lang="en">Edit /etc/selinux/config</fixtext>
4211: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4212: <check-export export-name="oval:org.fedoraproject.f14:var:20107" value-id="var-2.4.2.d"/>
4213: <check-content-ref name="oval:org.fedoraproject.f14:def:20107" href="scap-fedora14-oval.xml"/>
4214: </check>
4215: </Rule>
4216: </Group>
4217: <Group id="group-2.4.3" hidden="false">
4218: <title xml:lang="en">Disable Unnecessary SELinux Daemons</title>
4219: <description xml:lang="en">
4220: Several daemons are installed by default as part of the RHEL5
4221: SELinux support mechanism. These daemons may improve the system's ability to enforce
4222: SELinux policy in a useful fashion, but may also represent unnecessary code running on the
4223: machine, increasing system risk. If these daemons are not needed on your system, they
4224: should be disabled.</description>
4225: <Group id="group-2.4.3.1" hidden="false">
4226: <title xml:lang="en">Disable and Remove SETroubleshoot if Possible</title>
4227: <description xml:lang="en">
4228: Is there a mission-critical reason to allow users to view
4229: SELinux denial information using the sealert GUI? If not, disable the service and remove
4230: the RPM: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4231: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4232: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig setroubleshoot off <xhtml:br/>
4233: # yum erase setroubleshoot <xhtml:br/></xhtml:code>
4234: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4235: The setroubleshoot
4236: service is a facility for notifying the desktop user of SELinux denials in a
4237: user-friendly fashion. SELinux errors may provide important information about intrusion
4238: attempts in progress, or may give information about SELinux configuration problems which
4239: are preventing correct system operation. In order to maintain a secure and usable
4240: SELinux installation, error logging and notification is necessary. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4241: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4242: However,
4243: setroubleshoot is a service which has complex functionality, which runs a daemon and
4244: uses IPC to distribute information which may be sensitive, or even to allow users to
4245: modify SELinux settings, and which does not yet implement real authentication
4246: mechanisms. This guide recommends disabling setroubleshoot and using the kernel audit
4247: functionality to monitor SELinux's behavior. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4248: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4249: In addition, since setroubleshoot
4250: automatically runs client-side code whenever a denial occurs, regardless of whether the
4251: setroubleshootd daemon is running, it is recommended that the program be removed
4252: entirely unless it is needed.</description>
4253: <Rule id="rule-2.4.3.1.a" selected="false" weight="10.000000">
4254: <title xml:lang="en">Remove SETroubleshoot if Possible</title>
4255: <description xml:lang="en">The setroubleshoot package should be uninstalled.</description>
4256: <ident system="http://cce.mitre.org">CCE-4148-3</ident>
4257: <fixtext xml:lang="en">(1) via yum</fixtext>
4258: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4259: <check-content-ref name="oval:org.fedoraproject.f14:def:20108" href="scap-fedora14-oval.xml"/>
4260: </check>
4261: </Rule>
4262: <Rule id="rule-2.4.3.1.b" selected="false" weight="10.000000" severity="low">
4263: <title xml:lang="en">Disable SETroubleshoot if Possible</title>
4264: <description xml:lang="en">The setroubleshoot service should be disabled.</description>
4265: <ident system="http://cce.mitre.org">CCE-4254-9</ident>
4266: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
4267: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4268: <check-content-ref name="oval:org.fedoraproject.f14:def:20109" href="scap-fedora14-oval.xml"/>
4269: </check>
4270: </Rule>
4271: </Group>
4272: <Group id="group-2.4.3.2" hidden="false">
4273: <title xml:lang="en">Disable MCS Translation Service (mcstrans) if Possible</title>
4274: <description xml:lang="en">
4275: Unless there is some overriding need for the convenience of
4276: category label translation, disable the MCS translation service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4277: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4278: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mcstrans off <xhtml:br/></xhtml:code>
4279: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4280: The mcstransd daemon provides the category label translation information defined in
4281: /etc/selinux/targeted/setrans.conf to client processes which request this information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4282: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4283: Category labelling is unlikely to be used except in sites with special requirements.
4284: Therefore, it should be disabled in order to reduce the amount of potentially vulnerable
4285: code running on the system. See Section 2.4.6 for more information about systems which
4286: use category labelling.</description>
4287: <Rule id="rule-2.4.3.2.a" selected="false" weight="10.000000" severity="low">
4288: <title xml:lang="en">Disable MCS Translation Service (mcstrans) if Possible</title>
4289: <description xml:lang="en">The mcstrans service should be disabled.</description>
4290: <ident system="http://cce.mitre.org">CCE-3668-1</ident>
4291: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
4292: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4293: <check-content-ref name="oval:org.fedoraproject.f14:def:20110" href="scap-fedora14-oval.xml"/>
4294: </check>
4295: </Rule>
4296: </Group>
4297: <Group id="group-2.4.3.3" hidden="false">
4298: <title xml:lang="en">Restorecon Service (restorecond)</title>
4299: <description xml:lang="en">
4300: The restorecond daemon monitors a list of files which are
4301: frequently created or modified on running systems, and whose SELinux contexts are not
4302: set correctly. It looks for creation events related to files listed in
4303: /etc/selinux/restorecond.conf, and sets the contexts of those files when they are discovered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4304: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4305: The restorecond program is fairly simple, so it brings low risk, but, in its default
4306: configuration, does not add much value to a system. An automated program such as
4307: restorecond may be used to monitor problematic files for context problems, or system
4308: administrators may be trained to check file contexts of newly-created files using the
4309: command ls -lZ, and to repair contexts manually using the restorecon command. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4310: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4311: This guide
4312: makes no recommendation either for or against the use of restorecond.</description>
4313: <Rule id="rule-2.4.3.3.a" selected="false" weight="10.000000" severity="low">
4314: <title xml:lang="en">Disable restorecon Service (restorecond)</title>
4315: <description xml:lang="en">The restorecond service should be disabled.</description>
4316: <ident system="http://cce.mitre.org">CCE-4129-3</ident>
4317: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
4318: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4319: <check-content-ref name="oval:org.fedoraproject.f14:def:20111" href="scap-fedora14-oval.xml"/>
4320: </check>
4321: </Rule>
4322: </Group>
4323: </Group>
4324: <Group id="group-2.4.4" hidden="false">
4325: <title xml:lang="en">Check for Unconfined Daemons</title>
4326: <description xml:lang="en">
4327: Daemons that SELinux policy does not know about will inherit the
4328: context of the parent process. Because daemons are launched during startup and descend
4329: from the init process, they inherit the initrc_t context. This is a problem because it may
4330: cause AVC denials, or it could allow privileges that the daemon does not require. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4331: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4332: To check for unconfined daemons, run the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4333: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4334: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'<xhtml:br/></xhtml:code>
4335: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4336: It should produce no output in a well-configured system.</description>
4337: </Group>
4338: <Group id="group-2.4.5" hidden="false">
4339: <title xml:lang="en">Check for Unlabeled Device Files</title>
4340: <description xml:lang="en">
4341: Device files are used for communication with important system
4342: resources. SELinux contexts should exist for these. If a device file is not labeled, then
4343: misconfiguration is likely.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4344: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4345: To check for unlabeled device files, run the following command against the /dev tree:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4346: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -RZ /dev | grep unlabeled_t<xhtml:br/></xhtml:code>
4347: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4348: It should produce no output in a well-configured system.</description>
4349: <Rule id="rule-2.4.5.a" selected="false" weight="10.000000" severity="medium">
4350: <title xml:lang="en">Check for Unlabeled Device Files</title>
4351: <description xml:lang="en">Check for device files that are not labeled (context unlabeled_t).</description>
4352: <fixtext xml:lang="en">Relabel the affected device files with restorecon (or touch /.autorelabel and reboot to relabel all filesystems).</fixtext>
4353: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4354: <check-content-ref name="oval:org.fedoraproject.f14:def:201115" href="scap-fedora14-oval.xml"/>
4355: </check>
4356: </Rule>
4357: </Group>
4358: <Group id="group-2.4.6" hidden="false">
4359: <title xml:lang="en">Debugging SELinux Policy Errors</title>
4360: <description xml:lang="en">
4361: SELinux's default policies have improved significantly over time,
4362: and most systems should have few problems using the targeted SELinux policy. However,
4363: policy problems may still occasionally prevent accesses which should be allowed. This is
4364: especially true if your site runs any custom or heavily modified applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4365: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4366: This section gives some brief guidance on discovering and repairing SELinux-related access
4367: problems. Guidance given here is necessarily incomplete, but should provide a starting
4368: point for debugging. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4369: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4370: If you suspect that a permission error or other failure may be caused
4371: by SELinux (and are certain that misconfiguration of the traditional Unix permissions is
4372: not the cause of the problem), search the audit logs for AVC events: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4373: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4374: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch -m AVC,USER_AVC -sv no <xhtml:br/></xhtml:code>
4375: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4376: The output of this command will be a set of events. The timestamp,
4377: along with the comm and pid fields, should indicate which line describes the problem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4378: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4379: Look
4380: up the context under which the process is running. Assuming the process ID is PID, find
4381: the context by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4382: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4383: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -p PID -Z <xhtml:br/></xhtml:code>
4384: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4385: The AVC denial message should identify the
4386: offending file or directory. The name field should contain the filename (not the full
4387: pathname by default), and the ino field can be used to search by inode, if necessary.
4388: Assuming the file is FILE, find its SELinux context: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4389: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4390: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z FILE <xhtml:br/></xhtml:code>
4391: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4392: An administrator should
4393: suspect an SELinux misconfiguration whenever a program gets a 'permission denied' error
4394: but the standard Unix permissions appear to be correct, or a program fails mysteriously on
4395: a task which seems to involve file access or network communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4396: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4397: As described in
4398: Section 2.4.1, SELinux augments each process with a context providing detailed type
4399: information about that process. The contexts under which processes run may be referred to
4400: as subject contexts. Similarly, each filesystem object is given a context. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4401: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4402: The targeted
4403: policy consists of a set of rules, each of which allows a subject type to perform some
4404: operation on a given object type. The kernel stores information about these access
4405: decisions in a structure known as an Access Vector Cache (AVC), so authorization
4406: decisions made by the system are audited with the type AVC. It is also possible for
4407: userspace modules to implement their own policies based on SELinux, and these decisions
4408: are audited with the type USER_AVC. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4409: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4410: AVC denials are logged by the kernel audit facility
4411: (see Section 2.6.2 for configuration guidance on this subsystem) and may also be visible
4412: via setroubleshoot. This guide recommends the use of the audit userspace utilities to find
4413: AVC errors. It is possible to manually locate these errors by looking in the file
4414: /var/log/audit/audit.log or in /var/log/messages (depending on the syslog configuration in
4415: effect), but the ausearch tool allows fine-grained searching on audit event types, which
4416: may be necessary if system call auditing is enabled as well. The command line above tells
4417: ausearch to look for kernel or userspace AVC messages (-m AVC,USER_AVC) where the access
4418: attempt did not succeed (-sv no). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4419: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4420: If an AVC denial occurs when it should not have, the
4421: problem is generally one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4422: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
4423: <xhtml:li>The program is running with the wrong subject
4424: context. This could happen as a result of an incorrect context on the program's executable
4425: file, which could happen if 3rd party software is installed and not given appropriate
4426: SELinux file contexts. </xhtml:li>
4427: <xhtml:li>The file has the wrong object context because the current file's
4428: context does not match the specification. This can occur when files are created or
4429: modified in certain ways. It is not atypical for configuration files to get the wrong
4430: contexts after a system configuration change performed by an administrator. To repair the
4431: file, use the command: <xhtml:br/>
4432: <xhtml:br/>
4433: <xhtml:code># restorecon -v FILE <xhtml:br/></xhtml:code>
4434: <xhtml:br/>
4435: This should produce output indicating that the
4436: file's context has been changed. The /usr/bin/chcon program can be used to manually change
4437: a file's context, but this is problematic because the change will not persist if it does
4438: not agree with the policy-defined contexts applied by restorecon.</xhtml:li>
4439: <xhtml:li>The file has the wrong
4440: object context because the specification is either incorrect or does not match the way the
4441: file is being used on this system. In this case, it will be necessary to change the system
4442: file contexts. <xhtml:br/>
4443: <xhtml:br/>
4444: Run the system-config-selinux tool, and go to the 'File Labeling' menu.
4445: This will give a list of files and wildcards corresponding to file labelling rules on the
4446: system. Add a rule which maps the file in question to the desired context. As an
4447: alternative, file contexts can be modified from the command line using the semanage(8)
4448: tool.</xhtml:li>
4449: <xhtml:li>The program and file have the correct contexts, but the policy should allow some
4450: operation between those two contexts which is currently not allowed. In this case, it will
4451: be necessary to modify the SELinux policy. <xhtml:br/>
4452: <xhtml:br/>
4453: Run the system-config-selinux tool, and go to
4454: the 'Boolean' menu. If your configuration is supported, but is not the Red Hat default,
4455: then there will be a boolean allowing real-time modification of the SELinux policy to fix
4456: the problem. Browse through the items in this menu, looking for one which is related to
4457: the service which is not working. As an alternative, SELinux booleans can be modified from
4458: the command line using the getsebool(8) and setsebool(8) tools. <xhtml:br/>
4459: <xhtml:br/>
4460: If there is no boolean, it
4461: will be necessary to create and load a policy module. A simple way to build a policy
4462: module is to use the audit2allow tool. This tool can take input in the format of AVC
4463: denial messages, and generate syntactically correct Type Enforcement rules which would be
4464: sufficient to prevent those denials. For example, to generate and display rules which
4465: would allow all kernel denials recorded in the recent past (the "-ts recent" window of ausearch covers the last ten minutes), run: <xhtml:br/>
4466: <xhtml:br/>
4467: <xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow <xhtml:br/></xhtml:code>
4468: <xhtml:br/>
4469: It is possible to use audit2allow to directly create a module
4470: package suitable for loading into the kernel policy. To do this, invoke audit2allow with
4471: the -M flag: <xhtml:br/>
4472: <xhtml:br/>
4473: <xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow -M localmodule <xhtml:br/></xhtml:code>
4474: <xhtml:br/>
4475: If this is
4476: successful, several lines of output should appear. Review the generated TE rules in the
4477: file localmodule.te and ensure that they express what you wish to allow. audit2allow permits exactly what was denied, so denials caused by an attack, a mislabeled file, or a misconfigured service would become permanent policy if the module were loaded unreviewed; prefer fixing labels or enabling an existing boolean where one applies. <xhtml:br/>
4478: <xhtml:br/>
4479: The file
4480: localmodule.pp should also have been created. This file is a policy module package that
4481: can be loaded into the kernel. To do so, use system-config-selinux, go to the 'Policy
4482: Module' menu and use the 'Add' button to enable your module package in SELinux, or load it
4483: from the command line using semodule(8): <xhtml:br/>
4484: <xhtml:br/>
4485: <xhtml:code># semodule -i localmodule.pp <xhtml:br/></xhtml:code>
4486: <xhtml:br/>
4487: Section 45.2 of [9] covers this procedure in detail.</xhtml:li>
4488: </xhtml:ul></description>
4489: </Group>
4490: <Group id="group-2.4.7" hidden="false">
4491: <title xml:lang="en">Further Strengthening</title>
4492: <description xml:lang="en">
4493: The recommendations up to this point have discussed how to
4494: configure and maintain a system under the default configuration of the targeted policy,
4495: which constrains only the actions of daemons and system software. This guide strongly
4496: recommends that any site which is not currently using SELinux at all transition to the
4497: targeted policy, to gain the substantial security benefits provided by that policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4498: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4499: However, the default policy provides only a subset of the full security gains available
4500: from using SELinux. In particular, the SELinux policy is also capable of constraining the
4501: actions of interactive users, of providing compartmented access by sensitivity level (MLS)
4502: and/or category (MCS), and of restricting certain types of system actions using booleans
4503: beyond the RHEL5 defaults. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4504: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4505: This section introduces other uses of SELinux which may be
4506: possible, and provides links to some outside resources about their use. Detailed
4507: description of how to implement these steps is beyond the scope of this guide.</description>
4508: <Group id="group-2.4.7.1" hidden="false">
4509: <title xml:lang="en">Strengthen the Default SELinux Boolean Configuration</title>
4510: <description xml:lang="en">
4511: SELinux booleans are used to enable or disable segments of
4512: policy to comply with site policy. Booleans may apply to the entire system or to an
4513: individual daemon. For instance, the boolean allow_execstack, if enabled, allows
4514: programs to make part of their stack memory region executable. This would apply to all
4515: programs on the system. The boolean ftp_home_dir allows ftpd processes to access user
4516: home directories, and applies only to daemons which implement FTP. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4517: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4518: The command <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4519: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4520: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ getsebool -a <xhtml:br/></xhtml:code>
4521: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4522: lists the values of all SELinux booleans on the system. Section 2.4.5
4523: discussed loosening boolean values in order to debug functionality problems which occur
4524: under more restrictive defaults. It is also useful to examine and strengthen the boolean
4525: settings, to disable functionality which is not required by legitimate programs on your
4526: system, but which might be symptomatic of an attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4527: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4528: See the manpages booleans(8),
4529: getsebool(8), and setsebool(8) for general information about booleans. There are also
4530: manual pages for several subsystems which discuss the use of SELinux with those systems.
4531: Examples include ftpd_selinux(8), httpd_selinux(8), and nfs_selinux(8). Another good
4532: reference is the html documentation distributed with the selinux-policy RPM. This
4533: documentation is stored under <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4534: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4535: /usr/share/doc/selinux-policy-&lt;version&gt;/html/ (substitute the installed selinux-policy package version) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4536: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4537: The pages
4538: global_tunables.html and global_booleans.html may be useful when examining booleans.</description>
4539: </Group>
4540: <Group id="group-2.4.7.2" hidden="false">
4541: <title xml:lang="en">Use a Stronger Policy</title>
4542: <description xml:lang="en">
4543: Using a stronger policy can greatly enhance security, but will
4544: generally require customization to be compatible with the particular system's purpose,
4545: and this may be costly or time consuming. Under the targeted policy, interactive
4546: processes are given the type unconfined_t, so interactive users are not constrained by
4547: SELinux even if they attempt to take strange or malicious actions. The first alternative
4548: policy available with RHEL5's SELinux distribution, called strict, extends the
4549: protections offered by the default policy from daemons and system processes to all
4550: processes. To use the strict policy, first ensure that the policy module is installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4551: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4552: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-strict <xhtml:br/></xhtml:code>
4553: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4554: Then edit /etc/selinux/config and correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4555: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4556: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=strict <xhtml:br/></xhtml:code>
4557: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4558: The mls policy type can be used to enforce sensitivity or category
4559: labelling, and requires site-specific configuration of these labels in order to be
4560: useful. To use this policy, install the appropriate policy module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4561: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4562: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-mls <xhtml:br/></xhtml:code>
4563: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4564: Then edit /etc/selinux/config and correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4565: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4566: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=mls</xhtml:code></description>
4567: <warning xml:lang="en">
4568: Note: Switching between policies typically requires the entire disk to be relabelled, so
4569: that files get the appropriate SELinux contexts under the new policy. Boot with the
4570: additional grub command-line options <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4571: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4572: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">enforcing=0 single autorelabel </xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4573: to relabel the disk in single-user mode, then reboot normally. Because enforcing=0 puts SELinux in permissive mode for that boot, keep the system off the network until it has rebooted and "getenforce" reports Enforcing.</warning>
4574: </Group>
4575: </Group>
4576: <Group id="group-2.4.8" hidden="false">
4577: <title xml:lang="en">SELinux References</title>
4578: <description xml:lang="en">
4579: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
4580: <xhtml:li>NSA SELinux resources:<xhtml:br/>
4581: <xhtml:ul>
4582: <xhtml:li>Web page: http://www.nsa.gov/selinux/</xhtml:li>
4583: <xhtml:li>Mailing list: selinux@tycho.nsa.gov <xhtml:br/>
4584: List information at: http://www.nsa.gov/selinux/info/list.cfm</xhtml:li>
4585: </xhtml:ul>
4586: </xhtml:li>
4587: <xhtml:li>Fedora SELinux resources:<xhtml:br/>
4588: <xhtml:ul>
4589: <xhtml:li>FAQ: http://docs.fedoraproject.org/selinux-faq/</xhtml:li>
4590: <xhtml:li>Wiki: http://fedoraproject.org/wiki/SELinux/</xhtml:li>
4591: <xhtml:li>Mailing list: fedora-selinux-list@redhat.com <xhtml:br/>
4592: List information at:
4593: https://www.redhat.com/mailman/listinfo/fedora-selinux-list</xhtml:li>
4594: </xhtml:ul>
4595: </xhtml:li>
4596: <xhtml:li>Chapters 43–45 of Red Hat Enterprise Linux 5: Deployment Guide [9]</xhtml:li>
4597: <xhtml:li>The book SELinux by Example: Using Security Enhanced Linux [13]</xhtml:li>
4598: </xhtml:ul></description>
4599: </Group>
4600: </Group>
4601: <Group id="group-2.5" hidden="false">
4602: <title xml:lang="en">Network Configuration and Firewalls</title>
4603: <description xml:lang="en">
4604: Most machines must be connected to a network of some sort, and this
4605: brings with it the substantial risk of network attack. This section discusses the security
4606: impact of decisions about networking which must be made when configuring a system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4607: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4608: This section also discusses firewalls, network access controls, and other network security
4609: frameworks, which allow system-level rules to be written that can limit attackers' ability
4610: to connect to your system. These rules can specify that network traffic should be allowed or
4611: denied from certain IP addresses, hosts, and networks. The rules can also specify which of
4612: the system's network services are available to particular hosts or networks.</description>
4613: <Group id="group-2.5.1" hidden="false">
4614: <title xml:lang="en">Kernel Parameters which Affect Networking</title>
4615: <description xml:lang="en">
4616: The sysctl utility is used to set a number of parameters which
4617: affect the operation of the Linux kernel. Several of these parameters are specific to
4618: networking, and the configuration options in this section are recommended.</description>
4619: <Group id="group-2.5.1.1" hidden="false">
4620: <title xml:lang="en">Network Parameters for Hosts Only</title>
4621: <description xml:lang="en">
4622: Is this system going to be used as a firewall or gateway to
4623: pass IP traffic between different networks? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4624: If not, edit the file /etc/sysctl.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4625: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4626: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.ip_forward = 0 <xhtml:br/>
4627: net.ipv4.conf.all.send_redirects = 0 <xhtml:br/>
4628: net.ipv4.conf.default.send_redirects = 0 <xhtml:br/></xhtml:code>
4629: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4630: These settings prevent hosts from
4631: performing network functionality which is only appropriate for routers (forwarding packets between interfaces and sending ICMP redirects).</description>
4632: <Rule id="rule-2.5.1.1.a" selected="false" weight="10.000000" severity="medium">
4633: <title xml:lang="en">Disable net.ipv4.conf.default.send_redirects for Hosts Only</title>
4634: <description xml:lang="en">The default setting for sending ICMP redirects should be disabled for network interfaces.</description>
4635: <ident system="http://cce.mitre.org">CCE-4151-7</ident>
4636: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.send_redirects</fixtext>
4637: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4638: <check-content-ref name="oval:org.fedoraproject.f14:def:20112" href="scap-fedora14-oval.xml"/>
4639: </check>
4640: </Rule>
4641: <Rule id="rule-2.5.1.1.b" selected="false" weight="10.000000" severity="medium">
4642: <title xml:lang="en">Disable net.ipv4.conf.all.send_redirects for Hosts Only</title>
4643: <description xml:lang="en">Sending ICMP redirects should be disabled for all interfaces.</description>
4644: <ident system="http://cce.mitre.org">CCE-4155-8</ident>
4645: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.send_redirects</fixtext>
4646: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4647: <check-content-ref name="oval:org.fedoraproject.f14:def:20113" href="scap-fedora14-oval.xml"/>
4648: </check>
4649: </Rule>
4650: <Rule id="rule-2.5.1.1.c" selected="false" weight="10.000000" severity="medium">
4651: <title xml:lang="en">Disable net.ipv4.ip_forward for Hosts Only</title>
4652: <description xml:lang="en">IP forwarding should be disabled.</description>
4653: <ident system="http://cce.mitre.org">CCE-3561-8</ident>
4654: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.ip_forward</fixtext>
4655: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4656: <check-content-ref name="oval:org.fedoraproject.f14:def:20114" href="scap-fedora14-oval.xml"/>
4657: </check>
4658: </Rule>
4659: </Group>
4660: <Group id="group-2.5.1.2" hidden="false">
4661: <title xml:lang="en">Network Parameters for Hosts and Routers</title>
4662: <description xml:lang="en">
4663: Edit the file /etc/sysctl.conf and add or correct the following
4664: lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4665: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4666: net.ipv4.conf.all.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4667: net.ipv4.conf.all.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4668: net.ipv4.conf.all.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4669: net.ipv4.conf.all.log_martians = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4670: net.ipv4.conf.default.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4671: net.ipv4.conf.default.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4672: net.ipv4.conf.default.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4673: net.ipv4.icmp_echo_ignore_broadcasts = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4674: net.ipv4.icmp_ignore_bogus_error_messages = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4675: net.ipv4.tcp_syncookies = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4676: net.ipv4.conf.all.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4677: net.ipv4.conf.default.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4678: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4679: These options
4680: improve Linux's ability to defend against certain types of IPv4 protocol attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4681: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4682: The
4683: accept_source_route, accept_redirects, and secure_redirects options are turned off to
4684: disable IPv4 protocol features which are considered to have few legitimate uses and to
4685: be easy to abuse: an attacker who can inject source-routed packets or ICMP redirects can steer traffic through a host under their control. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4686: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4687: The net.ipv4.conf.all.log_martians option logs several types of
4688: suspicious packets, such as spoofed packets, source-routed packets, and redirects. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4689: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4690: The icmp_echo_ignore_broadcasts and icmp_ignore_bogus_error_messages options protect against
4691: ICMP attacks: the first stops the host from answering echo requests sent to broadcast or multicast addresses (used for amplification), and the second stops bogus ICMP error responses from cluttering the kernel log. Note that the kernel's own sysctl documentation names the second key icmp_ignore_bogus_error_responses; verify the exact name against ip-sysctl.txt on the target system before relying on the check. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4692: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4693: The tcp_syncookies option uses a cryptographic feature called SYN cookies
4694: to allow machines to continue to accept legitimate connections when faced with a SYN
4695: flood attack. See [12] for further information on this option. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4696: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4697: The rp_filter option
4698: enables RFC-recommended reverse-path source validation: a packet is dropped if a reply to its source address would not leave through the interface on which it arrived. It should not be used on routers or multi-homed hosts with asymmetric routing, where legitimate traffic can arrive on an interface other than the one the return route uses and would be silently dropped,
4699: but is helpful for end hosts and routers serving
4700: small networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4701: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4702: For more information on any of these, see the kernel source
4703: documentation file Documentation/networking/ip-sysctl.txt in the kernel source tree.</description>
4704: <Value id="var-2.5.1.2.a" operator="equals" type="boolean">
4705: <title xml:lang="en">Deactivating "source routed packets"</title>
4706: <description xml:lang="en">Attackers can use source-routed packets to generate traffic that appears to originate inside the network but was actually created outside and redirected in; acceptance of such packets should be disabled.</description>
4707: <question xml:lang="en">Enable/Disable source routed packets</question>
4708: <value>0</value>
4709: <value selector="enabled">1</value>
4710: <value selector="disabled">0</value>
4711: </Value>
4712: <Value id="var-2.5.1.2.b" operator="equals" type="boolean">
4713: <title xml:lang="en">ICMP redirect messages</title>
4714: <description xml:lang="en">Disable ICMP Redirect Acceptance?</description>
4715: <question xml:lang="en">Enable/Disable ICMP redirect messages</question>
4716: <value>0</value>
4717: <value selector="enabled">1</value>
4718: <value selector="disabled">0</value>
4719: </Value>
4720: <Value id="var-2.5.1.2.c" operator="equals" type="boolean">
4721: <title xml:lang="en">net.ipv4.conf.all.secure_redirects</title>
4722: <description xml:lang="en">When enabled, ICMP redirects are accepted only from gateways listed in the default gateway list. This guide recommends disabling it on all interfaces (value 0), consistent with accept_redirects being disabled, since redirects have few legitimate uses on hosts and can be abused to alter routing paths.</description>
4723: <question xml:lang="en">Enable/Disable IPv4 acceptance of "secure" ICMP redirects on all interfaces</question>
4724: <value>0</value>
4725: <value selector="enabled">1</value>
4726: <value selector="disabled">0</value>
4727: </Value>
4728: <Value id="var-2.5.1.2.d" operator="equals" type="boolean">
4729: <title xml:lang="en">net.ipv4.conf.all.log_martians</title>
4730: <description xml:lang="en">Enable to log spoofed packets, source-routed packets and redirect packets (packets with impossible addresses) to the kernel log. This guide recommends enabling it (value 1) on all interfaces so that such traffic is visible to monitoring.</description>
4731: <question xml:lang="en">Enable/Disable IPv4 logging of spoofed packets, source routed packets and redirect packets</question>
4732: <value>1</value>
4733: <value selector="enabled">1</value>
4734: <value selector="disabled">0</value>
4735: </Value>
4736: <Value id="var-2.5.1.2.e" operator="equals" type="boolean">
4737: <title xml:lang="en">net.ipv4.conf.default.accept_source_route</title>
4738: <description xml:lang="en">Disable IP source routing?</description>
4739: <question xml:lang="en">Enable/Disable IPv4 source routing</question>
4740: <value>0</value>
4741: <value selector="enabled">1</value>
4742: <value selector="disabled">0</value>
4743: </Value>
4744: <Value id="var-2.5.1.2.f" operator="equals" type="boolean">
4745: <title xml:lang="en">net.ipv4.conf.default.accept_redirects</title>
4746: <description xml:lang="en">Disable ICMP Redirect Acceptance?</description>
4747: <question xml:lang="en">Enable/Disable default IPv4 ICMP Redirect Acceptance</question>
4748: <value>0</value>
4749: <value selector="enabled">1</value>
4750: <value selector="disabled">0</value>
4751: </Value>
4752: <Value id="var-2.5.1.2.g" operator="equals" type="boolean">
4753: <title xml:lang="en">net.ipv4.conf.default.secure_redirects</title>
4754: <description xml:lang="en">Default setting for newly created interfaces: when enabled, ICMP redirects are accepted only from gateways listed in the default gateway list. This guide recommends disabling it (value 0), consistent with net.ipv4.conf.all.secure_redirects.</description>
4755: <question xml:lang="en">Enable/Disable default IPv4 acceptance of "secure" ICMP redirects</question>
4756: <value>0</value>
4757: <value selector="enabled">1</value>
4758: <value selector="disabled">0</value>
4759: </Value>
4760: <Value id="var-2.5.1.2.h" operator="equals" type="boolean">
4761: <title xml:lang="en">net.ipv4.icmp_echo_ignore_broadcasts</title>
4762: <description xml:lang="en">Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast</description>
4763: <question xml:lang="en">Enable/Disable IPv4 ignoring ICMP ECHO and TIMESTAMP requests from broadcast/multicast</question>
4764: <value>1</value>
4765: <value selector="enabled">1</value>
4766: <value selector="disabled">0</value>
4767: </Value>
4768: <Value id="var-2.5.1.2.i" operator="equals" type="boolean">
4769: <title xml:lang="en">net.ipv4.icmp_ignore_bogus_error_messages</title>
4770: <description xml:lang="en">Enable so the kernel does not log bogus ICMP error responses (such as RFC 1122-violating replies to broadcast frames), which otherwise clutter the kernel log and can be used to flood it.</description>
4771: <value>1</value>
4772: <value selector="enabled">1</value>
4773: <value selector="disabled">0</value>
4774: </Value>
4775: <Value id="var-2.5.1.2.j" operator="equals" type="boolean">
4776: <title xml:lang="en">net.ipv4.tcp_syncookies</title>
4777: <description xml:lang="en">Enable to turn on TCP SYN Cookie Protection</description>
4778: <question xml:lang="en">Enable/Disable TCP SYN Cookie Protection</question>
4779: <value>1</value>
4780: <value selector="enabled">1</value>
4781: <value selector="disabled">0</value>
4782: </Value>
4783: <Value id="var-2.5.1.2.k" operator="equals" type="boolean">
4784: <title xml:lang="en">net.ipv4.conf.all.rp_filter</title>
4785: <description xml:lang="en">Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived. </description>
4786: <question xml:lang="en">Enable/Disable all enforcing sanity checks</question>
4787: <value>1</value>
4788: <value selector="enabled">1</value>
4789: <value selector="disabled">0</value>
4790: </Value>
4791: <Value id="var-2.5.1.2.l" operator="equals" type="boolean">
4792: <title xml:lang="en">net.ipv4.conf.default.rp_filter</title>
4793: <description xml:lang="en">Enables reverse-path source address validation (the default for newly created interfaces): packets whose source address is not reachable via the interface they arrived on are dropped.</description>
4794: <question xml:lang="en">Enable/Disable default source route verification</question>
4795: <value>1</value>
4796: <value selector="enabled">1</value>
4797: <value selector="disabled">0</value>
4798: </Value>
4799: <Rule id="rule-2.5.1.2.a" selected="false" weight="10.000000" severity="medium">
4800: <title xml:lang="en">Set net.ipv4.conf.all.accept_source_route for Hosts and Routers</title>
4801: <description xml:lang="en">Accepting source routed packets should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.a"/> for all interfaces as appropriate.</description>
4802: <ident system="http://cce.mitre.org">CCE-4236-6</ident>
4803: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.accept_source_route</fixtext>
4804: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4805: <check-export export-name="oval:org.fedoraproject.f14:var:20115" value-id="var-2.5.1.2.a"/>
4806: <check-content-ref name="oval:org.fedoraproject.f14:def:20115" href="scap-fedora14-oval.xml"/>
4807: </check>
4808: </Rule>
4809: <Rule id="rule-2.5.1.2.b" selected="false" weight="10.000000" severity="medium">
4810: <title xml:lang="en">Set net.ipv4.conf.all.accept_redirects for Hosts and Routers</title>
4811: <description xml:lang="en">Accepting ICMP redirects should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.b"/> for all interfaces as appropriate.</description>
4812: <ident system="http://cce.mitre.org">CCE-4217-6</ident>
4813: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.accept_redirects</fixtext>
4814: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4815: <check-export export-name="oval:org.fedoraproject.f14:var:20116" value-id="var-2.5.1.2.b"/>
4816: <check-content-ref name="oval:org.fedoraproject.f14:def:20116" href="scap-fedora14-oval.xml"/>
4817: </check>
4818: </Rule>
4819: <Rule id="rule-2.5.1.2.c" selected="false" weight="10.000000" severity="medium">
4820: <title xml:lang="en">Set net.ipv4.conf.all.secure_redirects for Hosts and Routers</title>
4821: <description xml:lang="en">Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.c"/> for all interfaces as appropriate.</description>
4822: <ident system="http://cce.mitre.org">CCE-3472-8</ident>
4823: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.secure_redirects</fixtext>
4824: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4825: <check-export export-name="oval:org.fedoraproject.f14:var:20117" value-id="var-2.5.1.2.c"/>
4826: <check-content-ref name="oval:org.fedoraproject.f14:def:20117" href="scap-fedora14-oval.xml"/>
4827: </check>
4828: </Rule>
4829: <Rule id="rule-2.5.1.2.d" selected="false" weight="10.000000" severity="medium">
4830: <title xml:lang="en">Set net.ipv4.conf.all.log_martians for Hosts and Routers</title>
4831: <description xml:lang="en">Logging of "martian" packets (those with impossible addresses) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.d"/> for all interfaces as appropriate.</description>
4832: <ident system="http://cce.mitre.org">CCE-4320-8</ident>
4833: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.log_martians</fixtext>
4834: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4835: <check-export export-name="oval:org.fedoraproject.f14:var:20118" value-id="var-2.5.1.2.d"/>
4836: <check-content-ref name="oval:org.fedoraproject.f14:def:20118" href="scap-fedora14-oval.xml"/>
4837: </check>
4838: </Rule>
4839: <Rule id="rule-2.5.1.2.e" selected="false" weight="10.000000" severity="medium">
4840: <title xml:lang="en">Set net.ipv4.conf.default.accept_source_route for Hosts and Routers</title>
4841: <description xml:lang="en">The default setting for accepting source routed packets should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.e"/> for all interfaces as appropriate.</description>
4842: <ident system="http://cce.mitre.org">CCE-4091-5</ident>
4843: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.accept_source_route</fixtext>
4844: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4845: <check-export export-name="oval:org.fedoraproject.f14:var:20119" value-id="var-2.5.1.2.e"/>
4846: <check-content-ref name="oval:org.fedoraproject.f14:def:20119" href="scap-fedora14-oval.xml"/>
4847: </check>
4848: </Rule>
4849: <Rule id="rule-2.5.1.2.f" selected="false" weight="10.000000" severity="medium">
4850: <title xml:lang="en">Set net.ipv4.conf.default.accept_redirects for Hosts and Routers</title>
4851: <description xml:lang="en">The default setting for accepting ICMP redirects should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.f"/> for all interfaces as appropriate.</description>
4852: <ident system="http://cce.mitre.org">CCE-4186-3</ident>
4853: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.accept_redirects</fixtext>
4854: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4855: <check-export export-name="oval:org.fedoraproject.f14:var:20120" value-id="var-2.5.1.2.f"/>
4856: <check-content-ref name="oval:org.fedoraproject.f14:def:20120" href="scap-fedora14-oval.xml"/>
4857: </check>
4858: </Rule>
4859: <Rule id="rule-2.5.1.2.g" selected="false" weight="10.000000" severity="medium">
4860: <title xml:lang="en">Set net.ipv4.conf.default.secure_redirects for Hosts and Routers</title>
4861: <description xml:lang="en">The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.g"/> for all interfaces as appropriate.</description>
4862: <ident system="http://cce.mitre.org">CCE-3339-9</ident>
4863: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.secure_redirects</fixtext>
4864: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4865: <check-export export-name="oval:org.fedoraproject.f14:var:20121" value-id="var-2.5.1.2.g"/>
4866: <check-content-ref name="oval:org.fedoraproject.f14:def:20121" href="scap-fedora14-oval.xml"/>
4867: </check>
4868: </Rule>
4869: <Rule id="rule-2.5.1.2.h" selected="false" weight="10.000000" severity="medium">
4870: <title xml:lang="en">Set net.ipv4.icmp_echo_ignore_broadcasts for Hosts and Routers</title>
4871: <description xml:lang="en">Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.h"/> for all interfaces as appropriate.</description>
4872: <ident system="http://cce.mitre.org">CCE-3644-2</ident>
4873: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.icmp_echo_ignore_broadcasts</fixtext>
4874: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4875: <check-export export-name="oval:org.fedoraproject.f14:var:20122" value-id="var-2.5.1.2.h"/>
4876: <check-content-ref name="oval:org.fedoraproject.f14:def:20122" href="scap-fedora14-oval.xml"/>
4877: </check>
4878: </Rule>
4879: <Rule id="rule-2.5.1.2.i" selected="false" weight="10.000000" severity="medium">
4880: <title xml:lang="en">Set net.ipv4.icmp_ignore_bogus_error_messages for Hosts and Routers</title>
4881: <description xml:lang="en">Ignoring bogus ICMP responses to broadcasts should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.i"/> for all interfaces as appropriate.</description>
4882: <ident system="http://cce.mitre.org">CCE-4133-5</ident>
4883: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.icmp_ignore_bogus_error_messages</fixtext>
4884: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4885: <check-export export-name="oval:org.fedoraproject.f14:var:20123" value-id="var-2.5.1.2.i"/>
4886: <check-content-ref name="oval:org.fedoraproject.f14:def:20123" href="scap-fedora14-oval.xml"/>
4887: </check>
4888: </Rule>
4889: <Rule id="rule-2.5.1.2.j" selected="false" weight="10.000000" severity="medium">
4890: <title xml:lang="en">Set net.ipv4.tcp_syncookies for Hosts and Routers</title>
4891: <description xml:lang="en">Sending TCP syncookies should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.j"/> for all interfaces as appropriate.</description>
4892: <ident system="http://cce.mitre.org">CCE-4265-5</ident>
4893: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.tcp_syncookies</fixtext>
4894: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4895: <check-export export-name="oval:org.fedoraproject.f14:var:20124" value-id="var-2.5.1.2.j"/>
4896: <check-content-ref name="oval:org.fedoraproject.f14:def:20124" href="scap-fedora14-oval.xml"/>
4897: </check>
4898: </Rule>
4899: <Rule id="rule-2.5.1.2.k" selected="false" weight="10.000000" severity="medium">
4900: <title xml:lang="en">Set net.ipv4.conf.all.rp_filter for Hosts and Routers</title>
4901: <description xml:lang="en">Performing source validation by reverse path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.k"/> for all interfaces as appropriate. Note that strict reverse-path filtering can discard legitimate traffic on multi-homed hosts whose routing is asymmetric; verify the routing setup before enabling it on such systems.</description>
4902: <ident system="http://cce.mitre.org">CCE-4080-8</ident>
4903: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.all.rp_filter</fixtext>
4904: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4905: <check-export export-name="oval:org.fedoraproject.f14:var:20125" value-id="var-2.5.1.2.k"/>
4906: <check-content-ref name="oval:org.fedoraproject.f14:def:20125" href="scap-fedora14-oval.xml"/>
4907: </check>
4908: </Rule>
4909: <Rule id="rule-2.5.1.2.l" selected="false" weight="10.000000" severity="medium">
4910: <title xml:lang="en">Set net.ipv4.conf.default.rp_filter for Hosts and Routers</title>
4911: <description xml:lang="en">The default setting for performing source validation by reverse path should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.1.2.l"/> for all interfaces as appropriate.</description>
4912: <ident system="http://cce.mitre.org">CCE-3840-6</ident>
4913: <fixtext xml:lang="en">(1) via sysctl - net.ipv4.conf.default.rp_filter</fixtext>
4914: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4915: <check-export export-name="oval:org.fedoraproject.f14:var:20126" value-id="var-2.5.1.2.l"/>
4916: <check-content-ref name="oval:org.fedoraproject.f14:def:20126" href="scap-fedora14-oval.xml"/>
4917: </check>
4918: </Rule>
4919: </Group>
4920: </Group>
4921: <Group id="group-2.5.2" hidden="false">
4922: <title xml:lang="en">Wireless Networking</title>
4923: <description xml:lang="en">
4924: Wireless networking (sometimes referred to as 802.11 or Wi-Fi)
4925: presents a serious security risk to sensitive or classified systems and networks. Wireless
4926: networking hardware is much more likely to be included in laptop or portable systems than
4927: desktops or servers. See Section 3.3.14 for information on Bluetooth wireless support.
4928: Bluetooth serves a different purpose and possesses a much shorter range, but it still
4929: presents serious security risks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4930: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4931: Removal of hardware is the only way to absolutely ensure
4932: that the wireless capability remains disabled. If it is completely impractical to remove
4933: the wireless hardware, and site policy still allows the device to enter sensitive spaces,
4934: every effort to disable the capability via software should be made. In general,
4935: acquisition policy should include provisions to prevent the purchase of equipment that
4936: will be used in sensitive spaces and includes wireless capabilities.</description>
4937: <Group id="group-2.5.2.1" hidden="false">
4938: <title xml:lang="en">Remove Wireless Hardware if Possible</title>
4939: <description xml:lang="en">
4940: Identifying the wireless hardware is the first step in removing
4941: it. The system's hardware manual should contain information on its wireless
4942: capabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4943: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4944: Wireless hardware included with a laptop typically takes the form of a
4945: mini-PCI card or PC card. Other forms include devices which plug into USB or Ethernet
4946: ports, but these should be readily apparent and easy to remove from the base system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4947: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4948: A PC Card (originally called a PCMCIA card) is designed to be easy to remove, though it
4949: may be hidden when inserted into the system. Frequently, there will be one or more
4950: buttons near the card slot that, when pressed, eject the card from the system. If no
4951: card is ejected, the slot is empty. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4952: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4953: A mini-PCI card is approximately credit-card sized
4954: and typically accessible via a removable panel on the underside of the laptop. Removing
4955: the panel may require simple tools. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4956: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4957: In addition to manually inspecting the hardware, it
4958: is also possible to query the system for its installed hardware devices. The commands
4959: /sbin/lspci and /sbin/lsusb will show a list of all recognized devices on their
4960: respective buses, and this may indicate the presence of a wireless device.</description>
4961: </Group>
4962: <Group id="group-2.5.2.2" hidden="false">
4963: <title xml:lang="en">Disable Wireless Through Software Configuration</title>
4964: <description xml:lang="en">
4965: If it is impossible to remove the wireless hardware from the
4966: device in question, disable as much of it as possible through software. The following
4967: methods can disable software support for wireless networking, but note that these
4968: methods do not prevent malicious software or careless users from re-activating the
4969: devices.</description>
4970: <Group id="group-2.5.2.2.1" hidden="false">
4971: <title xml:lang="en">Disable Wireless in BIOS</title>
4972: <description xml:lang="en">
4973: Some laptops that include built-in wireless support offer the
4974: ability to disable the device through the BIOS. This is system-specific; consult your
4975: hardware manual or explore the BIOS setup during boot. (The following note belongs to the
4976: sysctl-based rules of the preceding section: a recent version of the kernel's ip-sysctl.txt documentation, which describes the net.ipv4 and net.ipv6 parameters referenced throughout this guide, can be found online at
4977: http://lxr.linux.no/source/Documentation/networking/ip-sysctl.txt.)</description>
4978: <Rule id="rule-2.5.2.2.1.a" selected="false" weight="10.000000" severity="medium">
4979: <title xml:lang="en">Disable Wireless in BIOS</title>
4980: <description xml:lang="en">All wireless devices should be disabled in the BIOS.</description>
4981: <ident system="http://cce.mitre.org">CCE-3628-5</ident>
4982: <fixtext xml:lang="en">(1) via BIOS menus</fixtext>
4983: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
4984: <check-content-ref name="oval:org.fedoraproject.f14:def:20127" href="scap-fedora14-oval.xml"/>
4985: </check>
4986: </Rule>
4987: </Group>
4988: <Group id="group-2.5.2.2.2" hidden="false">
4989: <title xml:lang="en">Deactivate Wireless Interfaces</title>
4990: <description xml:lang="en">
4991: Deactivating the wireless interfaces should prevent normal
4992: usage of the wireless capability. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4993: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4994: First, identify the interfaces available with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4995: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4996: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ifconfig -a <xhtml:br/></xhtml:code>
4997: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
4998: Additionally, the following command may also be used to
4999: determine whether wireless support ('extensions') is included for a particular
5000: interface, though this may not always be a clear indicator: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5001: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5002: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iwconfig <xhtml:br/></xhtml:code>
5003: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5004: After
5005: identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, or
5006: eth0), deactivate the interface with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5007: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5008: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ifdown interface <xhtml:br/></xhtml:code>
5009: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5010: These changes
5011: will only last until the next reboot. To disable the interface for future boots,
5012: remove the appropriate interface file from /etc/sysconfig/network-scripts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5013: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5014: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-interface</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
Note that this removes only the static network-scripts configuration. On a system where NetworkManager manages the device (typically the case on a Fedora desktop installation), the interface may still be activated without an ifcfg file, so this step should be combined with the BIOS and driver measures described in the neighbouring sections.</description>
5015: <Rule id="rule-2.5.2.2.2.a" selected="false" weight="10.000000" severity="medium">
5016: <title xml:lang="en">Deactivate Wireless Interfaces</title>
5017: <description xml:lang="en">All wireless interfaces should be disabled.</description>
5018: <ident system="http://cce.mitre.org">CCE-4276-2</ident>
5019: <fixtext xml:lang="en">rm /etc/sysconfig/network-scripts/ifcfg-interface</fixtext>
5020: <fixtext xml:lang="en">ifdown interface</fixtext>
5021: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5022: <check-content-ref name="oval:org.fedoraproject.f14:def:20128" href="scap-fedora14-oval.xml"/>
5023: </check>
5024: </Rule>
5025: </Group>
5026: <Group id="group-2.5.2.2.3" hidden="false">
5027: <title xml:lang="en">Disable Wireless Drivers</title>
5028: <description xml:lang="en">
5029: Removing the kernel drivers that provide support for wireless
5030: Ethernet devices will prevent users from easily activating the devices. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5031: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5032: To remove the wireless drivers from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5033: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5034: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm -r /lib/modules/kernelversion(s)/kernel/drivers/net/wireless <xhtml:br/></xhtml:code>
5035: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5036: This command must also be repeated every time the kernel is upgraded, since a new kernel package reinstalls the drivers; deleting files owned by the kernel package will also be reported as missing by package verification (rpm -V). As an alternative that survives kernel upgrades, the rule's fixtext refers to modprobe configuration: an install line of the form used for the ipv6 module in Section 2.5.3.1.1 (install modulename /bin/true), placed in a file under /etc/modprobe.d/, prevents the named wireless driver modules from being loaded, although, like every software measure, it can be reverted by a privileged user.</description>
5037: <Rule id="rule-2.5.2.2.3.a" selected="false" weight="10.000000" severity="medium">
5038: <title xml:lang="en">Disable Wireless Drivers</title>
5039: <description xml:lang="en">Device drivers for wireless devices should be excluded from the kernel.</description>
5040: <ident system="http://cce.mitre.org">CCE-4170-7</ident>
5041: <fixtext xml:lang="en">(1) via modprobe</fixtext>
5042: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5043: <check-content-ref name="oval:org.fedoraproject.f14:def:20129" href="scap-fedora14-oval.xml"/>
5044: </check>
5045: </Rule>
5046: </Group>
5047: </Group>
5048: </Group>
5049: <Group id="group-2.5.3" hidden="false">
5050: <title xml:lang="en">IPv6</title>
5051: <description xml:lang="en">
5052: The system includes support for Internet Protocol version 6. A
5053: major and often-mentioned improvement over IPv4 is its enormous increase in the number of
5054: available addresses. Another important feature is its support for automatic configuration
5055: of many network settings.</description>
5056: <Group id="group-2.5.3.1" hidden="false">
5057: <title xml:lang="en">Disable Support for IPv6 unless Needed</title>
5058: <description xml:lang="en">
5059: Because the IPv6 networking code is relatively new and complex,
5060: it is particularly important that it be disabled unless needed. Despite configuration
5061: that suggests support for IPv6 has been disabled, link-local IPv6 address
5062: autoconfiguration occurs even when only an IPv4 address is assigned. The only way to
5063: effectively prevent execution of the IPv6 networking stack is to prevent the kernel from
5064: loading the IPv6 kernel module.</description>
5065: <reference href="">MO3:S0-C1-1</reference>
5066: <Group id="group-2.5.3.1.1" hidden="false">
5067: <title xml:lang="en">Disable Automatic Loading of IPv6 Kernel Module</title>
5068: <description xml:lang="en">
5069: To prevent the IPv6 kernel module (ipv6) from being loaded,
5070: add the following line to /etc/modprobe.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5071: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5072: install ipv6 /bin/true <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5073: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5074: When the kernel requests the ipv6 module, this line will direct the system to run the
5075: program /bin/true instead. On Fedora releases where /etc/modprobe.conf is not present, place the line in a file under /etc/modprobe.d/ (for example /etc/modprobe.d/ipv6.conf), which modprobe also reads. This prevents automatic loading only: it does not unload a module that is already loaded, so a reboot is required for the change to take full effect, and other modules that depend on ipv6 may fail to load afterwards.</description>
5076: <Rule id="rule-2.5.3.1.1.a" selected="false" weight="10.000000" severity="medium">
5077: <title xml:lang="en">Disable Automatic Loading of IPv6 Kernel Module</title>
5078: <description xml:lang="en">Automatic loading of the IPv6 kernel module should be disabled.</description>
5079: <reference href="">MO3:S0-C1-1 MO3:S0-C1-2</reference>
5080: <ident system="http://cce.mitre.org">CCE-3562-6</ident>
5081: <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
5082: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5083: <check-content-ref name="oval:org.fedoraproject.f14:def:20130" href="scap-fedora14-oval.xml"/>
5084: </check>
5085: </Rule>
5086: </Group>
5087: <Group id="group-2.5.3.1.2" hidden="false">
5088: <title xml:lang="en">Disable Interface Usage of IPv6</title>
5089: <description xml:lang="en">
5090: To prevent configuration of IPv6 for all interfaces, add or
5091: correct the following lines in /etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5092: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5093: NETWORKING_IPV6=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5094: IPV6INIT=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5095: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5096: For each network interface IFACE , add or correct the following lines in
5097: /etc/sysconfig/network-scripts/ifcfg-IFACE as an additional prevention mechanism:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5098: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5099: IPV6INIT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5100: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5101: If it becomes necessary later to configure IPv6, only the interfaces
5102: requiring it should be enabled.</description>
5103: <Rule id="rule-2.5.3.1.2.a" selected="false" weight="10.000000" severity="medium">
5104: <title xml:lang="en">Disable NETWORKING_IPV6 in /etc/sysconfig/network</title>
5105: <description xml:lang="en">The default setting for IPv6 configuration should be disabled</description>
5106: <ident system="http://cce.mitre.org">CCE-3381-1</ident>
5107: <fixtext xml:lang="en">(1) via /etc/sysconfig/network</fixtext>
5108: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5109: <check-content-ref name="oval:org.fedoraproject.f14:def:20131" href="scap-fedora14-oval.xml"/>
5110: </check>
5111: </Rule>
5112: <Rule id="rule-2.5.3.1.2.b" selected="false" weight="10.000000" severity="medium">
5113: <title xml:lang="en">Disable IPV6INIT in /etc/sysconfig/network</title>
5114: <description xml:lang="en">Global IPv6 initialization should be disabled</description>
5115: <ident system="http://cce.mitre.org">CCE-3377-9</ident>
5116: <fixtext xml:lang="en">(1) via /etc/sysconfig/network</fixtext>
5117: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5118: <check-content-ref name="oval:org.fedoraproject.f14:def:20132" href="scap-fedora14-oval.xml"/>
5119: </check>
5120: </Rule>
5121: <Rule id="rule-2.5.3.1.2.c" selected="false" weight="10.000000" severity="medium">
5122: <title xml:lang="en">Disable IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-*</title>
5123: <description xml:lang="en">IPv6 configuration should be disabled for all interfaces.</description>
5124: <ident system="http://cce.mitre.org">CCE-4296-0</ident>
5125: <fixtext xml:lang="en">(1) via /etc/sysconfig/network-scripts/ifcfg-*</fixtext>
5126: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5127: <check-content-ref name="oval:org.fedoraproject.f14:def:20133" href="scap-fedora14-oval.xml"/>
5128: </check>
5129: </Rule>
5130: </Group>
5131: </Group>
5132: <Group id="group-2.5.3.2" hidden="false">
5133: <title xml:lang="en">Configure IPv6 Settings if Necessary</title>
5134: <description xml:lang="en">
5135: A major feature of IPv6 is the extent to which systems
5136: implementing it can automatically configure their networking devices using information
5137: from the network. From a security perspective, manually configuring important
5138: configuration information is always preferable to accepting it from the network in an
5139: unauthenticated fashion.</description>
5140: <Group id="group-2.5.3.2.1" hidden="false">
5141: <title xml:lang="en">Disable Automatic Configuration</title>
5142: <description xml:lang="en">
5143: Disable the system's acceptance of router advertisements and
5144: redirects by adding or correcting the following line in /etc/sysconfig/network (note
5145: that this does not disable sending router solicitations): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5146: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5147: IPV6_AUTOCONF=no</description>
5148: <Value id="var-2.5.3.2.1.a" operator="equals" type="string">
5149: <title xml:lang="en">IPV6_AUTOCONF</title>
5150: <description xml:lang="en">Toggle global IPv6 autoconfiguration (effective only if global IPv6 forwarding is disabled)</description>
5151: <question xml:lang="en">Enable/Disable global IPv6 autoconfiguration</question>
5152: <value>disabled</value>
5153: <value selector="enabled">enabled</value>
5154: <value selector="disabled">disabled</value>
5155: <match>enabled|disabled</match>
5156: </Value>
5157: <Value id="var-2.5.3.2.1.b" operator="equals" type="string">
5158: <title xml:lang="en">net.ipv6.conf.default.accept_ra</title>
5159: <description xml:lang="en">accept default router advertisements</description>
5160: <question xml:lang="en">Enable/Disable IPv6 accepting default router advertisements</question>
5161: <value>no</value>
5162: <value selector="enabled">yes</value>
5163: <value selector="disabled">no</value>
5164: <match>yes|no</match>
5165: </Value>
5166: <Value id="var-2.5.3.2.1.c" operator="equals" type="string">
5167: <title xml:lang="en">net.ipv6.conf.default.accept_redirects</title>
5168: <description xml:lang="en">Toggle ICMP Redirect Acceptance</description>
5169: <question xml:lang="en">Enable/Disable IPv6 default ICMP Redirect Acceptance</question>
5170: <value>disabled</value>
5171: <value selector="enabled">enabled</value>
5172: <value selector="disabled">disabled</value>
5173: <match>enabled|disabled</match>
5174: </Value>
5175: <Value id="var-2.5.3.2.1.d" operator="equals" type="string">
5176: <title xml:lang="en">net.ipv6.conf.all.accept_redirects</title>
5177: <description xml:lang="en">Toggle ICMP Redirect Acceptance</description>
5178: <question xml:lang="en">Enable/Disable all IPv6 ICMP Redirect Acceptance</question>
5179: <value>disabled</value>
5180: <value selector="enabled">enabled</value>
5181: <value selector="disabled">disabled</value>
5182: <match>enabled|disabled</match>
5183: </Value>
5184: <Rule id="rule-2.5.3.2.1.a" selected="false" weight="10.000000" severity="medium">
5185: <title xml:lang="en">Disable IPV6_AUTOCONF in /etc/sysconfig/network</title>
5186: <description xml:lang="en">Accepting IPv6 router advertisements should be disabled for all interfaces.</description>
5187: <ident system="http://cce.mitre.org">CCE-4269-7</ident>
5188: <fixtext xml:lang="en">(1) via /etc/sysconfig/network</fixtext>
5189: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5190: <check-export export-name="oval:org.fedoraproject.f14:var:20134" value-id="var-2.5.3.2.1.a"/>
5191: <check-content-ref name="oval:org.fedoraproject.f14:def:20134" href="scap-fedora14-oval.xml"/>
5192: </check>
5193: </Rule>
5194: <Rule id="rule-2.5.3.2.1.b" selected="false" weight="10.000000" severity="medium">
5195: <title xml:lang="en">Disable accepting IPv6 router advertisements (net.ipv6.conf.default.accept_ra)</title>
5196: <description xml:lang="en">The default setting for accepting IPv6 router advertisements should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.1.b"/> for all interfaces.</description>
5197: <ident system="http://cce.mitre.org">CCE-4291-1</ident>
5198: <fixtext xml:lang="en">(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</fixtext>
5199: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5200: <check-export export-name="oval:org.fedoraproject.f14:var:20135" value-id="var-2.5.3.2.1.b"/>
5201: <check-content-ref name="oval:org.fedoraproject.f14:def:20135" href="scap-fedora14-oval.xml"/>
5202: </check>
5203: </Rule>
5204: <Rule id="rule-2.5.3.2.1.c" selected="false" weight="10.000000" severity="medium">
5205: <title xml:lang="en">Disable accepting redirects from IPv6 routers (net.ipv6.conf.default.accept_redirects)</title>
5206: <description xml:lang="en">The default setting for accepting redirects from IPv6 routers should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.1.c"/> for all interfaces.</description>
5207: <ident system="http://cce.mitre.org">CCE-4313-3</ident>
5208: <fixtext xml:lang="en">(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</fixtext>
5209: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5210: <check-export export-name="oval:org.fedoraproject.f14:var:20136" value-id="var-2.5.3.2.1.c"/>
5211: <check-content-ref name="oval:org.fedoraproject.f14:def:20136" href="scap-fedora14-oval.xml"/>
5212: </check>
5213: </Rule>
5214: <Rule id="rule-2.5.3.2.1.d" selected="false" weight="10.000000" severity="medium">
5215: <title xml:lang="en">Disable accepting redirects from IPv6 routers (net.ipv6.conf.all.accept_redirects)</title>
5216: <description xml:lang="en">Accepting redirects from IPv6 routers should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.1.d"/> for all interfaces.</description>
5217: <ident system="http://cce.mitre.org">CCE-4198-8</ident>
5218: <fixtext xml:lang="en">(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</fixtext>
5219: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5220: <check-export export-name="oval:org.fedoraproject.f14:var:20137" value-id="var-2.5.3.2.1.d"/>
5221: <check-content-ref name="oval:org.fedoraproject.f14:def:20137" href="scap-fedora14-oval.xml"/>
5222: </check>
5223: </Rule>
5224: </Group>
5225: <Group id="group-2.5.3.2.2" hidden="false">
5226: <title xml:lang="en">Manually Assign Global IPv6 Address</title>
5227: <description xml:lang="en">
5228: To manually assign an IP address for an interface IFACE, edit
5229: the file /etc/sysconfig/network-scripts/ifcfg-IFACE. Add or correct the following
5230: line (substituting the correct IPv6 address): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5231: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5232: IPV6ADDR=2001:0DB8::ABCD/64 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5233: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5234: Manually
5235: assigning an IP address is preferable to accepting one from routers or from the
5236: network otherwise. The example address here is an IPv6 address reserved for
5237: documentation purposes, as defined by RFC3849.</description>
5238: </Group>
5239: <Group id="group-2.5.3.2.3" hidden="false">
5240: <title xml:lang="en">Use Privacy Extensions for Address if Necessary</title>
5241: <description xml:lang="en">
5242: To introduce randomness into the automatic generation of IPv6
5243: addresses, add or correct the following line in
5244: /etc/sysconfig/network-scripts/ifcfg-IFACE: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5245: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5246: IPV6_PRIVACY=rfc3041<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5247: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5248: Automatically-generated IPv6 addresses are based on the underlying hardware (e.g.
5249: Ethernet) address, and so it becomes possible to track a piece of hardware over its
5250: lifetime using its traffic. If it is important for a system's IP address to not
5251: trivially reveal its hardware address, this setting should be applied. Note that privacy extensions affect only addresses produced by stateless autoconfiguration; they do not alter manually assigned addresses such as the one configured in Section 2.5.3.2.2, and they have no effect if autoconfiguration has been disabled as recommended in Section 2.5.3.2.1.</description>
5252: <Value id="var-2.5.3.2.3.a" operator="equals" type="string">
5253: <title xml:lang="en">IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-IFACE</title>
5254: <description xml:lang="en">Control IPv6 privacy.</description>
5255: <question xml:lang="en">Select control of IPv6 address creation privacy</question>
5256: <value>rfc3041</value>
5257: <value selector="disabled">disabled</value>
5258: <value selector="lightweight">lightweight</value>
5259: <value selector="rfc3041">rfc3041</value>
5260: </Value>
5261: <Rule id="rule-2.5.3.2.3.a" selected="false" weight="10.000000">
5262: <title xml:lang="en">Use Privacy Extensions for Address if Necessary</title>
5263: <description xml:lang="en">IPv6 privacy extensions should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.3.a"/> for all interfaces.</description>
5264: <ident system="http://cce.mitre.org">CCE-3842-2</ident>
5265: <fixtext xml:lang="en">(1) via IPV6_PRIVACY in
5266: /etc/sysconfig/network-scripts/ifcfg-IFACE</fixtext>
5267: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5268: <check-export export-name="oval:org.fedoraproject.f14:var:20138" value-id="var-2.5.3.2.3.a"/>
5269: <check-content-ref name="oval:org.fedoraproject.f14:def:20138" href="scap-fedora14-oval.xml"/>
5270: </check>
5271: </Rule>
5272: </Group>
5273: <Group id="group-2.5.3.2.4" hidden="false">
5274: <title xml:lang="en">Manually Assign IPv6 Router Address</title>
5275: <description xml:lang="en">
5276: Edit the file /etc/sysconfig/network-scripts/ifcfg-IFACE ,
5277: and add or correct the following line (substituting your gateway IP as appropriate):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5278: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5279: IPV6_DEFAULTGW=2001:0DB8::0001 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5280: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5281: Router addresses should be manually set and not
5282: accepted via any autoconfiguration or router advertisement.</description>
5283: </Group>
5284: <Group id="group-2.5.3.2.5" hidden="false">
5285: <title xml:lang="en">Limit Network-Transmitted Configuration</title>
5286: <description xml:lang="en">
5287: Add the following lines to /etc/sysctl.conf to limit the
5288: configuration information requested from other systems, and accepted from the network:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5289: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5290: net.ipv6.conf.default.router_solicitations = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5291: net.ipv6.conf.default.accept_ra_rtr_pref = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5292: net.ipv6.conf.default.accept_ra_pinfo = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5293: net.ipv6.conf.default.accept_ra_defrtr = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5294: net.ipv6.conf.default.autoconf = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5295: net.ipv6.conf.default.dad_transmits = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5296: net.ipv6.conf.default.max_addresses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5297: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5298: The router solicitations setting determines how many router solicitations are sent
5299: when bringing up the interface. If addresses are statically assigned, there is no need
5300: to send any solicitations. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5301: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5302: The accept_ra_pinfo setting controls whether the system will
5303: accept prefix info from the router. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5304: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5305: The accept_ra_defrtr setting controls whether the
5306: system will learn a default router from a router advertisement. Setting it to 0
5307: prevents a router advertisement from installing or changing the system's IPv6 default route, so the gateway must be assigned manually as described in Section 2.5.3.2.4. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5308: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5309: The autoconf setting controls whether router advertisements can cause the system to
5310: assign a global unicast address to an interface. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5311: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5312: The dad_transmits setting determines how
5313: many neighbor solicitations to send out per address (global and link-local) when
5314: bringing up an interface to ensure the desired address is unique on the network. Setting it to 0 disables duplicate address detection entirely, so an address collision on the link will go unnoticed; use 0 only where addresses are statically and centrally assigned. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5315: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5316: The max_addresses setting limits how many autoconfigured global unicast IPv6 addresses can be
5317: assigned to each interface. The default is 16, but it should be set to exactly the
5318: number of global addresses required. Do not set it to 0: in the kernel a value of 0 removes the limit altogether rather than forbidding addresses, which would let a host sending router advertisements consume kernel memory by announcing many prefixes.</description>
5319: <Value id="var-2.5.3.2.5.a" operator="equals" type="number">
5320: <title xml:lang="en">net.ipv6.conf.default.router_solicitations</title>
5321: <description xml:lang="en">
5322: Setting determines how many router solicitations are
5323: sent when bringing up the interface. If addresses are statically assigned, there
5324: is no need to send any solicitation</description>
5325: <question xml:lang="en">Select how many router solicitations are sent when bringing up the interface</question>
5326: <value>0</value>
5327: <value selector="0">0</value>
5328: <value selector="1">1</value>
5329: </Value>
5330: <Value id="var-2.5.3.2.5.b" operator="equals" type="boolean">
5331: <title xml:lang="en">Accept Router Preference in Router Advertisements?</title>
5332: <description xml:lang="en">Setting controls whether the system honours the Router Preference field of received router advertisements (net.ipv6.conf.default.accept_ra_rtr_pref).</description>
5333: <question xml:lang="en">Enable/Disable IPv6 acceptance of router preference from router advertisements</question>
5334: <value>0</value>
5335: <value selector="enabled">1</value>
5336: <value selector="disabled">0</value>
5337: </Value>
5338: <Value id="var-2.5.3.2.5.c" operator="equals" type="boolean">
5339: <title xml:lang="en">net.ipv6.conf.default.accept_ra_pinfo</title>
5340: <description xml:lang="en">Setting controls whether the system will accept prefix info from the router</description>
5341: <question xml:lang="en">Enable/Disable IPv6 acceptance of router prefix info</question>
5342: <value>0</value>
5343: <value selector="enabled">1</value>
5344: <value selector="disabled">0</value>
5345: </Value>
5346: <Value id="var-2.5.3.2.5.d" operator="equals" type="boolean">
5347: <title xml:lang="en">net.ipv6.conf.default.accept_ra_defrtr</title>
5348: <description xml:lang="en">
5349: Setting controls whether the system will learn a default router
5350: from a router advertisement. Setting it to 0 prevents a router advertisement from
5351: installing or changing the system's IPv6 default route.</description>
5352: <question xml:lang="en">Enable/Disable IPv6 acceptance of a default router from router advertisements</question>
5353: <value>0</value>
5354: <value selector="enabled">1</value>
5355: <value selector="disabled">0</value>
5356: </Value>
5357: <Value id="var-2.5.3.2.5.e" operator="equals" type="boolean">
5358: <title xml:lang="en">net.ipv6.conf.default.autoconf</title>
5359: <description xml:lang="en">Setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.</description>
5360: <question xml:lang="en">Enable/Disable IPv6 acceptance of global unicast address from router advertisement</question>
5361: <value>0</value>
5362: <value selector="enabled">1</value>
5363: <value selector="disabled">0</value>
5364: </Value>
5365: <Value id="var-2.5.3.2.5.f" operator="equals" type="number">
5366: <title xml:lang="en">net.ipv6.conf.default.dad_transmits</title>
5367: <description xml:lang="en">
5368: Setting determines how many neighbor solicitations to
5369: send out per address (global and link-local) when bringing up an interface to
5370: ensure the desired address is unique on the network</description>
5371: <question xml:lang="en">Select how many neighbor solicitations to send out per address to ensure uniqueness of the desired IPv6 address</question>
5372: <value>0</value>
5373: <value selector="0">0</value>
5374: <value selector="1">1</value>
5375: </Value>
5376: <Value id="var-2.5.3.2.5.g" operator="equals" type="number">
5377: <title xml:lang="en">net.ipv6.conf.default.max_addresses</title>
5378: <description xml:lang="en">
5379: Setting determines how many global unicast IPv6 addresses can be
5380: assigned to each interface. The default is 16, but it should be set to exactly
5381: the number of statically configured global addresses required.</description>
5382: <question xml:lang="en">Select how many global unicast IPv6 addresses can be assigned to each interface</question>
5383: <value>16</value>
5384: <value selector="0">0</value>
5385: <value selector="1">1</value>
5386: <value selector="2">2</value>
5387: <value selector="4">4</value>
5388: <value selector="8">8</value>
5389: <value selector="16">16</value>
5390: </Value>
5391: <Rule id="rule-2.5.3.2.5.a" selected="false" weight="10.000000">
5392: <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.router_solicitations</title>
5393: <description xml:lang="en">The default number of IPv6 router solicitations for network interfaces to send should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.a"/></description>
5394: <ident system="http://cce.mitre.org">CCE-4159-0</ident>
5395: <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.router_solicitations</fixtext>
5396: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5397: <check-export export-name="oval:org.fedoraproject.f14:var:20139" value-id="var-2.5.3.2.5.a"/>
5398: <check-content-ref name="oval:org.fedoraproject.f14:def:20139" href="scap-fedora14-oval.xml"/>
5399: </check>
5400: </Rule>
5401: <Rule id="rule-2.5.3.2.5.b" selected="false" weight="10.000000">
5402: <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_rtr_pref</title>
5403: <description xml:lang="en">The default setting for accepting router preference via IPv6 router advertisement should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.b"/> for interfaces.</description>
5404: <ident system="http://cce.mitre.org">CCE-4221-8</ident>
5405: <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref</fixtext>
5406: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5407: <check-export export-name="oval:org.fedoraproject.f14:var:20140" value-id="var-2.5.3.2.5.b"/>
5408: <check-content-ref name="oval:org.fedoraproject.f14:def:20140" href="scap-fedora14-oval.xml"/>
5409: </check>
5410: </Rule>
5411: <Rule id="rule-2.5.3.2.5.c" selected="false" weight="10.000000">
5412: <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_pinfo</title>
5413: <description xml:lang="en">The default setting for accepting prefix information via IPv6 router advertisement should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.c"/> for interfaces.</description>
5414: <ident system="http://cce.mitre.org">CCE-4058-4</ident>
5415: <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.accept_ra_pinfo</fixtext>
5416: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5417: <check-export export-name="oval:org.fedoraproject.f14:var:20141" value-id="var-2.5.3.2.5.c"/>
5418: <check-content-ref name="oval:org.fedoraproject.f14:def:20141" href="scap-fedora14-oval.xml"/>
5419: </check>
5420: </Rule>
5421: <Rule id="rule-2.5.3.2.5.d" selected="false" weight="10.000000">
5422: <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_defrtr</title>
5423: <description xml:lang="en">The default setting for accepting a default router via IPv6 router advertisement should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.d"/> for interfaces.</description>
5424: <ident system="http://cce.mitre.org">CCE-4128-5</ident>
5425: <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.accept_ra_defrtr</fixtext>
5426: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5427: <check-export export-name="oval:org.fedoraproject.f14:var:20142" value-id="var-2.5.3.2.5.d"/>
5428: <check-content-ref name="oval:org.fedoraproject.f14:def:20142" href="scap-fedora14-oval.xml"/>
5429: </check>
5430: </Rule>
5431: <Rule id="rule-2.5.3.2.5.e" selected="false" weight="10.000000">
5432: <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.autoconf</title>
5433: <description xml:lang="en">The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.e"/>.</description>
5434: <ident system="http://cce.mitre.org">CCE-4287-9</ident>
5435: <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.autoconf</fixtext>
5436: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5437: <check-export export-name="oval:org.fedoraproject.f14:var:20143" value-id="var-2.5.3.2.5.e"/>
5438: <check-content-ref name="oval:org.fedoraproject.f14:def:20143" href="scap-fedora14-oval.xml"/>
5439: </check>
5440: </Rule>
5441: <Rule id="rule-2.5.3.2.5.f" selected="false" weight="10.000000">
5442: <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.dad_transmits</title>
5443: <description xml:lang="en">The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.f"/>.</description>
5444: <ident system="http://cce.mitre.org">CCE-3895-0</ident>
5445: <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.dad_transmits</fixtext>
5446: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5447: <check-export export-name="oval:org.fedoraproject.f14:var:20144" value-id="var-2.5.3.2.5.f"/>
5448: <check-content-ref name="oval:org.fedoraproject.f14:def:20144" href="scap-fedora14-oval.xml"/>
5449: </check>
5450: </Rule>
5451: <Rule id="rule-2.5.3.2.5.g" selected="false" weight="10.000000">
5452: <title xml:lang="en">Limit Network-Transmitted Configuration via net.ipv6.conf.default.max_addresses</title>
5453: <description xml:lang="en">The default number of global unicast IPv6 addresses allowed per network interface should be: <sub xmlns="http://checklists.nist.gov/xccdf/1.1" idref="var-2.5.3.2.5.g"/>.</description>
5454: <ident system="http://cce.mitre.org">CCE-4137-6</ident>
5455: <fixtext xml:lang="en">(1) via sysctl - net.ipv6.conf.default.max_addresses</fixtext>
5456: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5457: <check-export export-name="oval:org.fedoraproject.f14:var:20145" value-id="var-2.5.3.2.5.g"/>
5458: <check-content-ref name="oval:org.fedoraproject.f14:def:20145" href="scap-fedora14-oval.xml"/>
5459: </check>
5460: </Rule>
5461: </Group>
5462: </Group>
5463: </Group>
5464: <Group id="group-2.5.4" hidden="false">
5465: <title xml:lang="en">TCP Wrapper</title>
5466: <description xml:lang="en">
5467: TCP Wrapper is a library which provides simple access control and
5468: standardized logging for supported applications which accept connections over a network.
5469: Historically, TCP Wrapper was used to support inetd services. Now that inetd is deprecated
5470: (see Section 3.2.1), TCP Wrapper supports only services which were built to make use of
5471: the libwrap library. To determine whether a given executable daemon /path/to/daemon
5472: supports TCP Wrapper, check the documentation, or run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5473: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5474: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ldd /path/to/daemon | grep libwrap.so <xhtml:br/></xhtml:code>
5475: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5476: If this command returns any output, then the daemon probably supports TCP Wrapper. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5477: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5478: An alternative to TCP Wrapper support is packet filtering using iptables. Note
5479: that iptables works at the network level, while TCP Wrapper works at the application
5480: level. This means that iptables filtering is more efficient and more resistant to flaws in
5481: the software being protected, but TCP Wrapper provides support for logging, banners, and
5482: other application-level tricks which iptables cannot provide.</description>
5483: <Group id="group-2.5.4.1" hidden="false">
5484: <title xml:lang="en">How TCP Wrapper Protects Services</title>
5485: <description xml:lang="en">
5486: TCP Wrapper provides access control for the system's network
5487: services using two configuration files. When a connection is attempted: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5488: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
5489: <xhtml:li>The file
5490: /etc/hosts.allow is searched for a rule matching the connection. If one is found, the
5491: connection is allowed. </xhtml:li>
5492: <xhtml:li>Otherwise, the file /etc/hosts.deny is searched for a rule
5493: matching the connection. If one is found, the connection is rejected. </xhtml:li>
5494: <xhtml:li>If no matching
5495: rules are found in either file, then the connection is allowed. By default, TCP Wrapper
5496: does not block access to any services. </xhtml:li>
5497: </xhtml:ol>
5498: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5499: In the simplest case, each rule in /etc/hosts.allow and /etc/hosts.deny takes the form: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5500: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5501: daemon : client <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5502: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5503: where daemon is the
5504: name of the server process for which the connection is destined, and client is the
5505: partial or full hostname or IP address of the client. It is valid for daemon and client
5506: to contain one item, a comma-separated list of items, or a special keyword like ALL,
5507: which matches any service or client. (See the hosts_access(5) manpage for a list of
5508: other keywords.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5509: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5510: Note: Partial hostnames start at the root domain and are delimited by
5511: the . character. So the client machine host03.dev.example.com, with IP address 10.7.2.3,
5512: could be matched by any of the specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5513: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5514: .example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5515: .dev.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5516: 10.7.2.</description>
5517: </Group>
5518: <Group id="group-2.5.4.2" hidden="false">
5519: <title xml:lang="en">Reject All Connections From Other Hosts if Appropriate</title>
5520: <description xml:lang="en">
5521: Restrict all connections to non-public services to localhost
5522: only. Suppose pubsrv1 and pubsrv2 are the names of daemons which must be accessed
5523: remotely. Configure TCP Wrapper as follows. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5524: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5525: Edit /etc/hosts.allow. Add the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5526: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5527: pubsrv1, pubsrv2 : ALL<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5528: ALL: localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5529: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5530: Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5531: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5532: ALL: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5533: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5534: These rules deny connections to all TCP Wrapper enabled services from any
5535: host other than localhost, but allow connections from anywhere to the services which
5536: must be publicly accessible. (If no public services exist, the first line in
5537: /etc/hosts.allow may be omitted.)</description>
5538: </Group>
5539: <Group id="group-2.5.4.3" hidden="false">
5540: <title xml:lang="en">Allow Connections Only From Hosts in This Domain if Appropriate</title>
5541: <description xml:lang="en">
5542: For each daemon, domainsrv, which only needs to be contacted
5543: from inside the local domain, example.com, configure TCP Wrapper to deny remote
5544: connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5545: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5546: Edit /etc/hosts.allow. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5547: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5548: domainsrv : .example.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5549: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5550: Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5551: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5552: domainsrv : ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5553: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5554: There are many possible
5555: examples of services which need to communicate only within the local domain. If a
5556: machine is a local compute server, it may be necessary for users to connect via SSH from
5557: their desktop workstations, but not from outside the domain. In that case, you should
5558: protect the daemon sshd using this method. As another example, RPC-based services such
5559: as NFS might be enabled within the domain only, in which case the daemon portmap should
5560: be protected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5561: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5562: </description>
5563: <warning xml:lang="en">Note: This example protects only the service domainsrv. No filtering is
5564: done on other services unless a line is entered into /etc/hosts.deny which refers to
5565: those services by name, or which restricts the special service ALL.</warning>
5566: </Group>
5567: <Group id="group-2.5.4.4" hidden="false">
5568: <title xml:lang="en">Monitor Syslog for Relevant Connections and Failures</title>
5569: <description xml:lang="en">
5570: Ensure that the following line exists in /etc/syslog.conf.
5571: (This is the default, so it is likely to be correct if the configuration has not been
5572: modified): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5573: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5574: authpriv.* /var/log/secure <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5575: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5576: Configure logwatch or other log monitoring tools
5577: to periodically summarize failed connections reported by TCP Wrapper at the facility
5578: authpriv.info. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5579: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5580: By default, TCP Wrapper audits all rejected connections at the facility
5581: authpriv, level info. In the log file, TCP Wrapper rejections will contain the
5582: substring: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5583: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5584: daemon[pid]: refused connect from ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5585: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5586: These lines can be used to detect
5587: malicious scans, and to debug failures resulting from an incorrect TCP Wrapper
5588: configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5589: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5590: If appropriate, it is possible to change the syslog facility and level
5591: used by a given TCP Wrapper rule by adding the severity option to each desired
5592: configuration line in /etc/hosts.deny: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5593: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5594: daemon : client : severity facility.level <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5595: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5596: By default, successful connections are not logged by TCP Wrapper. See Section 2.6 for
5597: more information about system auditing.</description>
5598: </Group>
5599: <Group id="group-2.5.4.5" hidden="false">
5600: <title xml:lang="en">Further Resources</title>
5601: <description xml:lang="en">
5602: For more information about TCP Wrapper, see the tcpd(8) and
5603: hosts_access(5) manpages and the documentation directory /usr/share/doc/tcp_wrappers-version. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5604: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5605: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5606: Some information may be available from the Tools section of the
5607: author's website, http://www.porcupine.org, and from the RHEL4 Reference Guide [6].</description>
5608: </Group>
5609: </Group>
5610: <Group id="group-2.5.5" hidden="false">
5611: <title xml:lang="en">Iptables and Ip6tables</title>
5612: <description xml:lang="en">
5613: A host-based firewall called Netfilter is included as part of the
5614: Linux kernel distributed with the system. It is activated by default. This firewall is
5615: controlled by the program iptables, and the entire capability is frequently referred to by
5616: this name. An analogous program called ip6tables handles filtering for IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5617: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5618: Unlike TCP
5619: Wrapper, which depends on the network server program to support and respect the rules
5620: written, Netfilter filtering occurs at the kernel level, before a program can even process
5621: the data from the network packet. As such, any program on the system is affected by the
5622: rules written. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5623: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5624: This section provides basic information about strengthening the iptables
5625: and ip6tables configurations included with the system. For more complete information that
5626: may allow the construction of a sophisticated ruleset tailored to your environment, please
5627: consult the references at the end of this section.</description>
5628: <Group id="group-2.5.5.1" hidden="false">
5629: <title xml:lang="en">Inspect and Activate Default Rules</title>
5630: <description xml:lang="en">
5631: View the currently-enforced iptables rules by running the
5632: command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5633: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5634: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers <xhtml:br/></xhtml:code>
5635: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5636: The command is analogous for the ip6tables program. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5637: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5638: If the firewall does not appear to be active (i.e., no rules appear), activate
5639: it and ensure that it starts at boot by issuing the following commands (and analogously
5640: for ip6tables): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5641: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5642: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service iptables restart <xhtml:br/>
5643: # chkconfig iptables on <xhtml:br/></xhtml:code>
5644: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5645: The default iptables rules are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5646: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5647: Chain INPUT (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5648: num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5649: 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5650: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5651: Chain FORWARD (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5652: num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5653: 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5654: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5655: Chain OUTPUT (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5656: num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5657: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5658: Chain RH-Firewall-1-INPUT (2 references) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5659: num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5660: 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5661: 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5662: 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5663: 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5664: 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5665: 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5666: 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5667: 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5668: 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5669: 10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5670: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5671: The ip6tables default rules are similar, with
5672: its rules 2 and 10 reflecting protocol naming and addressing differences. Instead of
5673: rule 8, however, ip6tables includes two rules that accept all incoming udp and tcp
5674: packets with a particular destination port range. This is because the current Netfilter
5675: implementation for IPv6 lacks reliable connection-tracking functionality.</description>
5676: <Rule id="rule-2.5.5.1.a" selected="false" weight="10.000000" severity="high">
5677: <title xml:lang="en">Verify ip6tables is enabled</title>
5678: <description xml:lang="en">The ip6tables service should be enabled.</description>
5679: <ident system="http://cce.mitre.org">CCE-4167-3</ident>
5680: <fix>chkconfig ip6tables on</fix>
5681: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5682: <check-content-ref name="oval:org.fedoraproject.f14:def:20146" href="scap-fedora14-oval.xml"/>
5683: </check>
5684: </Rule>
5685: <Rule id="rule-2.5.5.1.b" selected="false" weight="10.000000" severity="high">
5686: <title xml:lang="en">Verify iptables is enabled</title>
5687: <description xml:lang="en">The iptables service should be enabled.</description>
5688: <ident system="http://cce.mitre.org">CCE-4189-7</ident>
5689: <fix>chkconfig iptables on</fix>
5690: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5691: <check-content-ref name="oval:org.fedoraproject.f14:def:20147" href="scap-fedora14-oval.xml"/>
5692: </check>
5693: </Rule>
5694: </Group>
5695: <Group id="group-2.5.5.2" hidden="false">
5696: <title xml:lang="en">Understand the Default Ruleset</title>
5697: <description xml:lang="en">
5698: Understanding and creating firewall rules can be a challenging
5699: activity, filled with corner cases and difficult-to-debug problems. Because of this,
5700: administrators should develop a thorough understanding of the default ruleset before
5701: carefully modifying it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5702: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5703: The default ruleset is divided into four sections, each of which
5704: is called a chain: INPUT, FORWARD, OUTPUT, and RH-Firewall-1-INPUT. INPUT, OUTPUT, and
5705: FORWARD are built-in chains. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5706: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
5707: <xhtml:li>The INPUT chain is activated on packets destined for
5708: (i.e., addressed to) the system. </xhtml:li>
5709: <xhtml:li>The OUTPUT chain is activated on packets which are
5710: originating from the system. </xhtml:li>
5711: <xhtml:li>The FORWARD chain is activated for packets that the
5712: system will process and send through another interface, if so configured. </xhtml:li>
5713: <xhtml:li>The
5714: RH-Firewall-1-INPUT chain is a custom (or user-defined) chain, which is used by the
5715: INPUT and FORWARD chains. </xhtml:li>
5716: </xhtml:ul>
5717: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5718: A packet starts at the first rule in the appropriate chain and
5719: proceeds until it matches a rule. If a match occurs, then control will jump to the
5720: specified target. The default ruleset uses the built-in targets ACCEPT and REJECT, and
5721: also the user-defined target/chain RH-Firewall-1-INPUT. Jumping to the target ACCEPT
5722: means to allow the packet through, while REJECT means to drop the packet and send an
5723: error message to the sending host. A related target called DROP means to drop the packet
5724: on the floor without even sending an error message. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5725: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5726: The default policy for all of the
5727: built-in chains (shown after their names in the rule output above) is set to ACCEPT.
5728: This means that if no rules in the chain match the packets, they are allowed through.
5729: Because no rules at all are written for the OUTPUT chain, this means that iptables does
5730: not stop any packets originating from the system. The INPUT and FORWARD chains jump to
5731: the user-defined target RH-Firewall-1-INPUT for all packets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5732: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5733: RH-Firewall-1-INPUT tries
5734: to match, in order, the following rules for both iptables and ip6tables: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5735: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
5736: <xhtml:li>Rule 1
5737: appears to accept all packets. However, this appears true only because the rules are not
5738: presented in verbose mode. Executing the command <xhtml:br/>
5739: <xhtml:br/>
5740: <xhtml:code># iptables -vnL --line-numbers <xhtml:br/></xhtml:code>
5741: <xhtml:br/>
5742: reveals
5743: that this rule applies only to the loopback (lo) interface (see column in), while all
5744: other rules apply to all interfaces. Thus, packets not coming from the loopback
5745: interface do not match and proceed to the next rule. </xhtml:li>
5746: <xhtml:li>Rule 2 explicitly allows all icmp
5747: packet types; iptables uses the code 255 to mean all icmp types. </xhtml:li>
5748: <xhtml:li>Rule 3 explicitly
5749: allows all esp packets; these are packets which contain IPsec ESP headers.</xhtml:li>
5750: <xhtml:li>Rule 4
5751: explicitly allows all ah packets; these are packets which contain an IPsec
5752: authentication header SPI. </xhtml:li>
5753: <xhtml:li>Rule 5 allows inbound communication on udp port 5353
5754: (mDNS), which the avahi daemon uses. </xhtml:li>
5755: <xhtml:li>Rules 6 and 7 allow inbound communication on
5756: both tcp and udp port 631, which the cups daemon uses. </xhtml:li>
5757: <xhtml:li>Rule 8, in the iptables rules,
5758: allows inbound packets that are part of a session initiated by the system. In ip6tables,
5759: rules 8 and 9 allow any inbound packets with a destination port address between 32768
5760: and 61000. </xhtml:li>
5761: <xhtml:li>Rule 9 (10, for ip6tables) allows inbound connections on tcp port 22, which
5762: is the SSH protocol. </xhtml:li>
5763: <xhtml:li>Rule 10 (11, for ip6tables) rejects all other packets and sends
5764: an error message to the sender. Because this is the last rule and matches any packet, it
5765: effectively prevents any packet from reaching the chain's default ACCEPT target.
5766: Preventing the acceptance of any packet that is not explicitly allowed is proper design
5767: for a firewall.</xhtml:li>
5768: </xhtml:ul></description>
5769: </Group>
5770: <Group id="group-2.5.5.3" hidden="false">
5771: <title xml:lang="en">Strengthen the Default Ruleset</title>
5772: <description xml:lang="en">
5773: The default rules can be strengthened. The system scripts that
5774: activate the firewall rules expect them to be defined in the configuration files
5775: iptables and ip6tables in the directory /etc/sysconfig. Many of the lines in these files
5776: are similar to the command line arguments that would be provided to the programs
5777: /sbin/iptables or /sbin/ip6tables – but some are quite different. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5778: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5779: The following recommendations describe how to strengthen the default
5780: ruleset configuration file. An alternative to editing this configuration file is to
5781: create a shell script that makes calls to the iptables program to load in rules, and
5782: then invokes service iptables save to write those loaded rules to
5783: /etc/sysconfig/iptables. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5784: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5785: The following alterations can be made directly to
5786: /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to both unless
5787: otherwise noted. Language and address conventions for regular iptables are used
5788: throughout this section; configuration for ip6tables will be either analogous or
5789: explicitly covered.</description>
5790: <warning xml:lang="en">The program
5791: system-config-securitylevel allows additional services to penetrate the default firewall
5792: rules and automatically adjusts /etc/sysconfig/iptables. This program is only useful
5793: if the default ruleset meets your security requirements. Otherwise, this program should
5794: not be used to make changes to the firewall configuration because it re-writes the saved
5795: configuration file. </warning>
5796: <Group id="group-2.5.5.3.1" hidden="false">
5797: <title xml:lang="en">Change the Default Policies</title>
5798: <description xml:lang="en">
5799: Change the default policy to DROP (from ACCEPT) for the INPUT
5800: and FORWARD built-in chains: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5801: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5802: *filter <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5803: :INPUT DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5804: :FORWARD DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5805: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5806: Changing
5807: the default policy in this way implements proper design for a firewall, i.e. any
5808: packets which are not explicitly permitted should not be accepted.</description>
5809: <Rule id="rule-2.5.5.3.1.a" selected="false" weight="10.000000" severity="high">
5810: <title xml:lang="en">Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain</title>
5811: <description xml:lang="en">Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain.</description>
5812: <fixtext xml:lang="en">(1) via /etc/sysconfig/iptables</fixtext>
5813: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5814: <check-content-ref name="oval:org.fedoraproject.f14:def:201474" href="scap-fedora14-oval.xml"/>
5815: </check>
5816: </Rule>
5817: <Rule id="rule-2.5.5.3.1.b" selected="false" weight="10.000000" severity="high">
5818: <title xml:lang="en">Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain</title>
5819: <description xml:lang="en">Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain.</description>
5820: <fixtext xml:lang="en">(1) via /etc/sysconfig/iptables</fixtext>
5821: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
5822: <check-content-ref name="oval:org.fedoraproject.f14:def:201475" href="scap-fedora14-oval.xml"/>
5823: </check>
5824: </Rule>
5825: </Group>
5826: <Group id="group-2.5.5.3.2" hidden="false">
5827: <title xml:lang="en">Restrict ICMP Message Types</title>
5828: <description xml:lang="en">
5829: In /etc/sysconfig/iptables, the accepted ICMP message types
5830: can be restricted. To accept only ICMP echo reply, destination unreachable, and time
5831: exceeded messages, remove the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5832: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5833: -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5834: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5835: and insert the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5836: -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5837: -A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5838: -A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5839: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5840: To allow the system to respond to pings, also insert the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5841: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5842: -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5843: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5844: Ping responses can also be limited to certain
5845: networks or hosts by using the -s option in the previous rule. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5846: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5847: Because IPv6 depends so
5848: heavily on ICMPv6, it is preferable to deny the ICMPv6 packets you know you don't need
5849: (e.g. ping requests) in /etc/sysconfig/ip6tables, while letting everything else
5850: through: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5851: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5852: -A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type echo-request -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5853: If you
5854: are going to statically configure the machine's address, it should ignore Router
5855: Advertisements which could add another IPv6 address to the interface or alter
5856: important network settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5857: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5858: -A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5859: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5860: Restricting other ICMPv6 message types in
5861: /etc/sysconfig/ip6tables is not recommended because the operation of IPv6 depends
5862: heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</description>
5863: </Group>
5864: <Group id="group-2.5.5.3.3" hidden="false">
5865: <title xml:lang="en">Remove IPsec Rules</title>
5866: <description xml:lang="en">
5867: If the system will not process IPsec traffic, then remove the
5868: following rules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5869: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5870: -A RH-Firewall-1-INPUT -p 50 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5871: -A RH-Firewall-1-INPUT -p 51 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/></description>
5872: </Group>
5873: <Group id="group-2.5.5.3.4" hidden="false">
5874: <title xml:lang="en">Log and Drop Packets with Suspicious Source Addresses</title>
5875: <description xml:lang="en">
5876: Packets with non-routable source addresses should be
5877: rejected, as they may indicate spoofing. Because the modified policy will reject
5878: non-matching packets, you only need to add these rules if you are interested in also
5879: logging these spoofing or suspicious attempts before they are dropped. If you do
5880: choose to log various suspicious traffic, add identical rules with a target of DROP
5881: after each LOG. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5882: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5883: To log and then drop these IPv4 packets, insert the following rules in
5884: /etc/sysconfig/iptables (excepting any that are intentionally used): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5885: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5886: -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5887: -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5888: -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5889: -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5890: -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5891: -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5892: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5893: Similarly, you might wish to log packets containing some IPv6
5894: reserved addresses if they are not expected on your network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5895: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5896: -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5897: -A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5898: -A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5899: -A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5900: -A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5901: -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5902: -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5903: -A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5904: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5905: If you are not expecting to see site-local multicast or auto-tunneled traffic, you
5906: can log those: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5907: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5908: -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5909: -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5910: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5911: If you wish to block multicasts to all
5912: link-local nodes (e.g. if you are not using router autoconfiguration and do not plan
5913: to have any services that multicast to the entire local network), you can block the
5914: link-local all-nodes multicast address (before accepting incoming ICMPv6): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5915: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5916: -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5917: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5918: However, if you're
5919: going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should
5920: then consider logging the non-routable IPv4-compatible addresses: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5921: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5922: -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5923: -A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5924: -A INPUT -s ::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5925: -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5926: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5927: If you are not expecting to see any IPv4 (or IPv4-compatible) traffic
5928: on your network, consider logging it before it gets dropped: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5929: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5930: -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5931: -A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5932: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5933: The following rule will log all traffic
5934: originating from a site-local address, which is deprecated address space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5935: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5936: -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "</description>
5937: </Group>
5938: <Group id="group-2.5.5.3.5" hidden="false">
5939: <title xml:lang="en">Log and Drop All Other Packets</title>
5940: <description xml:lang="en">
5941: To log before dropping all packets that are not explicitly
5942: accepted by previous rules, change the final lines from <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5943: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5944: -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5945: COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5946: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5947: to <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5948: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5949: -A RH-Firewall-1-INPUT -j LOG <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5950: -A RH-Firewall-1-INPUT -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5951: COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5952: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5953: The rule to log all dropped packets must be used
5954: with care. Chatty but otherwise non-malicious network protocols (e.g. NetBIOS) may
5955: result in voluminous logs; insertion of earlier rules to explicitly drop their packets
5956: without logging may be appropriate.</description>
5957: </Group>
5958: </Group>
5959: <Group id="group-2.5.5.4" hidden="false">
5960: <title xml:lang="en">Further Strengthening</title>
5961: <description xml:lang="en">
5962: Further strengthening, particularly as a result of
5963: customization to a particular environment, is possible for the iptables rules. Consider
5964: the following options, though their practicality depends on the network environment and
5965: usage scenario: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5966: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
5967: <xhtml:li>Restrict outgoing traffic. As shown above, the OUTPUT chain's default
5968: policy can be changed to DROP, and rules can be written to specifically allow only
5969: certain types of outbound traffic. Such a policy could prevent casual usage of insecure
5970: protocols such as ftp and telnet, or even disrupt spyware. However, it would still not
5971: prevent a sophisticated user or program from using a proxy to circumvent the intended
5972: effects, and many client programs even try to automatically tunnel through port 80 to
5973: avoid such restrictions.</xhtml:li>
5974: <xhtml:li>SYN flood protection. SYN flood protection can be provided by
5975: iptables, but might run into limiting issues for servers. For example, the iplimit match
5976: can be used to limit simultaneous connections from a given host or class. Similarly, the
5977: recent match allows the firewall to deny additional connections from any host within a
5978: given period of time (e.g. more than 3 --state NEW connections on port 22 within a minute
5979: to prevent dictionary login attacks). <xhtml:br/>
5980: <xhtml:br/>
5981: A more precise option for DoS protection is using
5982: TCP SYN cookies. (See Section 2.5.1.2 for more information.)</xhtml:li>
5983: </xhtml:ul></description>
5984: </Group>
5985: <Group id="group-2.5.5.5" hidden="false">
5986: <title xml:lang="en">Further Resources</title>
5987: <description xml:lang="en">
5988: More complex, restrictive, and powerful rulesets can be
5989: created, but this requires careful customization that relies on knowledge of the
5990: particular environment. The following resources provide more detailed information: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
5991: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
5992: <xhtml:li>The iptables(8) man page </xhtml:li>
5993: <xhtml:li>The Netfilter Project's documentation at http://www.netfilter.org</xhtml:li>
5994: <xhtml:li>The Red Hat Enterprise Linux Reference Guide</xhtml:li>
5995: </xhtml:ul></description>
5996: </Group>
5997: </Group>
5998: <Group id="group-2.5.6" hidden="false">
5999: <title xml:lang="en">Secure Sockets Layer Support</title>
6000: <description xml:lang="en">
6001: The Secure Sockets Layer (SSL) protocol provides encrypted and
6002: authenticated network communications, and many network services include support for it.
6003: Using SSL is recommended, especially to avoid any plaintext transmission of sensitive
6004: data, even over a local network. The SSL implementation included with the system is called
6005: OpenSSL. Recent implementations of SSL may also be referred to as Transport Layer Security
6006: (TLS). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6007: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6008: SSL uses public key cryptography to provide authentication and encryption. Public
6009: key cryptography involves two keys, one called the public key and the other called the
6010: private key. These keys are mathematically related such that data encrypted with one key
6011: can only be decrypted by the other, and vice versa. As their names suggest, public keys
6012: can be distributed to anyone while a private key must remain known only to its owner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6013: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6014: SSL uses certificates, which are files that hold cryptographic data: a public key, and a
6015: signature of that public key. In SSL authentication, a server presents a client with its
6016: certificate as a means of demonstrating that it is who it claims it is. If everything goes
6017: correctly, the client can verify the server's certificate by determining that the
6018: signature inside the certificate could only have been generated by a third party whom the
6019: client trusts. This third party is called a Certificate Authority (CA). Each client system
6020: should also have certificates from trusted CAs, and the client uses these CA certificates
6021: to verify the authenticity of the server's certificate. After authenticating a server
6022: using its certificate and a CA certificate, SSL provides encryption by using the server
6023: certificate to securely negotiate a shared secret key. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6024: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6025: If your server must communicate
6026: using SSL with systems that might not be able to securely accept a new CA certificate
6027: prior to any SSL communication, then paying an established CA (whose certificates your
6028: clients already have) to sign your server certificates is recommended. The steps for doing
6029: this vary by vendor. Once the signed certificates have been obtained, configuration of the
6030: services is the same whether they were purchased from a vendor or signed by your own CA.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6031: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6032: For setting up an internal network and encrypting local traffic, creating your own CA to
6033: sign SSL certificates can be appropriate. The major steps in this process are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6034: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
6035: <xhtml:li>Create a CA to sign certificates </xhtml:li>
6036: <xhtml:li>Create SSL certificates for servers using that CA</xhtml:li>
6037: <xhtml:li>Enable client support by distributing the CA's certificate</xhtml:li>
6038: </xhtml:ol></description>
6039: <Group id="group-2.5.6.1" hidden="false">
6040: <title xml:lang="en">Create a CA to Sign Certificates</title>
6041: <description xml:lang="en">
6042: The following instructions apply to OpenSSL since it is
6043: included with the system, but creating a CA is possible with any standards-compliant SSL
6044: toolkit. The security of certificates depends on the security of the CA that signed
6045: them, so performing these steps on a secure machine is critical. The system used as a CA
6046: should be physically secure and not connected to any network. It should receive any
6047: certificate signing requests (CSRs) via removable media and output certificates onto
6048: removable media. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6049: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6050: The script /etc/pki/tls/misc/CA is included to assist in the process of
6051: setting up a CA. This script uses many settings in /etc/pki/tls/openssl.cnf. The
6052: settings in this file can be changed to suit your needs and allow easier selection of
6053: default settings, particularly in the [req_distinguished_name] section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6054: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6055: To create the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6056: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6057: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/misc <xhtml:br/>
6058: # ./CA -newca <xhtml:br/></xhtml:code>
6059: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6060: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6061: <xhtml:li>When prompted, press enter to create a new CA key with the default name cakey.pem.</xhtml:li>
6062: <xhtml:li>When prompted, enter a password that will protect the private key, then enter the same password
6063: again to verify it.</xhtml:li>
6064: <xhtml:li>At the prompts, fill out as much of the CA information as is relevant for your site. You must specify
6065: a common name, or generation of the CA certificate will fail. </xhtml:li>
6066: <xhtml:li>Next, you will be prompted for the password, so that the script can re-open the private key in order
6067: to write the certificate.</xhtml:li>
6068: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6069: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6070: This step performs the following actions:
6071: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6072: <xhtml:li>creates the directory
6073: /etc/pki/CA (by default), which contains files necessary for the operation of a
6074: certificate authority. These are:
6075: <xhtml:ul>
6076: <xhtml:li>serial, which contains the current serial number for certificates signed by the CA</xhtml:li>
6077: <xhtml:li>index.txt, which is a text database file that contains information about certificates signed</xhtml:li>
6078: <xhtml:li>crl, which is a directory for holding revoked certificates</xhtml:li>
6079: <xhtml:li>private, a directory which stores the CA's private key</xhtml:li>
6080: </xhtml:ul></xhtml:li>
6081: <xhtml:li>creates a public-private key pair for the CA in the file /etc/pki/CA/private/cakey.pem. The
6082: private key must be kept private in order to ensure the security of the certificates the CA will later sign.</xhtml:li>
6083: <xhtml:li>signs the public key (using the corresponding private key, in a process called self-signing) to create the CA
6084: certificate, which is then stored in /etc/pki/CA/cacert.pem. </xhtml:li>
6086: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6087: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6088: When the CA later signs a server certificate using its private
6089: key, it means that it is vouching for the authenticity of that server. A client can then
6090: use the CA's certificate (which contains its public key) to verify the authenticity of
6091: the server certificate. To accomplish this, it is necessary to distribute the CA
6092: certificate to any clients as covered in Section 2.5.6.3.</description>
6093: </Group>
6094: <Group id="group-2.5.6.2" hidden="false">
6095: <title xml:lang="en">Create SSL Certificates for Servers</title>
6096: <description xml:lang="en">
6097: Creating an SSL certificate for a server involves the following steps: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6098: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
6099: <xhtml:li>A public-private key pair for the server must be generated.</xhtml:li>
6100: <xhtml:li>A certificate signing request (CSR) must be created from the key pair.</xhtml:li>
6101: <xhtml:li>The CSR must be signed by a
6102: certificate authority (CA) to create the server certificate. If a CA has been set up as
6103: described in Section 2.5.6.1, it can sign the CSR.</xhtml:li>
6104: <xhtml:li>The server certificate and keys must be installed on the server. </xhtml:li>
6105: </xhtml:ol>
6106: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6107: Instructions on how to generate and sign SSL certificates are provided for the following
6108: common services:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6109: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6110: <xhtml:li>Mail server, in Section 3.11.4.6.</xhtml:li>
6111: <xhtml:li>Dovecot, in Section 3.17.2.2. </xhtml:li>
6112: <xhtml:li>Apache, in Section 3.16.4.1.</xhtml:li>
6113: </xhtml:ul></description>
6114: </Group>
6115: <Group id="group-2.5.6.3" hidden="false">
6116: <title xml:lang="en">Enable Client Support</title>
6117: <description xml:lang="en">
6118: The system ships with certificates from well-known commercial
6119: CAs. If your server certificates were signed by one of these established CAs, then this
6120: step is not necessary since the clients should include the CA certificate already. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6121: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6122: If your servers use certificates signed by your own CA, some user applications will warn
6123: that the server's certificate cannot be verified because the CA is not recognized. Other
6124: applications may simply fail to accept the certificate and refuse to operate, or
6125: continue operating without ever having properly verified the server certificate. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6126: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6127: To avoid this warning, and properly authenticate the servers, your CA certificate must be
6128: exported to every application on every client system that will be connecting to an
6129: SSL-enabled server.</description>
6130: <Group id="group-2.5.6.3.1" hidden="false">
6131: <title xml:lang="en">Adding a Trusted CA for Firefox</title>
6132: <description xml:lang="en">
6133: Firefox needs to have a certificate from the CA that signed
6134: the web server's certificate, so that it can authenticate the web server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6135: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6136: To import a new CA certificate into Firefox 1.5:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6137: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
6138: <xhtml:li>Launch Firefox and choose Preferences from the Edit menu. </xhtml:li>
6139: <xhtml:li>Click the Advanced button.</xhtml:li>
6140: <xhtml:li>Select the Security pane.</xhtml:li>
6141: <xhtml:li>Click the View Certificates button.</xhtml:li>
6142: <xhtml:li>Click the Authorities tab. </xhtml:li>
6143: <xhtml:li>Click the Import button at the bottom of the screen.</xhtml:li>
6144: <xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
6145: </xhtml:ol></description>
6146: </Group>
6147: <Group id="group-2.5.6.3.2" hidden="false">
6148: <title xml:lang="en">Adding a Trusted CA for Thunderbird</title>
6149: <description xml:lang="en">
6150: Thunderbird needs to have a certificate from the CA that
6151: signed the mail server's certificates, so that it can authenticate the mail server(s).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6152: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6153: To import a new CA certificate into Thunderbird 2: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6154: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
6155: <xhtml:li>Launch Thunderbird and choose Account Settings from the Edit menu.</xhtml:li>
6156: <xhtml:li>Click the Advanced button.</xhtml:li>
6157: <xhtml:li>Select the Certificates tab.</xhtml:li>
6158: <xhtml:li>Click the View Certificates button.</xhtml:li>
6159: <xhtml:li>Select the Authorities tab.</xhtml:li>
6160: <xhtml:li>Click the Import button at the bottom of the screen.</xhtml:li>
6161: <xhtml:li>Navigate to the CA certificate and import it. Determine whether the CA should
6162: be used to identify web sites, e-mail users, and software developers and trust it for
6163: each accordingly.</xhtml:li>
6164: </xhtml:ol></description>
6165: </Group>
6166: <Group id="group-2.5.6.3.3" hidden="false">
6167: <title xml:lang="en">Adding a Trusted CA for Evolution</title>
6168: <description xml:lang="en">
6169: The Evolution e-mail client needs to have a certificate from
6170: the CA that signed the mail server's certificates, so that it can authenticate the
6171: mail server(s). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6172: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6173: To import a new CA certificate into Evolution: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6174: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
6175: <xhtml:li>Launch Evolution and choose Preferences from the Edit menu.</xhtml:li>
6176: <xhtml:li>Select Certificates from the icon list on the left.</xhtml:li>
6177: <xhtml:li>Select the Authorities tab.</xhtml:li>
6178: <xhtml:li>Click the Import button.</xhtml:li>
6181: <xhtml:li>Navigate to the CA certificate and import it.</xhtml:li>
6182: </xhtml:ol></description>
6183: </Group>
6184: </Group>
6185: <Group id="group-2.5.6.4" hidden="false">
6186: <title xml:lang="en">Further Resources</title>
6187: <description xml:lang="en">
6188: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6189: <xhtml:li>The OpenSSL Project home page at http://www.openssl.org</xhtml:li>
6190: <xhtml:li>The openssl(1) man page</xhtml:li>
6191: <xhtml:li>Jeremy Mates's how-to: http://sial.org/howto/openssl</xhtml:li>
6192: </xhtml:ul></description>
6193: </Group>
6194: </Group>
6195: <Group id="group-2.5.7" hidden="false">
6196: <title xml:lang="en">Uncommon Network Protocols</title>
6197: <description xml:lang="en">
6198: The system includes support for several network protocols which are not commonly used. Although security
6199: vulnerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic. Ensuring
6200: that uncommon network protocols are disabled reduces the system's exposure to attacks targeted at its implementation of
6201: those protocols.</description>
6202: <Group id="group-2.5.7.1" hidden="false">
6203: <title xml:lang="en">Disable Support for DCCP</title>
6204: <description xml:lang="en">
6205: To prevent the DCCP kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6206: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6207: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install dccp /bin/true<xhtml:br/></xhtml:code>
6208: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6209: The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to
6210: support streaming media and telephony.</description>
6211: <Rule id="rule-2.5.7.1.a" selected="false" weight="10.000000" severity="medium">
6212: <title xml:lang="en">Disable Support for DCCP</title>
6213: <description xml:lang="en">Support for DCCP should be disabled.</description>
6214: <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
6215: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6216: <check-content-ref name="oval:org.fedoraproject.f14:def:201476" href="scap-fedora14-oval.xml"/>
6217: </check>
6218: </Rule>
6219: </Group>
6220: <Group id="group-2.5.7.2" hidden="false">
6221: <title xml:lang="en">Disable Support for SCTP</title>
6222: <description xml:lang="en">
6223: To prevent the SCTP kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6224: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6225: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install sctp /bin/true<xhtml:br/></xhtml:code>
6226: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6227: The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea
6228: of message-oriented communication, with several streams of messages within one connection.</description>
6229: <Rule id="rule-2.5.7.2.a" selected="false" weight="10.000000" severity="medium">
6230: <title xml:lang="en">Disable Support for SCTP</title>
6231: <description xml:lang="en">Support for SCTP should be disabled.</description>
6232: <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
6233: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6234: <check-content-ref name="oval:org.fedoraproject.f14:def:201477" href="scap-fedora14-oval.xml"/>
6235: </check>
6236: </Rule>
6237: </Group>
6238: <Group id="group-2.5.7.3" hidden="false">
6239: <title xml:lang="en">Disable Support for RDS</title>
6240: <description xml:lang="en">
6241: To prevent the RDS kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6242: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6243: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install rds /bin/true<xhtml:br/></xhtml:code>
6244: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6245: The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-
6246: bandwidth, low-latency communications between nodes in a cluster.</description>
6247: <Rule id="rule-2.5.7.3.a" selected="false" weight="10.000000" severity="medium">
6248: <title xml:lang="en">Disable Support for RDS</title>
6249: <description xml:lang="en">Support for RDS should be disabled.</description>
6250: <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
6251: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6252: <check-content-ref name="oval:org.fedoraproject.f14:def:201478" href="scap-fedora14-oval.xml"/>
6253: </check>
6254: </Rule>
6255: </Group>
6256: <Group id="group-2.5.7.4" hidden="false">
6257: <title xml:lang="en">Disable Support for TIPC</title>
6258: <description xml:lang="en">
6259: To prevent the TIPC kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6260: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6261: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install tipc /bin/true<xhtml:br/></xhtml:code>
6262: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6263: The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between
6264: nodes in a cluster.</description>
6265: <Rule id="rule-2.5.7.4.a" selected="false" weight="10.000000" severity="medium">
6266: <title xml:lang="en">Disable Support for TIPC</title>
6267: <description xml:lang="en">Support for TIPC should be disabled.</description>
6268: <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
6269: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6270: <check-content-ref name="oval:org.fedoraproject.f14:def:201479" href="scap-fedora14-oval.xml"/>
6271: </check>
6272: </Rule>
6273: </Group>
6274: </Group>
6275: </Group>
6276: <Group id="group-2.6" hidden="false">
6277: <title xml:lang="en">Logging and Auditing</title>
6278: <description xml:lang="en">
6279: Successful local or network attacks on systems do not necessarily
6280: leave clear evidence of what happened. It is necessary to build a configuration in advance
6281: that collects this evidence, both in order to determine that something anomalous has
6282: occurred, and in order to respond appropriately. In addition, a well-configured logging and
6283: audit infrastructure will show evidence of any misconfiguration which might leave the system
6284: vulnerable to attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6285: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6286: Logging and auditing take different approaches to collecting data. A
6287: logging infrastructure provides a framework for individual programs running on the system to
6288: report whatever events are considered interesting: the sshd program may report each
6289: successful or failed login attempt, while the sendmail program may report each time it sends
6290: an e-mail on behalf of a local or remote user. An auditing infrastructure, on the other
6291: hand, reports each instance of certain low-level events, such as entry to the setuid system
6292: call, regardless of which program caused the event to occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6293: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6294: Auditing has the advantage of
6295: being more comprehensive, but the disadvantage of reporting a large amount of information,
6296: most of which is uninteresting. Logging (particularly using a standard framework like
6297: syslog) has the advantage of being compatible with a wide variety of client applications,
6298: and of reporting only information considered important by each application, but the
6299: disadvantage that the information reported is not consistent between applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6300: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6301: A robust
6302: infrastructure will perform both logging and auditing, and will use configurable automated
6303: methods of summarizing the reported data, so that system administrators can remove or
6304: compress reports of events known to be uninteresting in favor of alert monitoring for events
6305: known to be interesting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6306: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6307: This section discusses how to configure logging, log monitoring,
6308: and auditing, using tools included with RHEL5. It is recommended that syslog be used for
6309: logging, with logwatch providing summarization, and that auditd be used for auditing, with
6310: aureport providing summarization.</description>
6311: <Group id="group-2.6.1" hidden="false">
6312: <title xml:lang="en">Configure Syslog</title>
6313: <description xml:lang="en">
6314: Syslog has been the default Unix logging mechanism for many years. This section
6315: discusses how to configure syslog for best effect, and how to use tools provided with the
6316: system to maintain and monitor your logs.</description>
6317: <Rule id="rule-2.6.1.a" selected="false" weight="10.000000" severity="medium">
6318: <title xml:lang="en">Configure Rsyslog</title>
6319: <description xml:lang="en">The rsyslog service should be enabled.</description>
6320: <ident system="http://cce.mitre.org">CCE-3679-8</ident>
6321: <fix>chkconfig rsyslog on</fix>
6322: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6323: <check-content-ref name="oval:org.fedoraproject.f14:def:20148" href="scap-fedora14-oval.xml"/>
6324: </check>
6325: </Rule>
6326: <Group id="group-2.6.1.1" hidden="false">
6327: <title xml:lang="en">Ensure All Important Messages are Captured</title>
6328: <description xml:lang="en"><xhtml:span xmlns:xhtml="http://www.w3.org/1999/xhtml">Edit the file /etc/syslog.conf. Add or correct whichever of the
6329: following lines are appropriate for your environment: <xhtml:br/>
6330: <xhtml:br/>
6331: auth,user.* /var/log/messages<xhtml:br/>
6332: kern.* /var/log/kern.log <xhtml:br/>
6333: daemon.* /var/log/daemon.log <xhtml:br/>
6334: syslog.* /var/log/syslog<xhtml:br/>
6335: lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log<xhtml:br/></xhtml:span>
6336: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6337: When a message is sent to syslog for logging, it is sent with a facility name (such as
6338: mail, auth, or local2), and a priority (such as debug, notice, or emerg). Each line of
6339: syslog's configuration file is a directive which specifies a set of facility/priority
6340: pairs, and then gives a filename or host to which log messages of matching types should
6341: be sent. In order for a message to match a type, the facility must match, and the
6342: priority must be the priority named in the rule or any higher priority. (See
6343: syslog.conf(5) for an ordered list of priorities.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6344: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6345: Older versions of syslog mandated a
6346: very restrictive format for the syslog.conf file. However, the version of syslog shipped
6347: with RHEL5 allows any sort of whitespace (spaces or tabs, not just tabs) to separate the
6348: selection criteria from the message disposition, and allows the use of facility.* as a
6349: wildcard matching a given facility at any priority. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6350: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6351: The default RHEL5 syslog
6352: configuration stores the facilities authpriv, cron, and mail in named logs. This guide
6353: describes the implementation of the following configuration, but any configuration which
6354: stores the important facilities and is usable by the administrators will suffice:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6355: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6356: <xhtml:li>Store each of the facilities kern, daemon, and syslog in its own log, so that it will be
6357: easy to access information about messages from those facilities. </xhtml:li>
6358: <xhtml:li>Restrict the
6359: information stored in /var/log/messages to only the facilities auth and user, and store
6360: all messages from those facilities. Messages can easily become cluttered otherwise. </xhtml:li>
6361: <xhtml:li>Store information about all facilities which should not be in use at this site in a file
6362: called /var/log/unused.log. If any messages are logged to this file at some future
6363: point, this may be an indication that an unknown service is running, and should be
6364: investigated. In addition, if news and uucp are not in use at this site, remove the
6365: directive from the default syslog.conf which stores those facilities. </xhtml:li>
6366: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6367: Making use of the
6368: local facilities is also recommended. Specific configuration is beyond the scope of this
6369: guide, but applications such as SSH can easily be configured to log to a local facility
6370: which is not being used for anything else. If this is done, reconfigure /etc/syslog.conf
6371: to store this facility in an appropriate named log or in /var/log/messages, rather than
6372: in /var/log/unused.log.</description>
6373: </Group>
6374: <Group id="group-2.6.1.2" hidden="false">
6375: <title xml:lang="en">Confirm Existence and Permissions of System Log Files</title>
6376: <description xml:lang="en">
6377: For each log file LOGFILE referenced in /etc/syslog.conf, run
6378: the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6379: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6380: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># touch LOGFILE<xhtml:br/>
6381: # chown root:root LOGFILE <xhtml:br/>
6382: # chmod 0600 LOGFILE <xhtml:br/></xhtml:code>
6383: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6384: Syslog will
6385: refuse to log to a file which does not exist. All messages intended for that file will
6386: be silently discarded, so it is important to verify that all log files exist. Some logs
6387: may contain sensitive information, so it is better to restrict permissions so that only
6388: administrative users can read or write logfiles.</description>
6389: <Value id="var-2.6.1.2.a" operator="equals" type="string">
6390: <title xml:lang="en">User who owns log files</title>
6391: <description xml:lang="en">Specify user owner of all logfiles specified in /etc/syslog.conf.</description>
6392: <question xml:lang="en">Specify user owner of all logfiles specified in /etc/syslog.conf</question>
6393: <value>root</value>
6394: <value selector="root">root</value>
6395: </Value>
6396: <Value id="var-2.6.1.2.b" operator="equals" type="string">
6397: <title xml:lang="en">Group who owns log files</title>
6398: <description xml:lang="en">Specify group owner of all logfiles specified in /etc/syslog.conf.</description>
6399: <question xml:lang="en">Specify group owner of all logfiles specified in /etc/syslog.conf</question>
6400: <value>root</value>
6401: <value selector="root">root</value>
6402: </Value>
6403: <Value id="var-2.6.1.2.c" operator="equals" type="string">
6404: <title xml:lang="en">File permissions on logfiles</title>
6405: <description xml:lang="en">Specify file permissions of all logfiles specified in /etc/syslog.conf.</description>
6406: <question xml:lang="en">Specify permissions of all logfiles specified in /etc/syslog.conf</question>
6407: <value>110000000</value>
6408: <value selector="400">100000000</value>
6409: <value selector="600">110000000</value>
6410: <value selector="700">111000000</value>
6411: </Value>
6412: <Rule id="rule-2.6.1.2.a" selected="false" weight="10.000000" severity="medium">
6413: <title xml:lang="en">Confirm user that owns System Log Files</title>
6414: <description xml:lang="en">All syslog log files should be owned by root.</description>
6415: <ident system="http://cce.mitre.org">CCE-4366-1</ident>
6416: <fixtext xml:lang="en">(1) via chown</fixtext>
6417: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6418: <check-export export-name="oval:org.fedoraproject.f14:var:20149" value-id="var-2.6.1.2.a"/>
6419: <check-content-ref name="oval:org.fedoraproject.f14:def:20149" href="scap-fedora14-oval.xml"/>
6420: </check>
6421: </Rule>
6422: <Rule id="rule-2.6.1.2.b" selected="false" weight="10.000000" severity="medium">
6423: <title xml:lang="en">Confirm group that owns System Log Files</title>
6424: <description xml:lang="en">All syslog log files should be group owned by root.</description>
6425: <ident system="http://cce.mitre.org">CCE-3701-0</ident>
6426: <fixtext xml:lang="en">(1) via chown</fixtext>
6427: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6428: <check-export export-name="oval:org.fedoraproject.f14:var:20150" value-id="var-2.6.1.2.b"/>
6429: <check-content-ref name="oval:org.fedoraproject.f14:def:20150" href="scap-fedora14-oval.xml"/>
6430: </check>
6431: </Rule>
6432: <Rule id="rule-2.6.1.2.c" selected="false" weight="10.000000" severity="medium">
6433: <title xml:lang="en">Confirm Permissions of System Log Files</title>
6434: <description xml:lang="en">File permissions for all syslog log files should be set correctly.</description>
6435: <ident system="http://cce.mitre.org">CCE-4233-3</ident>
6436: <fixtext xml:lang="en">(1) via chmod</fixtext>
6437: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6438: <check-export export-name="oval:org.fedoraproject.f14:var:20151" value-id="var-2.6.1.2.c"/>
6439: <check-content-ref name="oval:org.fedoraproject.f14:def:20151" href="scap-fedora14-oval.xml"/>
6440: </check>
6441: </Rule>
6442: </Group>
6443: <Group id="group-2.6.1.3" hidden="false">
6444: <title xml:lang="en">Send Logs to a Remote Loghost</title>
6445: <description xml:lang="en">
6446: Edit /etc/syslog.conf. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6447: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6448: *.* @loghost.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6449: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6450: where loghost.example.com is the name of your central log server.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6451: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6452: If system logs are to be useful in detecting malicious activities, it is necessary to
6453: send logs to a remote server. An intruder who has compromised the root account on a
6454: machine may delete the log entries which indicate that the system was attacked before
6455: they are seen by an administrator. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6456: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6457: However, it is recommended that logs be stored on the
6458: local host in addition to being sent to the loghost, because syslog uses the UDP
6459: protocol to send messages over a network. UDP does not guarantee reliable delivery, and
6460: moderately busy sites will lose log messages occasionally, especially in periods of high
6461: traffic which may be the result of an attack. In addition, remote syslog messages are
6462: not authenticated in any way, so it is easy for an attacker to introduce spurious
6463: messages to the central log server. Also, some problems cause loss of network
6464: connectivity, which will prevent the sending of messages to the central server. For all
6465: of these reasons, it is better to store log messages both centrally and on each host, so
6466: that they can be correlated if necessary.</description>
6467: <Rule id="rule-2.6.1.3.a" selected="false" weight="10.000000" severity="medium">
6468: <title xml:lang="en">Send Logs to a Remote Loghost</title>
6469: <description xml:lang="en">Syslog logs should be sent to a remote loghost.</description>
6470: <ident system="http://cce.mitre.org">CCE-4260-6</ident>
6471: <fixtext xml:lang="en">(1) via /etc/syslog.conf</fixtext>
6472: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6473: <check-content-ref name="oval:org.fedoraproject.f14:def:20152" href="scap-fedora14-oval.xml"/>
6474: </check>
6475: </Rule>
6476: </Group>
6477: <Group id="group-2.6.1.4" hidden="false">
6478: <title xml:lang="en">Enable syslogd to Accept Remote Messages on Loghosts Only</title>
6479: <description xml:lang="en">
6480: Is this machine the central log server for your organization?
6481: If so, edit the file /etc/sysconfig/syslog. Add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6482: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6483: SYSLOGD_OPTIONS="-m 0 -r -s example.com " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6484: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6485: where example.com is the name of your domain.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6486: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6487: If the machine is not a log server, edit /etc/sysconfig/syslog, and instead add or
6488: correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6489: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6490: SYSLOGD_OPTIONS="-m 0" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6491: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6492: By default, RHEL5's syslog does not listen over
6493: the network for log messages. The -r flag enables syslogd to listen over a network, and
6494: should be used only if necessary. The -s example.com flag strips the domain name
6495: example.com from each sending machine's hostname before logging messages from that host,
6496: to reduce the amount of redundant information placed in log files. See the syslogd(8)
6497: man page for further information.</description>
6498: <Rule id="rule-2.6.1.4.a" selected="false" weight="10.000000" severity="medium">
6499: <title xml:lang="en">Disable syslogd from Accepting Remote Messages on Hosts Other Than the Loghost</title>
6500: <description xml:lang="en">Syslogd should reject remote messages.</description>
6501: <ident system="http://cce.mitre.org">CCE-3382-9</ident>
6502: <fixtext xml:lang="en">(1) via /etc/sysconfig/syslog</fixtext>
6503: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6504: <check-content-ref name="oval:org.fedoraproject.f14:def:20153" href="scap-fedora14-oval.xml"/>
6505: </check>
6506: </Rule>
6507: </Group>
6508: <Group id="group-2.6.1.5" hidden="false">
6509: <title xml:lang="en">Ensure All Logs are Rotated by logrotate</title>
6510: <description xml:lang="en">
6511: Edit the file /etc/logrotate.d/syslog. Find the first line,
6512: which should look like this (wrapped for clarity): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6513: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6514: /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
6515: /var/log/boot.log /var/log/cron { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6516: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6517: Edit this line so
6518: that it contains a one-space-separated listing of each log file referenced in
6519: /etc/syslog.conf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6520: All logs in use on a system must be rotated regularly, or the log
6521: files will consume disk space over time, eventually interfering with system operation.
6522: The file /etc/logrotate.d/syslog is the configuration file used by the logrotate program
6523: to maintain all log files written by syslog. By default, it rotates logs weekly and
6524: stores four archival copies of each log. These settings can be modified by editing
6525: /etc/logrotate.conf, but the defaults are sufficient for purposes of this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6526: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6527: Note
6528: that logrotate is run nightly by the cron job /etc/cron.daily/logrotate. If particularly
6529: active logs need to be rotated more often than once a day, some other mechanism must be
6530: used.</description>
6531: <Rule id="rule-2.6.1.5.a" selected="false" weight="10.000000" severity="medium">
6532: <title xml:lang="en">Ensure All Logs are Rotated by logrotate</title>
6533: <description xml:lang="en">The logrotate (syslog rotater) service should be enabled.</description>
6534: <ident system="http://cce.mitre.org">CCE-4182-2</ident>
6535: <fixtext xml:lang="en">(1) via cron</fixtext>
6536: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6537: <check-content-ref name="oval:org.fedoraproject.f14:def:20154" href="scap-fedora14-oval.xml"/>
6538: </check>
6539: </Rule>
6540: </Group>
6541: <Group id="group-2.6.1.6" hidden="false">
6542: <title xml:lang="en">Monitor Suspicious Log Messages using Logwatch</title>
6543: <description xml:lang="en">
6544: The system includes an extensible program called Logwatch for
6545: reporting on unusual items in syslog. Logwatch is valuable because it provides a parser
6546: for the syslog entry format and a number of signatures for types of lines which are
6547: considered to be mundane or noteworthy. Logwatch has a number of downsides: the
6548: signatures can be inaccurate and are not always categorized consistently, and you must
6549: be able to program in Perl in order to customize the signature database. However, it is
6550: recommended that all Linux sites which do not have time to deploy a third-party log
6551: monitoring application run Logwatch in its default configuration. This provides some
6552: useful information about system activity in exchange for very little administrator
6553: effort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6554: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6555: This guide recommends that Logwatch be run only on the central logserver, if
6556: your site has one, in order to focus administrator attention by sending all daily logs
6557: in a single e-mail.</description>
6558: <Rule id="rule-2.6.1.6.a" selected="false" weight="10.000000" severity="medium">
6559: <title xml:lang="en">Monitor Suspicious Log Messages using Logwatch</title>
6560: <description xml:lang="en">The logwatch service should be enabled.</description>
6561: <ident system="http://cce.mitre.org">CCE-4323-2</ident>
6562: <fixtext xml:lang="en">(1) via cron</fixtext>
6563: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6564: <check-content-ref name="oval:org.fedoraproject.f14:def:20155" href="scap-fedora14-oval.xml"/>
6565: </check>
6566: </Rule>
6567: <Group id="group-2.6.1.6.1" hidden="false">
6568: <title xml:lang="en">Configure Logwatch on the Central Log Server</title>
6569: <description xml:lang="en">
6570: Is this machine the central log server? If so, edit the file
6571: /etc/logwatch/conf/logwatch.conf. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6572: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6573: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">HostLimit = no<xhtml:br/>
6574: SplitHosts = yes <xhtml:br/>
6575: MultiEmail = no <xhtml:br/>
6576: Service = -zz-disk_space <xhtml:br/></xhtml:code>
6577: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6578: Ensure that logwatch.pl is run nightly from cron (this is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6579: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6580: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/cron.daily <xhtml:br/>
6581: # ln -s /usr/share/logwatch/scripts/logwatch.pl 0logwatch <xhtml:br/></xhtml:code>
6582: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6583: On a central logserver, you want
6584: Logwatch to summarize all syslog entries, including those which did not originate on
6585: the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not
6586: just the one on which it is running. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6587: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6588: If SplitHosts is set, Logwatch will separate
6589: entries by hostname. This makes the report longer but significantly more usable. If it
6590: is not set, then Logwatch will not report which host generated a given log entry, and
6591: that information is almost always necessary. If MultiEmail is set, then each host's
6592: information will be sent in a separate e-mail message. This is a matter of preference.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6593: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6594: The Service directive -zz-disk_space tells Logwatch not to run the zz-disk_space
6595: report, which reports on free disk space. Since all log monitoring is being done on
6596: the central logserver, the disk space listing will always be that of the logserver,
6597: regardless of which host is being monitored. This is confusing, so disable that
6598: service. Note that this does mean that Logwatch will not monitor disk usage
6599: information. Many workarounds are possible, such as running df on each host daily via
6600: cron and sending the output to syslog so that it will be reported to the logserver.</description>
6601: </Group>
6602: <Group id="group-2.6.1.6.2" hidden="false">
6603: <title xml:lang="en">Disable Logwatch on Clients if a Logserver Exists</title>
6604: <description xml:lang="en">
6605: Does your site have a central logserver which has been
6606: configured to report on logs received from all systems? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6607: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6608: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/cron.daily/0logwatch <xhtml:br/></xhtml:code>
6609: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6610: If no logserver exists, it will be necessary for each
6611: machine to run Logwatch individually. Using a central logserver provides the security
6612: and reliability benefits discussed earlier, and also makes monitoring logs easier and
6613: less time-intensive for administrators.</description>
6614: </Group>
6615: </Group>
6616: </Group>
6617: <Group id="group-2.6.2" hidden="false">
6618: <title xml:lang="en">System Accounting with auditd</title>
6619: <description xml:lang="en">
6620: The audit service is the current Linux recommendation for
6621: kernel-level auditing. By default, the service audits SELinux AVC denials and
6622: certain types of security-relevant events such as system logins, account modifications,
6623: and authentication events performed by programs such as sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6624: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6625: Under its default
6626: configuration, auditd has modest disk space requirements, and should not noticeably impact
6627: system performance. The audit service, in its default configuration, is strongly
6628: recommended for all sites, regardless of whether they are running SELinux. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6629: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6630: DoD or federal networks often have substantial auditing requirements and auditd can be
6631: configured to meet these requirements.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6632: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6633: Typical DoD requirements include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6634: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6635: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6636: <xhtml:li>Ensure Auditing is Configured to Collect Certain System Events
6637: <xhtml:ul>
6638: <xhtml:li>Information on the Use of Print Command (unsuccessful and successful)</xhtml:li>
6639: <xhtml:li>Startup and Shutdown Events (unsuccessful and successful)</xhtml:li>
6640: </xhtml:ul>
6641: </xhtml:li>
6642: <xhtml:li>Ensure the auditing software can record the following for each audit event:
6643: <xhtml:ul>
6644: <xhtml:li>Date and time of the event</xhtml:li>
6645: <xhtml:li>Userid that initiated the event</xhtml:li>
6646: <xhtml:li>Type of event</xhtml:li>
6647: <xhtml:li>Success or failure of the event</xhtml:li>
6648: <xhtml:li>For I&amp;A events, the origin of the request (e.g., terminal ID)</xhtml:li>
6649: <xhtml:li>For events that introduce an object into a user’s address space, and for object deletion events, the
6650: name of the object, and in MLS systems, the object's security level.</xhtml:li>
6651: </xhtml:ul>
6652: </xhtml:li>
6653: <xhtml:li>Ensure files are backed up no less than weekly onto a different system than the system being audited or
6654: backup media.</xhtml:li>
6655: <xhtml:li>Ensure old logs are closed out and new audit logs are started daily</xhtml:li>
6656: <xhtml:li>Ensure the configuration is immutable. With the -e 2 setting a reboot will be required to change any audit
6657: rules.</xhtml:li>
6658: <xhtml:li>Ensure that the audit data files have permissions of 640, or more restrictive.</xhtml:li>
6659: </xhtml:ul>
6660: </description>
6661: <Group id="group-2.6.2.1" hidden="false">
6662: <title xml:lang="en">Enable the auditd Service</title>
6663: <description xml:lang="en">
6664: Ensure that the auditd service is enabled (this is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6665: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6666: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig auditd on <xhtml:br/></xhtml:code>
6667: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6668: By default, auditd logs only SELinux denials, which are
6669: helpful for debugging SELinux and discovering intrusion attempts, and certain types of
6670: security events, such as modifications to user accounts (useradd, passwd, etc), login
6671: events, and calls to sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6672: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6673: Data is stored in /var/log/audit/audit.log. By default,
6674: auditd rotates 4 logs by size (5MB), retaining a maximum of 20MB of data in total, and
6675: refuses to write entries when the disk is too full. This minimizes the risk of audit
6676: data filling its partition and impacting other services. However, it is possible to lose
6677: audit data if the system is busy.</description>
6678: <Rule id="rule-2.6.2.1.a" selected="false" weight="10.000000" severity="medium">
6679: <title xml:lang="en">Enable the auditd Service</title>
6680: <description xml:lang="en">The auditd service should be enabled.</description>
6681: <ident system="http://cce.mitre.org">CCE-4292-9</ident>
6682: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
6683: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6684: <check-content-ref name="oval:org.fedoraproject.f14:def:20156" href="scap-fedora14-oval.xml"/>
6685: </check>
6686: </Rule>
6687: </Group>
6688: <Group id="group-2.6.2.2" hidden="false">
6689: <title xml:lang="en">Configure auditd Data Retention</title>
6690: <description xml:lang="en">
6691: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6692: <xhtml:li>Determine STOREMB, the amount of audit data (in megabytes) which should be retained in each log
6693: file. Edit the file /etc/audit/auditd.conf. Add or modify the following line:<xhtml:br/>
6694: <xhtml:br/>
6695: max_log_file = STOREMB</xhtml:li>
6696: <xhtml:li>Use a dedicated partition (or logical volume) for log files. It is straightforward to create such a partition
6697: or logical volume during system installation time. The partition should be larger than the maximum
6698: space which auditd will ever use, which is the maximum size of each log file (max_log_file) multiplied
6699: by the number of log files (num_logs). Ensure the partition is mounted on /var/log/audit.</xhtml:li>
6700: <xhtml:li>If your site requires that the machine be disabled when auditing cannot be performed, configure auditd
6701: to halt the system when disk space for auditing runs low. Edit /etc/audit/auditd.conf, and add or
6702: correct the following lines:<xhtml:br/>
6703: <xhtml:br/>
6704: space_left_action = email<xhtml:br/>
6705: action_mail_acct = root<xhtml:br/>
6706: admin_space_left_action = halt<xhtml:br/></xhtml:li>
6707: </xhtml:ul>
6708: The default action to take when the logs reach their maximum size is to rotate the log files, discarding the
6709: oldest one. If it is more important to retain all possible auditing information, even if that opens the possibility
6710: of running out of space and taking the action defined by admin_space_left_action, add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6711: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6712: max_log_file_action = keep_logs<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6713: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6714: By default, auditd retains 4 log files of size 5MB apiece. For a busy system or a system which is thoroughly
6715: auditing system activity, this is likely to be insufficient.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6716: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6717: The log file size needed will depend heavily on what types of events are being audited. First configure auditing
6718: to log all the events of interest. Then monitor the log size manually for a while to determine what file size will
6719: allow you to keep the required data for the correct time period.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6720: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6721: Using a dedicated partition for /var/log/audit prevents the auditd logs from disrupting system functionality if
6722: they fill, and, more importantly, prevents other activity in /var from filling the partition and stopping the audit
6723: trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.)
6724: Some machines may have requirements that no actions occur which cannot be audited. If this is the case, then
6725: auditd can be configured to halt the machine if it runs out of space.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6726: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6727: Note: Since older logs are rotated, configuring auditd this way does not prevent older logs from being rotated
6728: away before they can be viewed.
6729: </description>
6730: <warning xml:lang="en">If your system is configured to halt when logging cannot be performed, make sure this can never
6731: happen under normal circumstances! Ensure that /var/log/audit is on its own partition, and
6732: that this partition is larger than the maximum amount of data auditd will retain normally.</warning>
6733: </Group>
6734: <Group id="group-2.6.2.3" hidden="false">
6735: <title xml:lang="en">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
6736: <description xml:lang="en">
6737: To ensure that all processes can be audited, even those which start prior to the audit daemon, add the
6738: argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6739: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6740: kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6741: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6742: Each process on the system carries an “auditable” flag which indicates whether its activities can be audited.
6743: Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel
6744: argument ensures that it is set for every process during boot.
6745: </description>
6746: <Rule id="rule-2.6.2.3.a" selected="false" weight="10.000000" severity="medium">
6747: <title xml:lang="en">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
6748: <description xml:lang="en">
6749: To ensure that all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1
6750: to the kernel line in /etc/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6751: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</description>
6752: <fixtext xml:lang="en">(1) via /etc/grub.conf add audit=1 to kernel line</fixtext>
6753: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6754: <check-content-ref name="oval:org.fedoraproject.f14:def:20157" href="scap-fedora14-oval.xml"/>
6755: </check>
6756: </Rule>
6757: </Group>
6758: <Group id="group-2.6.2.4" hidden="false">
6759: <title xml:lang="en">Configure auditd Rules for Comprehensive Auditing</title>
6760: <description xml:lang="en">
6761: The auditd program can perform comprehensive monitoring of system activity. This section describes
6762: recommended configuration settings for comprehensive auditing, but a full description of the auditing system’s
6763: capabilities is beyond the scope of this guide. The mailing list linux-audit@redhat.com may be a good source
6764: of further information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6765: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6766: The audit subsystem supports extensive collection of events, including:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6767: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
6768: <xhtml:li>Tracing of arbitrary system calls (identified by name or number) on entry or exit.</xhtml:li>
6769: <xhtml:li>Filtering by PID, UID, call success, system call argument (with some limitations), etc.</xhtml:li>
6770: <xhtml:li>Monitoring of specific files for modifications to the file’s contents or metadata.</xhtml:li>
6771: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6772: Auditing rules are controlled in the file /etc/audit/audit.rules. Add rules to it to meet the auditing
6773: requirements for your organization. Each line in /etc/audit/audit.rules represents a series of arguments that
6774: can be passed to auditctl and can be individually tested as such. See documentation in
6775: /usr/share/doc/audit-version and in the related man pages for more details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6776: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6777: Recommended audit rules are provided in /usr/share/doc/audit-version/stig.rules. In order to activate
6778: those rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6779: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6780: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules<xhtml:br/></xhtml:code>
6781: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6782: and then edit /etc/audit/audit.rules and comment out the lines containing arch= which are not appropriate
6783: for your system’s architecture. Then review and understand the following rules, ensuring rules are activated as
6784: needed for the appropriate architecture.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6785: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6786: After reviewing all the rules, reading the following sections, and editing as needed, activate the new rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6787: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6788: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service auditd restart</xhtml:code></description>
6789: <Group id="group-2.6.2.4.1" hidden="false">
6790: <title xml:lang="en">Records Events that Modify Date and Time Information</title>
6791: <description xml:lang="en">
6792: Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your
6793: system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6794: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6795: -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6796: -a always,exit -F arch=ARCH -S clock_settime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6797: -w /etc/localtime -p wa -k time-change
6798: </description>
6799: <Rule id="rule-2.6.2.4.1.a" selected="false" weight="10.000000" severity="medium">
6800: <title xml:lang="en">Records Events that Modify Date and Time Information</title>
6801: <description xml:lang="en">Audit rules about time</description>
6802: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6803: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6804: <check-content-ref name="oval:org.fedoraproject.f14:def:201575" href="scap-fedora14-oval.xml"/>
6805: </check>
6806: </Rule>
6807: </Group>
6808: <Group id="group-2.6.2.4.2" hidden="false">
6809: <title xml:lang="en">Record Events that Modify User/Group Information</title>
6810: <description xml:lang="en">
6811: Add the following to /etc/audit/audit.rules, in order to capture events that modify account changes:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6812: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6813: -w /etc/group -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6814: -w /etc/passwd -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6815: -w /etc/gshadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6816: -w /etc/shadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6817: -w /etc/security/opasswd -p wa -k identity
6818: </description>
6819: <Rule id="rule-2.6.2.4.2.a" selected="false" weight="10.000000" severity="medium">
6820: <title xml:lang="en">Record Events that Modify User/Group Information</title>
6821: <description xml:lang="en">Audit rules about User/Group Information</description>
6822: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6823: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
6824: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6825: <check-content-ref name="oval:org.fedoraproject.f14:def:20158" href="scap-fedora14-oval.xml"/>
6826: </check>
6827: </Rule>
6828: </Group>
6829: <Group id="group-2.6.2.4.3" hidden="false">
6830: <title xml:lang="en">Record Events that Modify the System’s Network Environment</title>
6831: <description xml:lang="en">
6832: Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your
6833: system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6834: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6835: -a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6836: -w /etc/issue -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6837: -w /etc/issue.net -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6838: -w /etc/hosts -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6839: -w /etc/sysconfig/network -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6840: </description>
6841: <Rule id="rule-2.6.2.4.3.a" selected="false" weight="10.000000" severity="medium">
6842: <title xml:lang="en">Record Events that Modify the System’s Network Environment</title>
6843: <description xml:lang="en">Audit rules about the System’s Network Environment</description>
6844: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6845: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
6846: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6847: <check-content-ref name="oval:org.fedoraproject.f14:def:20159" href="scap-fedora14-oval.xml"/>
6848: </check>
6849: </Rule>
6850: </Group>
6851: <Group id="group-2.6.2.4.4" hidden="false">
6852: <title xml:lang="en">Record Events that Modify the System’s Mandatory Access Controls</title>
6853: <description xml:lang="en">
6854: Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6855: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6856: -w /etc/selinux/ -p wa -k MAC-policy
6857: </description>
6858: <Rule id="rule-2.6.2.4.4.a" selected="false" weight="10.000000" severity="medium">
6859: <title xml:lang="en">Record Events that Modify the System’s Mandatory Access Controls</title>
6860: <description xml:lang="en">Audit rules about the System’s Mandatory Access Controls</description>
6861: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6862: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
6863: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6864: <check-content-ref name="oval:org.fedoraproject.f14:def:20160" href="scap-fedora14-oval.xml"/>
6865: </check>
6866: </Rule>
6867: </Group>
6868: <Group id="group-2.6.2.4.5" hidden="false">
6869: <title xml:lang="en">Ensure auditd Collects Logon and Logout Events</title>
6870: <description xml:lang="en">
6871: At a minimum the audit system should collect login info for all users and root. Add the following to
6872: /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6873: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6874: -w /var/log/faillog -p wa -k logins<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6875: -w /var/log/lastlog -p wa -k logins
6876: </description>
6877: <Rule id="rule-2.6.2.4.5.a" selected="false" weight="10.000000" severity="medium">
6878: <title xml:lang="en">Ensure auditd Collects Logon and Logout Events</title>
6879: <description xml:lang="en">Audit rules about the Logon and Logout Events</description>
6880: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6881: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6882: <check-content-ref name="oval:org.fedoraproject.f14:def:20161" href="scap-fedora14-oval.xml"/>
6883: </check>
6884: </Rule>
6885: </Group>
6886: <Group id="group-2.6.2.4.6" hidden="false">
6887: <title xml:lang="en">Ensure auditd Collects Process and Session Initiation Information</title>
6888: <description xml:lang="en">
6889: At a minimum the audit system should collect process information for all users and root. Add the following
6890: to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6891: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6892: -w /var/run/utmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6893: -w /var/log/btmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6894: -w /var/log/wtmp -p wa -k session
6895: </description>
6896: <Rule id="rule-2.6.2.4.6.a" selected="false" weight="10.000000" severity="medium">
6897: <title xml:lang="en">Ensure auditd Collects Process and Session Initiation Information</title>
6898: <description xml:lang="en">Audit rules about the Process and Session Initiation Information</description>
6899: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6900: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6901: <check-content-ref name="oval:org.fedoraproject.f14:def:20162" href="scap-fedora14-oval.xml"/>
6902: </check>
6903: </Rule>
6904: </Group>
6905: <Group id="group-2.6.2.4.7" hidden="false">
6906: <title xml:lang="en">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
6907: <description xml:lang="en">
6908: At a minimum the audit system should collect file permission changes for all users and root. Add the
6909: following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6910: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6911: -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6912: -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6913: -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6914: -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6915: -a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6916: lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
6917: </description>
6918: <Rule id="rule-2.6.2.4.7.a" selected="false" weight="10.000000" severity="medium">
6919: <title xml:lang="en">Ensure auditd Collects Discretionary Access Control Permission Modification Events</title>
6920: <description xml:lang="en">Audit rules about the Discretionary Access Control Permission Modification Events</description>
6921: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6922: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
6923: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6924: <check-content-ref name="oval:org.fedoraproject.f14:def:20163" href="scap-fedora14-oval.xml"/>
6925: </check>
6926: </Rule>
6927: </Group>
6928: <Group id="group-2.6.2.4.8" hidden="false">
6929: <title xml:lang="en">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
6930: <description xml:lang="en">
6931: At a minimum the audit system should collect unauthorized file accesses for all users and root. Add the
6932: following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6933: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6934: -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6935: -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6936: -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6937: -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
6938: </description>
6939: <Rule id="rule-2.6.2.4.8.a" selected="false" weight="10.000000" severity="medium">
6940: <title xml:lang="en">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
6941: <description xml:lang="en">Audit rules about the Unauthorized Access Attempts to Files (unsuccessful)</description>
6942: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6943: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
6944: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6945: <check-content-ref name="oval:org.fedoraproject.f14:def:20164" href="scap-fedora14-oval.xml"/>
6946: </check>
6947: </Rule>
6948: </Group>
6949: <Group id="group-2.6.2.4.9" hidden="false">
6950: <title xml:lang="en">Ensure auditd Collects Information on the Use of Privileged Commands</title>
6951: <description xml:lang="en">
6952: At a minimum the audit system should collect the execution of privileged commands for all users and root.
6953: Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6954: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6955: -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6956: -k privileged
6957: </description>
6958: <Rule id="rule-2.6.2.4.9.a" selected="false" weight="10.000000" severity="medium">
6959: <title xml:lang="en">Ensure auditd Collects Information on the Use of Privileged Commands</title>
6960: <description xml:lang="en">Audit rules about the Information on the Use of Privileged Commands</description>
6961: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6962: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
6963: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6964: <check-content-ref name="oval:org.fedoraproject.f14:def:20165" href="scap-fedora14-oval.xml"/>
6965: </check>
6966: </Rule>
6967: </Group>
6968: <Group id="group-2.6.2.4.10" hidden="false">
6969: <title xml:lang="en">Ensure auditd Collects Information on Exporting to Media (successful)</title>
6970: <description xml:lang="en">
6971: At a minimum the audit system should collect media exportation events for all users and root. Add the
6972: following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6973: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6974: -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
6975: </description>
6976: <Rule id="rule-2.6.2.4.10.a" selected="false" weight="10.000000" severity="medium">
6977: <title xml:lang="en">Ensure auditd Collects Information on Exporting to Media (successful)</title>
6978: <description xml:lang="en">Audit rules about the Information on Exporting to Media (successful)</description>
6979: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6980: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
6981: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
6982: <check-content-ref name="oval:org.fedoraproject.f14:def:20166" href="scap-fedora14-oval.xml"/>
6983: </check>
6984: </Rule>
6985: </Group>
6986: <Group id="group-2.6.2.4.11" hidden="false">
6987: <title xml:lang="en">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
6988: <description xml:lang="en">
6989: At a minimum the audit system should collect file deletion events for all users and root. Add the following
6990: to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6991: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6992: -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
6993: -F auid!=4294967295 -k delete
6994: </description>
6995: <Rule id="rule-2.6.2.4.11.a" selected="false" weight="10.000000" severity="medium">
6996: <title xml:lang="en">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title>
6997: <description xml:lang="en">Audit rules about the Files Deletion Events by User (successful and unsuccessful)</description>
6998: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
6999: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
7000: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7001: <check-content-ref name="oval:org.fedoraproject.f14:def:20167" href="scap-fedora14-oval.xml"/>
7002: </check>
7003: </Rule>
7004: </Group>
7005: <Group id="group-2.6.2.4.12" hidden="false">
7006: <title xml:lang="en">Ensure auditd Collects System Administrator Actions</title>
7007: <description xml:lang="en">
7008: At a minimum the audit system should collect administrator actions for all users and root. Add the following
7009: to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7010: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7011: -w /etc/sudoers -p wa -k actions</description>
7012: <Rule id="rule-2.6.2.4.12.a" selected="false" weight="10.000000" severity="medium">
7013: <title xml:lang="en">Ensure auditd Collects System Administrator Actions</title>
7014: <description xml:lang="en">Audit rules about the System Administrator Actions</description>
7015: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
7016: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
7017: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7018: <check-content-ref name="oval:org.fedoraproject.f14:def:20168" href="scap-fedora14-oval.xml"/>
7019: </check>
7020: </Rule>
7021: </Group>
7022: <Group id="group-2.6.2.4.13" hidden="false">
7023: <title xml:lang="en">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
7024: <description xml:lang="en">
7025: Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading
7026: events:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7027: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7028: -w /sbin/insmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7029: -w /sbin/rmmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7030: -w /sbin/modprobe -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7031: -a always,exit -S init_module -S delete_module -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7032: </description>
7033: <Rule id="rule-2.6.2.4.13.a" selected="false" weight="10.000000" severity="medium">
7034: <title xml:lang="en">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
7035: <description xml:lang="en">Audit rules about the Information on Kernel Module Loading and Unloading</description>
7036: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
7037: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7038: <check-content-ref name="oval:org.fedoraproject.f14:def:201685" href="scap-fedora14-oval.xml"/>
7039: </check>
7040: </Rule>
7041: </Group>
7042: <Group id="group-2.6.2.4.14" hidden="false">
7043: <title xml:lang="en">Make the auditd Configuration Immutable</title>
7044: <description xml:lang="en">
7045: Add the following to /etc/audit/audit.rules in order to make the configuration immutable:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7046: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7047: -e 2<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7048: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7049: With this setting, a reboot will be required to change any audit rules.
7050: </description>
7051: <Rule id="rule-2.6.2.4.14.a" selected="false" weight="10.000000" severity="medium">
7052: <title xml:lang="en">Make the auditd Configuration Immutable</title>
7053: <description xml:lang="en">Force a reboot to change audit rules</description>
7054: <fixtext xml:lang="en">(1) via /etc/audit/audit.rules</fixtext>
7055: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
7056: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7057: <check-content-ref name="oval:org.fedoraproject.f14:def:20169" href="scap-fedora14-oval.xml"/>
7058: </check>
7059: </Rule>
7060: </Group>
7061: </Group>
7062: <Group id="group-2.6.2.5" hidden="false">
7063: <title xml:lang="en">Summarize and Review Audit Logs using aureport</title>
7064: <description xml:lang="en">
7065: Familiarize yourself with the aureport(8) man page, then design a short series of audit reporting commands
7066: suitable for exploring the audit logs on a daily (or more frequent) basis. These commands can be added as a cron
7067: job by placing an appropriately named file in /etc/cron.daily. See the next section for information on how to
7068: ensure that the audit system collects all events needed.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7069: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7070: For example, to generate a daily report of every user who logged in to the machine, the following command could be
7071: run from cron:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7072: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7073: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># aureport -l -i -ts yesterday -te today<xhtml:br/></xhtml:code>
7074: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7075: To review all audited activity for unusual behavior, a good place to start is to see a summary of which audit
7076: rules have been triggering:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7077: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7078: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># aureport --key --summary<xhtml:br/></xhtml:code>
7079: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7080: If access violations stand out, review them with:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7081: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7082: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --raw | aureport --file --summary<xhtml:br/></xhtml:code>
7083: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7084: To review what executables are doing:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7085: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7086: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --raw | aureport -x --summary<xhtml:br/></xhtml:code>
7087: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7088: If access violations have been occurring on a particular file (such as /etc/shadow) and you want to determine
7089: which user is doing this:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7090: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7091: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --file /etc/shadow --raw | aureport --user --summary -i<xhtml:br/></xhtml:code>
7092: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7093: Check for anomalous activity (such as device changing to promiscuous mode, processes ending abnormally, login
7094: failure limits being reached) using:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7095: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7096: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># aureport --anomaly<xhtml:br/></xhtml:code>
7097: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7098: The foundation of audit analysis is using keys to classify events. Information about using ausearch to find
7099: an SELinux problem can be found in Section 2.4.6.
7100: </description>
7101: </Group>
7102: </Group>
7103: </Group>
7104: </Group>
7105: <Group id="group-3" hidden="false">
7106: <title xml:lang="en">Services</title>
7107: <Group id="group-3.1" hidden="false">
7108: <title xml:lang="en">Disable All Unneeded Services at Boot Time</title>
7109: <description xml:lang="en">
7110: The best protection against vulnerable software is running less
7111: software. This section describes how to review the software which Red Hat Enterprise Linux
7112: installs on a system and disable software which is not needed. It then enumerates the
7113: software packages installed on a default RHEL5 system and provides guidance about which ones
7114: can be safely disabled.</description>
7115: <Group id="group-3.1.1" hidden="false">
7116: <title xml:lang="en">Determine which Services are Enabled at Boot</title>
7117: <description xml:lang="en">
7118: Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7119: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7120: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig --list | grep :on <xhtml:br/></xhtml:code>
7121: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7122: The first column
7123: of this output is the name of a service which is currently enabled at boot. Review each
7124: listed service to determine whether it can be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7125: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7126: If it is appropriate to disable
7127: some service srvname, do so using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7128: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7129: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig srvname off <xhtml:br/></xhtml:code>
7130: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7131: Use the guidance below for information about unfamiliar services.</description>
7132: </Group>
7133: <Group id="group-3.1.2" hidden="false">
7134: <title xml:lang="en">Guidance on Default Services</title>
7135: <description xml:lang="en">
7136: The table in this section contains a list of all services which
7137: are enabled at boot by a default RHEL5 installation. For each service, one of the
7138: following recommendations is made: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7139: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
7140: <xhtml:li>Enable: The service provides a significant capability
7141: with limited risk exposure. Leave the service enabled. </xhtml:li>
7142: <xhtml:li>Configure: The service either is
7143: required for most systems to function properly or provides an important security function.
7144: It should be left enabled by most environments. However, it must be configured securely on
7145: all machines, and different options may be needed for workstations than for servers. See
7146: the referenced section for recommended configuration of this service.</xhtml:li>
7147: <xhtml:li>Disable if
7148: possible: The service opens the system to some risk, but may be required by some
7149: environments. See the appropriate section of the guide, and disable the service if at all
7150: possible.</xhtml:li>
7151: <xhtml:li>Servers only: The service provides some function to other machines over the
7152: network. If that function is needed in the target environment, the service should remain
7153: enabled only on a small number of dedicated servers, and should be disabled on all other
7154: machines on the network. </xhtml:li>
7155: </xhtml:ul>
7156: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7157: <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
7158: <xhtml:thead>
7159: <xhtml:tr>
7160: <xhtml:td>Service name</xhtml:td>
7161: <xhtml:td>Action</xhtml:td>
7162: <xhtml:td>Reference</xhtml:td>
7163: </xhtml:tr>
7164: </xhtml:thead>
7165: <xhtml:tbody>
7166: <xhtml:tr><xhtml:td>acpid</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.15.2</xhtml:td></xhtml:tr>
7167: <xhtml:tr><xhtml:td>anacron</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr>
7168: <xhtml:tr><xhtml:td>apmd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.15.1</xhtml:td></xhtml:tr>
7169: <xhtml:tr><xhtml:td>atd</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr>
7170: <xhtml:tr><xhtml:td>auditd</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.6.2</xhtml:td></xhtml:tr>
7171: <xhtml:tr><xhtml:td>autofs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.2.2.3</xhtml:td></xhtml:tr>
7172: <xhtml:tr><xhtml:td>avahi-daemon</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.7</xhtml:td></xhtml:tr>
7173: <xhtml:tr><xhtml:td>bluetooth</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.14</xhtml:td></xhtml:tr>
7174: <xhtml:tr><xhtml:td>cpuspeed</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.15.3 </xhtml:td></xhtml:tr>
7175: <xhtml:tr><xhtml:td>crond</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr>
7176: <xhtml:tr><xhtml:td>cups</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.8</xhtml:td></xhtml:tr>
7177: <xhtml:tr><xhtml:td>firstboot</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.1</xhtml:td></xhtml:tr>
7178: <xhtml:tr><xhtml:td>gpm</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.2</xhtml:td></xhtml:tr>
7179: <xhtml:tr><xhtml:td>haldaemon</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.13.2</xhtml:td></xhtml:tr>
7180: <xhtml:tr><xhtml:td>hidd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.14.2</xhtml:td></xhtml:tr>
7181: <xhtml:tr><xhtml:td>hplip</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.8.4.1</xhtml:td></xhtml:tr>
7182: <xhtml:tr><xhtml:td>ip6tables</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.5.5</xhtml:td></xhtml:tr>
7183: <xhtml:tr><xhtml:td>iptables</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.5.5</xhtml:td></xhtml:tr>
7184: <xhtml:tr><xhtml:td>irqbalance</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.3</xhtml:td></xhtml:tr>
7185: <xhtml:tr><xhtml:td>isdn</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.4</xhtml:td></xhtml:tr>
7186: <xhtml:tr><xhtml:td>kdump</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.5</xhtml:td></xhtml:tr>
7187: <xhtml:tr><xhtml:td>kudzu</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.6 </xhtml:td></xhtml:tr>
7188: <xhtml:tr><xhtml:td>mcstrans</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.4.3.2 (SELinux) </xhtml:td></xhtml:tr>
7189: <xhtml:tr><xhtml:td>mdmonitor</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.7 </xhtml:td></xhtml:tr>
7190: <xhtml:tr><xhtml:td>messagebus</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.13.1</xhtml:td></xhtml:tr>
7191: <xhtml:tr><xhtml:td>microcode</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.8</xhtml:td></xhtml:tr>
7192: <xhtml:tr><xhtml:td>netfs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS)</xhtml:td></xhtml:tr>
7193: <xhtml:tr><xhtml:td>network</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.9</xhtml:td></xhtml:tr>
7194: <xhtml:tr><xhtml:td>nfslock</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS)</xhtml:td></xhtml:tr>
7195: <xhtml:tr><xhtml:td>pcscd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.10</xhtml:td></xhtml:tr>
7196: <xhtml:tr><xhtml:td>portmap</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr>
7197: <xhtml:tr><xhtml:td>readahead_early</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.12</xhtml:td></xhtml:tr>
7198: <xhtml:tr><xhtml:td>readahead_later</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.12</xhtml:td></xhtml:tr>
7199: <xhtml:tr><xhtml:td>restorecond</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>2.4.3.3 (SELinux)</xhtml:td></xhtml:tr>
7200: <xhtml:tr><xhtml:td>rhnsd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.1.2.2 </xhtml:td></xhtml:tr>
7201: <xhtml:tr><xhtml:td>rpcgssd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr>
7202: <xhtml:tr><xhtml:td>rpcidmapd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr>
7203: <xhtml:tr><xhtml:td>sendmail</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.11</xhtml:td></xhtml:tr>
7204: <xhtml:tr><xhtml:td>setroubleshoot</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.4.3.1 (SELinux)</xhtml:td></xhtml:tr>
7205: <xhtml:tr><xhtml:td>smartd</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.11 </xhtml:td></xhtml:tr>
7206: <xhtml:tr><xhtml:td>sshd</xhtml:td><xhtml:td>Servers only</xhtml:td><xhtml:td>3.5</xhtml:td></xhtml:tr>
7207: <xhtml:tr><xhtml:td>syslog</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.6.1</xhtml:td></xhtml:tr>
7208: <xhtml:tr><xhtml:td>xfs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.6 (X11) </xhtml:td></xhtml:tr>
7209: <xhtml:tr><xhtml:td>yum-updatesd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.1.2.3.2</xhtml:td></xhtml:tr>
7210: </xhtml:tbody>
7211: </xhtml:table>
7212: </description>
7213: </Group>
7214: <Group id="group-3.1.3" hidden="false">
7215: <title xml:lang="en">Guidance for Unfamiliar Services</title>
7216: <description xml:lang="en">
7217: If the system is running any services which have not been
7218: covered, determine what these services do, and disable them if they are not needed or if
7219: they pose a high risk. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7220: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7221: If a service srvname is unknown, try running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7222: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7223: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -qf /etc/init.d/srvname <xhtml:br/></xhtml:code>
7224: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7225: to discover which RPM package installed the service. Then, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7226: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7227: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -qi rpmname <xhtml:br/></xhtml:code>
7228: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7229: for a brief description of what that RPM does.</description>
7230: </Group>
7231: </Group>
7232: <Group id="group-3.2" hidden="false">
7233: <title xml:lang="en">Obsolete Services</title>
7234: <description xml:lang="en">
7235: This section discusses a number of network-visible services which
7236: have historically caused problems for system security, and for which disabling or severely
7237: limiting the service has been the best available guidance for some time. As a result of this
7238: consensus, these services are not installed as part of RHEL5 by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7239: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7240: Organizations which
7241: are running these services should prioritize switching to more secure services which provide
7242: the needed functionality. If it is absolutely necessary to run one of these services for
7243: legacy reasons, care should be taken to restrict the service as much as possible, for
7244: instance by configuring host firewall software (see Section 2.5.5) to restrict access to the
7245: vulnerable service to only those remote hosts which have a known need to use it.</description>
7246: <Group id="group-3.2.1" hidden="false">
7247: <title xml:lang="en">Inetd and Xinetd</title>
7248: <description xml:lang="en">
7249: Is there an operational need to run the deprecated inetd or
7250: xinetd software packages? If not, ensure that they are removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7251: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7252: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase inetd xinetd <xhtml:br/></xhtml:code>
7253: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7254: Beginning with Red Hat Enterprise Linux 5, the xinetd service is no
7255: longer installed by default. This change represents increased awareness that the dedicated
7256: network listener model does not improve security or reliability of services, and that
7257: restriction of network listeners is better handled using a granular model such as SELinux
7258: than using xinetd's limited security options.</description>
7259: <Rule id="rule-3.2.1.a" selected="false" weight="10.000000" severity="medium">
7260: <title xml:lang="en">Disable Inetd</title>
7261: <description xml:lang="en">The inetd service should be disabled.</description>
7262: <ident system="http://cce.mitre.org">CCE-4234-1</ident>
7263: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7264: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7265: <check-content-ref name="oval:org.fedoraproject.f14:def:20170" href="scap-fedora14-oval.xml"/>
7266: </check>
7267: </Rule>
7268: <Rule id="rule-3.2.1.b" selected="false" weight="10.000000" severity="medium">
7269: <title xml:lang="en">Disable Xinetd</title>
7270: <description xml:lang="en">The xinetd service should be disabled.</description>
7271: <ident system="http://cce.mitre.org">CCE-4252-3</ident>
7272: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7273: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7274: <check-content-ref name="oval:org.fedoraproject.f14:def:20171" href="scap-fedora14-oval.xml"/>
7275: </check>
7276: </Rule>
7277: <Rule id="rule-3.2.1.c" selected="false" weight="10.000000">
7278: <title xml:lang="en">Uninstall Inetd</title>
7279: <description xml:lang="en">The inetd package should be uninstalled.</description>
7280: <ident system="http://cce.mitre.org">CCE-4023-8</ident>
7281: <fixtext xml:lang="en">(1) via yum</fixtext>
7282: <fix># yum erase inetd</fix>
7283: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7284: <check-content-ref name="oval:org.fedoraproject.f14:def:20172" href="scap-fedora14-oval.xml"/>
7285: </check>
7286: </Rule>
7287: <Rule id="rule-3.2.1.d" selected="false" weight="10.000000">
7288: <title xml:lang="en">Uninstall Xinetd</title>
7289: <description xml:lang="en">The xinetd package should be uninstalled.</description>
7290: <ident system="http://cce.mitre.org">CCE-4164-0</ident>
7291: <fixtext xml:lang="en">(1) via yum</fixtext>
7292: <fix># yum erase xinetd</fix>
7293: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7294: <check-content-ref name="oval:org.fedoraproject.f14:def:20173" href="scap-fedora14-oval.xml"/>
7295: </check>
7296: </Rule>
7297: </Group>
7298: <Group id="group-3.2.2" hidden="false">
7299: <title xml:lang="en">Telnet</title>
7300: <description xml:lang="en">
7301: Is there a mission-critical reason for users to access the system
7302: via the insecure telnet protocol, rather than the more secure SSH protocol? If not, ensure
7303: that the telnet server is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7304: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7305: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase telnet-server <xhtml:br/></xhtml:code>
7306: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7307: The telnet
7308: protocol uses unencrypted network communication, which means that data from the login
7309: session, including passwords and all other information transmitted during the session, can
7310: be stolen by eavesdroppers on the network, and also that outsiders can easily hijack the
7311: session to gain authenticated access to the telnet server. Organizations which use telnet
7312: should be actively working to migrate to a more secure protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7313: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7314: See Section 3.5 for information about the SSH service.</description>
7315: <Group id="group-3.2.2.1" hidden="false">
7316: <title xml:lang="en">Remove Telnet Clients</title>
7317: <description xml:lang="en">
7318: In order to prevent users from casually attempting to use a telnet server, and thus exposing their credentials
7319: over the network, remove the telnet package, which contains a telnet client program:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7320: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7321: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase telnet<xhtml:br/></xhtml:code>
7322: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7323: If Kerberos is not used, remove the krb5-workstation package, which also includes a telnet client:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7324: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7325: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase krb5-workstation<xhtml:br/></xhtml:code>
7326: </description>
7327: <Rule id="rule-3.2.2.1.a" selected="false" weight="10.000000" severity="high">
7328: <title xml:lang="en">Remove the telnet client command from the System</title>
7329: <description xml:lang="en">The telnet package should be uninstalled.</description>
7330: <fixtext xml:lang="en">(1) via yum</fixtext>
7331: <fix># yum erase telnet</fix>
7332: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7333: <check-content-ref name="oval:org.fedoraproject.f14:def:20175" href="scap-fedora14-oval.xml"/>
7334: </check>
7335: </Rule>
7336: <Rule id="rule-3.2.2.1.b" selected="false" weight="10.000000">
7337: <title xml:lang="en">Remove the kerberos telnet client from the System</title>
7338: <description xml:lang="en">The krb5-workstation package should be uninstalled.</description>
7339: <fixtext xml:lang="en">(1) via yum</fixtext>
7340: <fix># yum erase krb5-workstation</fix>
7341: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7342: <check-content-ref name="oval:org.fedoraproject.f14:def:20176" href="scap-fedora14-oval.xml"/>
7343: </check>
7344: </Rule>
7345: </Group>
7346: <Rule id="rule-3.2.2.a" selected="false" weight="10.000000" severity="high">
7347: <title xml:lang="en">Uninstall Telnet server</title>
7348: <description xml:lang="en">The telnet-server package should be uninstalled.</description>
7349: <ident system="http://cce.mitre.org">CCE-4330-7</ident>
7350: <fixtext xml:lang="en">(1) via yum</fixtext>
7351: <fix># yum erase telnet-server</fix>
7352: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7353: <check-content-ref name="oval:org.fedoraproject.f14:def:20174" href="scap-fedora14-oval.xml"/>
7354: </check>
7355: </Rule>
7356: <Rule id="rule-3.2.2.b" selected="false" weight="10.000000" severity="high">
7357: <title xml:lang="en">Disable telnet service</title>
7358: <description xml:lang="en">The telnet service should be disabled.</description>
7359: <ident system="http://cce.mitre.org">CCE-3390-2</ident>
7360: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7361: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7362: <check-content-ref name="oval:org.fedoraproject.f14:def:201745" href="scap-fedora14-oval.xml"/>
7363: </check>
7364: </Rule>
7365: </Group>
7366: <Group id="group-3.2.3" hidden="false">
7367: <title xml:lang="en">Rlogin, Rsh, and Rcp</title>
7368: <description xml:lang="en">The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.</description>
7369: <Group id="group-3.2.3.1" hidden="false">
7370: <title xml:lang="en">Remove the Rsh Server Commands from the System</title>
7371: <description xml:lang="en">
7372: Is there a mission-critical reason for users to access the
7373: system via the insecure rlogin, rsh, or rcp commands rather than the more secure ssh and
7374: scp? If not, ensure that the rsh server is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7375: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7376: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase rsh-server <xhtml:br/></xhtml:code>
7377: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7378: SSH was designed to be a drop-in replacement for the r-commands, which suffer
7379: from the same hijacking and eavesdropping problems as telnet. There is unlikely to be a
7380: case in which these commands cannot be replaced with SSH.</description>
7381: <Rule id="rule-3.2.3.1.a" selected="false" weight="10.000000" severity="high">
7382: <title xml:lang="en">Remove the Rsh Server Commands from the System</title>
7383: <description xml:lang="en">The rsh-server package should be uninstalled.</description>
7384: <ident system="http://cce.mitre.org">CCE-4308-3</ident>
7385: <fixtext xml:lang="en">(1) via yum</fixtext>
7386: <fix># yum erase rsh-server</fix>
7387: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7388: <check-content-ref name="oval:org.fedoraproject.f14:def:20177" href="scap-fedora14-oval.xml"/>
7389: </check>
7390: </Rule>
7391: <Rule id="rule-3.2.3.1.b" selected="false" weight="10.000000" severity="high">
7392: <title xml:lang="en">Disable rcp</title>
7393: <description xml:lang="en">The rcp service should be disabled.</description>
7394: <ident system="http://cce.mitre.org">CCE-3974-3</ident>
7395: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7396: <fix># chkconfig rcp off</fix>
7397: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7398: <check-content-ref name="oval:org.fedoraproject.f14:def:201774" href="scap-fedora14-oval.xml"/>
7399: </check>
7400: </Rule>
7401: <Rule id="rule-3.2.3.1.c" selected="false" weight="10.000000" severity="high">
7402: <title xml:lang="en">Disable rsh</title>
7403: <description xml:lang="en">The rsh service should be disabled.</description>
7404: <ident system="http://cce.mitre.org">CCE-4141-8</ident>
7405: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7406: <fix># chkconfig rsh off</fix>
7407: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7408: <check-content-ref name="oval:org.fedoraproject.f14:def:201775" href="scap-fedora14-oval.xml"/>
7409: </check>
7410: </Rule>
7411: <Rule id="rule-3.2.3.1.d" selected="false" weight="10.000000" severity="high">
7412: <title xml:lang="en">Disable rlogin</title>
7413: <description xml:lang="en">The rlogin service should be disabled.</description>
7414: <ident system="http://cce.mitre.org">CCE-3537-8</ident>
7415: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7416: <fix># chkconfig rlogin off</fix>
7417: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7418: <check-content-ref name="oval:org.fedoraproject.f14:def:201776" href="scap-fedora14-oval.xml"/>
7419: </check>
7420: </Rule>
7421: </Group>
7422: <Group id="group-3.2.3.2" hidden="false">
7423: <title xml:lang="en">Remove .rhosts Support from PAM Configuration Files</title>
7424: <description xml:lang="en">
7425: Check that pam_rhosts authentication is not used by any PAM
7426: services. Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7427: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7428: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># grep -l pam_rhosts /etc/pam.d/* <xhtml:br/></xhtml:code>
7429: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7430: This command should return no output. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7431: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7432: The RHEL5 default is not to rely on .rhosts or /etc/hosts.equiv for any
7433: PAM-based services, so, on an uncustomized system, this command should return no output.
7434: If any files do use pam_rhosts, modify them to make use of a more secure authentication
7435: method instead. For more information about PAM, see Section 2.3.3.</description>
7436: <Rule id="rule-3.2.3.2.a" selected="false" weight="10.000000" severity="medium">
7437: <title xml:lang="en">Remove .rhosts Support from PAM Configuration Files</title>
7438: <description xml:lang="en">Check that pam_rhosts authentication is not used by any PAM services.</description>
7439: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7440: <check-content-ref name="oval:org.fedoraproject.f14:def:20178" href="scap-fedora14-oval.xml"/>
7441: </check>
7442: </Rule>
7443: </Group>
7444: <Group id="group-3.2.3.3" hidden="false">
7445: <title xml:lang="en">Remove the Rsh Client Commands from the System</title>
7446: <description xml:lang="en">
7447: In order to prevent users from casually attempting to make use of an rsh server and thus exposing their
7448: credentials over the network, remove the rsh package, which contains client programs for many of the r-commands
7449: described above:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7450: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7451: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase rsh<xhtml:br/></xhtml:code>
7452: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7453: Users should be trained to use the SSH client, and never attempt to connect to an rsh or telnet server. The
7454: krb5-workstation package also contains r-command client programs and should be removed as described in
7455: Section 3.2.2.1, if Kerberos is not in use.
7456: </description>
7457: <Rule id="rule-3.2.3.3.a" selected="false" weight="10.000000" severity="high">
7458: <title xml:lang="en">Remove the Rsh Client Commands from the System</title>
7459: <description xml:lang="en">The rsh package, which contains client programs for many of the r-commands, should be uninstalled.</description>
7460: <fixtext xml:lang="en">(1) via yum</fixtext>
7461: <fix># yum erase rsh</fix>
7462: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7463: <check-content-ref name="oval:org.fedoraproject.f14:def:20179" href="scap-fedora14-oval.xml"/>
7464: </check>
7465: </Rule>
7466: </Group>
7467: </Group>
7468: <Group id="group-3.2.4" hidden="false">
7469: <title xml:lang="en">NIS</title>
7470: <description xml:lang="en">
7471: The NIS client service ypbind is not activated by default. In the
7472: event that it was activated at some point, disable it by executing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7473: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7474: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig ypbind off <xhtml:br/></xhtml:code>
7475: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7476: The NIS server package is not installed by default. In the event that
7477: it was installed at some point, remove it from the system by executing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7478: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7479: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase ypserv <xhtml:br/></xhtml:code>
7480: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7481: The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and
7482: its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized
7483: authentication services. NIS should not be used because it suffers from security problems
7484: inherent in its design, such as inadequate protection of important authentication
7485: information.</description>
7486: <Rule id="rule-3.2.4.a" selected="false" weight="10.000000" severity="medium">
7487: <title xml:lang="en">Uninstall NIS</title>
7488: <description xml:lang="en">The ypserv package should be uninstalled.</description>
7489: <ident system="http://cce.mitre.org">CCE-4348-9</ident>
7490: <fixtext xml:lang="en">(1) via yum</fixtext>
7491: <fix># yum erase ypserv</fix>
7492: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7493: <check-content-ref name="oval:org.fedoraproject.f14:def:20180" href="scap-fedora14-oval.xml"/>
7494: </check>
7495: </Rule>
7496: <Rule id="rule-3.2.4.b" selected="false" weight="10.000000" severity="medium">
7497: <title xml:lang="en">Disable NIS</title>
7498: <description xml:lang="en">The ypbind service should be disabled.</description>
7499: <ident system="http://cce.mitre.org">CCE-3705-1</ident>
7500: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7501: <fix># chkconfig ypbind off</fix>
7502: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7503: <check-content-ref name="oval:org.fedoraproject.f14:def:20181" href="scap-fedora14-oval.xml"/>
7504: </check>
7505: </Rule>
7506: </Group>
7507: <Group id="group-3.2.5" hidden="false">
7508: <title xml:lang="en">TFTP Server</title>
7509: <description xml:lang="en">
7510: Is there an operational need to run the deprecated TFTP server
7511: software? If not, ensure that it is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7512: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7513: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase tftp-server <xhtml:br/></xhtml:code>
7514: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7515: TFTP is a lightweight version of the FTP protocol which has traditionally been used to
7516: configure networking equipment. However, TFTP provides little security, and modern
7517: versions of networking operating systems frequently support configuration via SSH or
7518: other more secure protocols. A TFTP server should be run only if no more secure method of
7519: supporting existing equipment can be found.</description>
7520: <Rule id="rule-3.2.5.a" selected="false" weight="10.000000">
7521: <title xml:lang="en">Uninstall TFTP Server</title>
7522: <description xml:lang="en">The tftp-server package should be uninstalled.</description>
7523: <ident system="http://cce.mitre.org">CCE-3916-4</ident>
7524: <fixtext xml:lang="en">(1) via yum</fixtext>
7525: <fix># yum erase tftp-server</fix>
7526: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7527: <check-content-ref name="oval:org.fedoraproject.f14:def:20182" href="scap-fedora14-oval.xml"/>
7528: </check>
7529: </Rule>
7530: <Rule id="rule-3.2.5.b" selected="false" weight="10.000000" severity="low">
7531: <title xml:lang="en">Disable TFTP Server</title>
7532: <description xml:lang="en">The tftp service should be disabled.</description>
7533: <ident system="http://cce.mitre.org">CCE-4273-9</ident>
7534: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7535: <fix># chkconfig tftp off</fix>
7536: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7537: <check-content-ref name="oval:org.fedoraproject.f14:def:201825" href="scap-fedora14-oval.xml"/>
7538: </check>
7539: </Rule>
7540: </Group>
7541: </Group>
7542: <Group id="group-3.3" hidden="false">
7543: <title xml:lang="en">BaseServices</title>
7544: <description xml:lang="en">
7545: This section addresses the base services that are configured to
7546: start up on boot in a RHEL5 default installation. Some of these services listen on the
7547: network and should be treated with particular discretion. The other services are local
7548: system utilities that may or may not be extraneous. Each of these services should be
7549: disabled if not required.</description>
7550: <Group id="group-3.3.1" hidden="false">
7551: <title xml:lang="en">Installation Helper Service (firstboot)</title>
7552: <description xml:lang="en">
7553: Firstboot is a daemon specific to the Red Hat installation
7554: process. It handles 'one-time' configuration following successful installation of the
7555: operating system. As such, there is no reason for this service to remain enabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7556: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7557: Disable firstboot by issuing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7558: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7559: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig firstboot off</xhtml:code></description>
7560: <Rule id="rule-3.3.1.a" selected="false" weight="10.000000" severity="low">
7561: <title xml:lang="en">Installation Helper Service (firstboot)</title>
7562: <description xml:lang="en">The firstboot service should be disabled.</description>
7563: <ident system="http://cce.mitre.org">CCE-3412-4</ident>
7564: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7565: <fix># chkconfig firstboot off</fix>
7566: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7567: <check-content-ref name="oval:org.fedoraproject.f14:def:20183" href="scap-fedora14-oval.xml"/>
7568: </check>
7569: </Rule>
7570: </Group>
7571: <Group id="group-3.3.2" hidden="false">
7572: <title xml:lang="en">Console Mouse Service (gpm)</title>
7573: <description xml:lang="en">
7574: GPM is the service that controls the text console mouse pointer.
7575: (The X Windows mouse pointer is unaffected by this service.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7576: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7577: If mouse functionality in the console is not required, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7578: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7579: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig gpm off <xhtml:br/></xhtml:code>
7580: Although it is
7581: preferable to run as few services as possible, the console mouse pointer can be useful for
7582: preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.</description>
7583: <Rule id="rule-3.3.2.a" selected="false" weight="10.000000" severity="low">
7584: <title xml:lang="en">Console Mouse Service (gpm)</title>
7585: <description xml:lang="en">The gpm service should be disabled.</description>
7586: <ident system="http://cce.mitre.org">CCE-4229-1</ident>
7587: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7588: <fix># chkconfig gpm off</fix>
7589: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7590: <check-content-ref name="oval:org.fedoraproject.f14:def:20184" href="scap-fedora14-oval.xml"/>
7591: </check>
7592: </Rule>
7593: </Group>
7594: <Group id="group-3.3.3" hidden="false">
7595: <title xml:lang="en">Interrupt Distribution on Multiprocessor Systems (irqbalance)</title>
7596: <description xml:lang="en">
7597: The goal of the irqbalance service is to optimize the balance
7598: between power savings and performance through distribution of hardware interrupts across
7599: multiple processors. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7600: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7601: In a server environment with multiple processors, this provides a
7602: useful service and should be left enabled. If a machine has only one processor, the
7603: service may be disabled: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7604: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7605: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig irqbalance off</xhtml:code></description>
7606: <Rule id="rule-3.3.3.a" selected="false" weight="10.000000" severity="low">
7607: <title xml:lang="en">Interrupt Distribution on Multiprocessor Systems (irqbalance)</title>
7608: <description xml:lang="en">The irqbalance service should be disabled.</description>
7609: <ident system="http://cce.mitre.org">CCE-4123-6</ident>
7610: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7611: <fix># chkconfig irqbalance off</fix>
7612: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7613: <check-content-ref name="oval:org.fedoraproject.f14:def:20185" href="scap-fedora14-oval.xml"/>
7614: </check>
7615: </Rule>
7616: </Group>
7617: <Group id="group-3.3.4" hidden="false">
7618: <title xml:lang="en">ISDN Support (isdn)</title>
7619: <description xml:lang="en">
7620: The ISDN service facilitates Internet connectivity in the
7621: presence of an ISDN modem. If an ISDN modem is not being used, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7622: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7623: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig isdn off</xhtml:code></description>
7624: <Rule id="rule-3.3.4.a" selected="false" weight="10.000000" severity="low">
7625: <title xml:lang="en">ISDN Support (isdn)</title>
7626: <description xml:lang="en">The isdn service should be disabled.</description>
7627: <ident system="http://cce.mitre.org">CCE-4286-1</ident>
7628: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7629: <fix># chkconfig isdn off</fix>
7630: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7631: <check-content-ref name="oval:org.fedoraproject.f14:def:20186" href="scap-fedora14-oval.xml"/>
7632: </check>
7633: </Rule>
7634: </Group>
7635: <Group id="group-3.3.5" hidden="false">
7636: <title xml:lang="en">Kdump Kernel Crash Analyzer (kdump)</title>
7637: <description xml:lang="en">
7638: Kdump is a new kernel crash dump analyzer. It uses kexec to boot
7639: a secondary kernel ('capture' kernel) following a system crash. The kernel dump from the
7640: system crash is loaded into the capture kernel for analysis. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7641: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7642: Unless the system is used for kernel development or testing, disable the service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7643: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7644: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig kdump off</xhtml:code></description>
7645: <Rule id="rule-3.3.5.a" selected="false" weight="10.000000" severity="low">
7646: <title xml:lang="en">Kdump Kernel Crash Analyzer (kdump)</title>
7647: <description xml:lang="en">The kdump service should be disabled.</description>
7648: <ident system="http://cce.mitre.org">CCE-3425-6</ident>
7649: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7650: <fix># chkconfig kdump off</fix>
7651: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7652: <check-content-ref name="oval:org.fedoraproject.f14:def:20187" href="scap-fedora14-oval.xml"/>
7653: </check>
7654: </Rule>
7655: </Group>
7656: <Group id="group-3.3.6" hidden="false">
7657: <title xml:lang="en">Kudzu Hardware Probing Utility (kudzu)</title>
7658: <description xml:lang="en">
7659: Is there a mission-critical reason for console users to add new
7660: hardware to the system? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7661: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7662: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig kudzu off <xhtml:br/></xhtml:code>
7663: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7664: Kudzu, Red Hat's hardware detection
7665: program, represents an unnecessary security risk as it allows unprivileged users to
7666: perform hardware configuration without authorization. Unless this specific functionality
7667: is required, Kudzu should be disabled.</description>
7668: <Rule id="rule-3.3.6.a" selected="false" weight="10.000000" severity="low">
7669: <title xml:lang="en">Kudzu Hardware Probing Utility (kudzu)</title>
7670: <description xml:lang="en">The kudzu service should be disabled.</description>
7671: <ident system="http://cce.mitre.org">CCE-4211-9</ident>
7672: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7673: <fix># chkconfig kudzu off</fix>
7674: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7675: <check-content-ref name="oval:org.fedoraproject.f14:def:20188" href="scap-fedora14-oval.xml"/>
7676: </check>
7677: </Rule>
7678: </Group>
7679: <Group id="group-3.3.7" hidden="false">
7680: <title xml:lang="en">Software RAID Monitor (mdmonitor)</title>
7681: <description xml:lang="en">
7682: The mdmonitor service is used for monitoring a software RAID
7683: (hardware RAID setups do not use this service). This service is extraneous unless software
7684: RAID is in use (which is not common). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7685: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7686: If software RAID monitoring is not required, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7687: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7688: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mdmonitor off</xhtml:code></description>
7689: <Rule id="rule-3.3.7.a" selected="false" weight="10.000000" severity="low">
7690: <title xml:lang="en">Software RAID Monitor (mdmonitor)</title>
7691: <description xml:lang="en">The mdmonitor service should be disabled.</description>
7692: <ident system="http://cce.mitre.org">CCE-3854-7</ident>
7693: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7694: <fix># chkconfig mdmonitor off</fix>
7695: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7696: <check-content-ref name="oval:org.fedoraproject.f14:def:20189" href="scap-fedora14-oval.xml"/>
7697: </check>
7698: </Rule>
7699: </Group>
7700: <Group id="group-3.3.8" hidden="false">
7701: <title xml:lang="en">IA32 Microcode Utility (microcode_ctl)</title>
7702: <description xml:lang="en">
7703: microcode_ctl is a microcode utility for use with Intel IA32
7704: processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7705: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7706: If the system is not running an Intel IA32 processor, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7707: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7708: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig microcode_ctl off</xhtml:code></description>
7709: <Rule id="rule-3.3.8.a" selected="false" weight="10.000000" severity="low">
7710: <title xml:lang="en">IA32 Microcode Utility (microcode_ctl)</title>
7711: <description xml:lang="en">The microcode_ctl service should be disabled.</description>
7712: <ident system="http://cce.mitre.org">CCE-4356-2</ident>
7713: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7714: <fix># chkconfig microcode_ctl off</fix>
7715: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7716: <check-content-ref name="oval:org.fedoraproject.f14:def:20190" href="scap-fedora14-oval.xml"/>
7717: </check>
7718: </Rule>
7719: </Group>
7720: <Group id="group-3.3.9" hidden="false">
7721: <title xml:lang="en">Network Service (network)</title>
7722: <description xml:lang="en">
7723: The network service allows associated network interfaces to
7724: access the network. This section contains general guidance for controlling the operation
7725: of the service. For kernel parameters which affect networking, see the section on network-related kernel parameters.</description>
7726: <Group id="group-3.3.9.1" hidden="false">
7727: <title xml:lang="en">Disable All Networking if Not Needed</title>
7728: <description xml:lang="en">
7729: If the system is a standalone machine with no need for network
7730: access or even communication over the loopback device, then disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7731: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7732: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig network off</xhtml:code></description>
7733: <Rule id="rule-3.3.9.1.a" selected="false" weight="10.000000" severity="low">
7734: <title xml:lang="en">Disable All Networking if Not Needed</title>
7735: <description xml:lang="en">The network service should be disabled.</description>
7736: <ident system="http://cce.mitre.org">CCE-4369-5</ident>
7737: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7738: <fix># chkconfig network off</fix>
7739: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7740: <check-content-ref name="oval:org.fedoraproject.f14:def:20191" href="scap-fedora14-oval.xml"/>
7741: </check>
7742: </Rule>
7743: </Group>
7744: <Group id="group-3.3.9.2" hidden="false">
7745: <title xml:lang="en">Disable All External Network Interfaces if Not Needed</title>
7746: <description xml:lang="en">
7747: If the system does not require network communications but still
7748: needs to use the loopback interface, remove all files of the form ifcfg-interface except
7749: for ifcfg-lo from /etc/sysconfig/network-scripts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7750: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7751: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-interface</xhtml:code></description>
7752: <Rule id="rule-3.3.9.2.a" selected="false" weight="10.000000" severity="medium">
7753: <title xml:lang="en">Disable All External Network Interfaces if Not Needed</title>
7754: <description xml:lang="en">All files of the form ifcfg-interface except for ifcfg-lo in /etc/sysconfig/network-scripts should be removed.</description>
7755: <fixtext xml:lang="en">via /etc/sysconfig/network-scripts</fixtext>
7756: <fix># rm /etc/sysconfig/network-scripts/ifcfg-interface</fix>
7757: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7758: <check-content-ref name="oval:org.fedoraproject.f14:def:20192" href="scap-fedora14-oval.xml"/>
7759: </check>
7760: </Rule>
7761: </Group>
7762: <Group id="group-3.3.9.3" hidden="false">
7763: <title xml:lang="en">Disable Zeroconf Networking</title>
7764: <description xml:lang="en">
7765: Zeroconf networking allows the system to assign itself an IP
7766: address and engage in IP communication without a statically-assigned address or even a
7767: DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7768: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7769: To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct
7770: the following line in /etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7771: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7772: NOZEROCONF=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7773: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7774: Zeroconf addresses are in
7775: the network 169.254.0.0. The networking scripts add entries to the system's routing
7776: table for these addresses. Zeroconf address assignment commonly occurs when the system
7777: is configured to use DHCP but fails to receive an address assignment from the DHCP
7778: server.</description>
7779: <Rule id="rule-3.3.9.3.a" selected="false" weight="10.000000" severity="medium">
7780: <title xml:lang="en">Disable Zeroconf Networking</title>
7781: <description xml:lang="en">Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.</description>
7782: <ident system="http://cce.mitre.org">CCE-4369-5</ident>
7783: <fixtext xml:lang="en">(1) via /etc/sysconfig/network</fixtext>
7784: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7785: <check-content-ref name="oval:org.fedoraproject.f14:def:20193" href="scap-fedora14-oval.xml"/>
7786: </check>
7787: </Rule>
7788: </Group>
7789: </Group>
7790: <Group id="group-3.3.10" hidden="false">
7791: <title xml:lang="en">Smart Card Support (pcscd)</title>
7792: <description xml:lang="en">
7793: The pcscd service provides support for Smart Cards and Smart Card
7794: Readers. If Smart Cards are not in use on the system, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7795: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7796: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig pcscd off</xhtml:code></description>
7797: <Rule id="rule-3.3.10.a" selected="false" weight="10.000000" severity="low">
7798: <title xml:lang="en">Smart Card Support (pcscd)</title>
7799: <description xml:lang="en">The pcscd service should be disabled.</description>
7800: <ident system="http://cce.mitre.org">CCE-4100-4</ident>
7801: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7802: <fix># chkconfig pcscd off</fix>
7803: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7804: <check-content-ref name="oval:org.fedoraproject.f14:def:20194" href="scap-fedora14-oval.xml"/>
7805: </check>
7806: </Rule>
7807: </Group>
7808: <Group id="group-3.3.11" hidden="false">
7809: <title xml:lang="en">SMART Disk Monitoring Support (smartd)</title>
7810: <description xml:lang="en">
7811: SMART (Self-Monitoring, Analysis, and Reporting Technology) is a
7812: feature of hard drives that allows them to detect symptoms of disk failure and relay an
7813: appropriate warning. This technology is considered to bring relatively low security risk,
7814: and can be useful. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7815: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7816: Leave this service running if the system's hard drives are
7817: SMART-capable. Otherwise, disable it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7818: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7819: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig smartd off</xhtml:code></description>
7820: <Rule id="rule-3.3.11.a" selected="false" weight="10.000000" severity="low">
7821: <title xml:lang="en">SMART Disk Monitoring Support (smartd)</title>
7822: <description xml:lang="en">The smartd service should be disabled.</description>
7823: <ident system="http://cce.mitre.org">CCE-3455-3</ident>
7824: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7825: <fix># chkconfig smartd off</fix>
7826: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7827: <check-content-ref name="oval:org.fedoraproject.f14:def:20195" href="scap-fedora14-oval.xml"/>
7828: </check>
7829: </Rule>
7830: </Group>
7831: <Group id="group-3.3.12" hidden="false">
7832: <title xml:lang="en">Boot Caching (readahead_early/readahead_later)</title>
7833: <description xml:lang="en">
7834: The following services provide one-time caching of files
7835: belonging to some boot services, with the goal of allowing the system to boot faster. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7836: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7837: It is recommended that this service be disabled on most machines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7838: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7839: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig readahead_early off <xhtml:br/>
7840: # chkconfig readahead_later off <xhtml:br/></xhtml:code>
7841: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7842: The readahead services do not substantially increase a
7843: system's risk exposure, but they also do not provide great benefit. Unless the system is
7844: running a specialized application for which the file caching substantially improves system
7845: boot time, this guide recommends disabling the services.</description>
7846: <Rule id="rule-3.3.12.a" selected="false" weight="10.000000" severity="low">
7847: <title xml:lang="en">Boot Caching (readahead_early/readahead_later)</title>
7848: <description xml:lang="en">The readahead_early service should be disabled.</description>
7849: <ident system="http://cce.mitre.org">CCE-4421-4</ident>
7850: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7851: <fix># chkconfig readahead_early off</fix>
7852: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7853: <check-content-ref name="oval:org.fedoraproject.f14:def:20196" href="scap-fedora14-oval.xml"/>
7854: </check>
7855: </Rule>
7856: <Rule id="rule-3.3.12.b" selected="false" weight="10.000000" severity="low">
7857: <title xml:lang="en">Boot Caching (readahead_early/readahead_later)</title>
7858: <description xml:lang="en">The readahead_later service should be disabled.</description>
7859: <ident system="http://cce.mitre.org">CCE-4302-6</ident>
7860: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7861: <fix># chkconfig readahead_later off</fix>
7862: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7863: <check-content-ref name="oval:org.fedoraproject.f14:def:20197" href="scap-fedora14-oval.xml"/>
7864: </check>
7865: </Rule>
7866: </Group>
7867: <Group id="group-3.3.13" hidden="false">
7868: <title xml:lang="en">Application Support Services</title>
7869: <description xml:lang="en">
7870: The following services are software projects of freedesktop.org
7871: that are meant to provide system integration through a series of common APIs for
7872: applications. They are heavily integrated into the X Windows environment. If the system is
7873: not using X Windows, these services can typically be disabled.</description>
7874: <Group id="group-3.3.13.1" hidden="false">
7875: <title xml:lang="en">D-Bus IPC Service (messagebus)</title>
7876: <description xml:lang="en">
7877: D-Bus is an IPC mechanism that provides a common channel for
7878: inter-process communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7879: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7880: If no services which require D-Bus are in use, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7881: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7882: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig messagebus off <xhtml:br/></xhtml:code>
7883: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7884: A number of default services make use of D-Bus,
7885: including X Windows (Section 3.6), Bluetooth (Section 3.3.14) and Avahi (Section 3.7).
7886: This guide recommends that D-Bus and all its dependencies be disabled unless there is a
7887: mission-critical need for them. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7888: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7889: Stricter configuration of D-Bus is possible and
7890: documented in the man page dbus-daemon(1). D-Bus maintains two separate configuration
7891: files, located in /etc/dbus-1/, one for system-specific configuration and the other for
7892: session-specific configuration.</description>
7893: <Rule id="rule-3.3.13.1.a" selected="false" weight="10.000000" severity="low">
7894: <title xml:lang="en">D-Bus IPC Service (messagebus)</title>
7895: <description xml:lang="en">The messagebus service should be disabled.</description>
7896: <ident system="http://cce.mitre.org">CCE-3822-4</ident>
7897: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7898: <fix># chkconfig messagebus off</fix>
7899: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7900: <check-content-ref name="oval:org.fedoraproject.f14:def:20198" href="scap-fedora14-oval.xml"/>
7901: </check>
7902: </Rule>
7903: </Group>
7904: <Group id="group-3.3.13.2" hidden="false">
7905: <title xml:lang="en">HAL Daemon (haldaemon)</title>
7906: <description xml:lang="en">
7907: The haldaemon service provides a dynamic way of managing device
7908: interfaces. It automates device configuration and provides an API for making devices
7909: accessible to applications through the D-Bus interface.</description>
7910: <Rule id="rule-3.3.13.2.a" selected="false" weight="10.000000" severity="low">
7911: <title xml:lang="en">HAL Daemon (haldaemon)</title>
7912: <description xml:lang="en">The haldaemon service should be disabled.</description>
7913: <ident system="http://cce.mitre.org">CCE-4364-6</ident>
7914: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7915: <fix># chkconfig haldaemon off</fix>
7916: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
7917: <check-content-ref name="oval:org.fedoraproject.f14:def:20199" href="scap-fedora14-oval.xml"/>
7918: </check>
7919: </Rule>
7920: <Group id="group-3.3.13.2.1" hidden="false">
7921: <title xml:lang="en">Disable HAL Daemon if Possible</title>
7922: <description xml:lang="en">
7923: HAL acts as an intermediary to privileged operations and therefore exposes a
7924: significant attack surface; it should be disabled unless necessary: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7925: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7926: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig haldaemon off</xhtml:code></description>
7927: </Group>
7928: <Group id="group-3.3.13.2.2" hidden="false">
7929: <title xml:lang="en">Configure HAL Daemon if Necessary</title>
7930: <description xml:lang="en">
7931: HAL provides a limited user the ability to mount system
7932: devices. This is primarily used by X utilities such as gnome-volume-manager to perform
7933: automounting of removable media.
7934: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7935: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7936: HAL configuration is currently
7937: only possible through a series of fdi files located in
7938: /usr/share/hal/fdi/
7939: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7940: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7941: Note: The HAL future road map includes a
7942: mandatory framework for managing administrative privileges called
7943: PolicyKit.
7944: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7945: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7946: To prevent users from accessing devices through HAL,
7947: create the
7948: file
7949: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7950: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7951: /etc/hal/fdi/policy/99-policy-all-drives.fdi
7952: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7953: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7954: with the contents: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7955: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7956: &lt;?xml version="1.0"
7957: encoding="UTF-8"?&gt;&lt;deviceinfo
7958: version="0.2"&gt;&lt;device&gt;&lt;match key="info.capabilities"
7959: contains="volume"&gt;&lt;merge key="volume.ignore"
7960: type="bool"&gt;true&lt;/merge&gt;&lt;/match&gt;&lt;/device&gt;&lt;/deviceinfo&gt;
7961: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7962: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7963: The
7964: above code matches any device labeled with the volume capability (any device capable
7965: of being mounted will be labeled this way) and sets the corresponding volume.ignore
7966: key to true, indicating that the volume should be ignored. This both makes the volume
7967: invisible to the UI, and denies mount attempts by unprivileged users.
7968: </description>
7969: </Group>
7970: </Group>
7971: </Group>
7972: <Group id="group-3.3.14" hidden="false">
7973: <title xml:lang="en">Bluetooth Support</title>
7974: <description xml:lang="en">
7975: Bluetooth provides a way to transfer information between devices
7976: such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles
7977: over a short-range wireless link. Any wireless communication presents a serious security
7978: risk to sensitive or classified systems. Section 2.5.2 contains information on the related
7979: topic of wireless networking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7980: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7981: Removal of hardware is the only way to ensure that the
7982: Bluetooth wireless capability remains disabled. If it is completely impractical to remove
7983: the Bluetooth hardware module, and site policy still allows the device to enter sensitive
7984: spaces, every effort to disable the capability via software should be made. In general,
7985: acquisition policy should include provisions to prevent the purchase of equipment that
7986: will be used in sensitive spaces and includes Bluetooth capabilities.</description>
7987: <Group id="group-3.3.14.1" hidden="false">
7988: <title xml:lang="en">Bluetooth Host Controller Interface Daemon (bluetooth)</title>
7989: <description xml:lang="en">
7990: The bluetooth service enables the system to use Bluetooth
7991: devices. If the system requires no Bluetooth devices, disable this service:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
7992: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig bluetooth off</xhtml:code></description>
7993: <Rule id="rule-3.3.14.1.a" selected="false" weight="10.000000" severity="medium">
7994: <title xml:lang="en">Bluetooth Host Controller Interface Daemon (bluetooth)</title>
7995: <description xml:lang="en">The bluetooth service should be disabled.</description>
7996: <ident system="http://cce.mitre.org">CCE-4355-4</ident>
7997: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
7998: <fix># chkconfig bluetooth off</fix>
7999: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8000: <check-content-ref name="oval:org.fedoraproject.f14:def:20200" href="scap-fedora14-oval.xml"/>
8001: </check>
8002: </Rule>
8003: </Group>
8004: <Group id="group-3.3.14.2" hidden="false">
8005: <title xml:lang="en">Bluetooth Input Devices (hidd)</title>
8006: <description xml:lang="en">
8007: The hidd service provides support for Bluetooth input devices.
8008: If the system has no Bluetooth input devices (e.g. keyboard or mouse), disable this
8009: service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8010: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8011: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig hidd off</xhtml:code></description>
8012: <Rule id="rule-3.3.14.2.a" selected="false" weight="10.000000" severity="low">
8013: <title xml:lang="en">Bluetooth Input Devices (hidd)</title>
8014: <description xml:lang="en">The hidd service should be disabled.</description>
8015: <ident system="http://cce.mitre.org">CCE-4377-8</ident>
8016: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8017: <fix># chkconfig hidd off</fix>
8018: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8019: <check-content-ref name="oval:org.fedoraproject.f14:def:20201" href="scap-fedora14-oval.xml"/>
8020: </check>
8021: </Rule>
8022: </Group>
8023: <Group id="group-3.3.14.3" hidden="false">
8024: <title xml:lang="en">Disable Bluetooth Kernel Modules</title>
8025: <description xml:lang="en">
8026: The kernel's module loading system can be configured to prevent
8027: loading of the Bluetooth module. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8028: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8029: Add the following to /etc/modprobe.conf to prevent the
8030: loading of the Bluetooth module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8031: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8032: alias net-pf-31 off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8033: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8034: The unexpected name, net-pf-31, is
8035: a result of how the kernel requests modules for network protocol families; it is an
8036: alias for the bluetooth module.</description>
8037: <Rule id="rule-3.3.14.3.a" selected="false" weight="10.000000" severity="medium">
8038: <title xml:lang="en">Disable Bluetooth Kernel Modules</title>
8039: <description xml:lang="en">Prevent loading of the Bluetooth module.</description>
8040: <fixtext xml:lang="en">(1) via /etc/modprobe.conf</fixtext>
8041: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8042: <check-content-ref name="oval:org.fedoraproject.f14:def:202015" href="scap-fedora14-oval.xml"/>
8043: </check>
8044: </Rule>
8045: </Group>
8046: </Group>
8047: <Group id="group-3.3.15" hidden="false">
8048: <title xml:lang="en">Power Management Support</title>
8049: <description xml:lang="en">
8050: The following services provide an interface to power management
8051: functions. These functions include monitoring battery power, system hibernate/suspend, CPU
8052: throttling, and various power-save utilities.</description>
8053: <Group id="group-3.3.15.1" hidden="false">
8054: <title xml:lang="en">Advanced Power Management Subsystem (apmd)</title>
8055: <description xml:lang="en">
8056: The apmd service provides previous-generation power management
8057: support. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8058: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8059: If the system is capable of ACPI support, or if power management is not
8060: necessary, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8061: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8062: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig apmd off <xhtml:br/></xhtml:code>
8063: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8064: APM is being replaced by ACPI and
8065: should be considered deprecated. As such, it can be disabled if ACPI is supported by
8066: your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version
8067: information, then APM can safely be disabled without loss of functionality.</description>
8068: <Rule id="rule-3.3.15.1.a" selected="false" weight="10.000000" severity="low">
8069: <title xml:lang="en">Advanced Power Management Subsystem (apmd)</title>
8070: <description xml:lang="en">The apmd service should be disabled.</description>
8071: <ident system="http://cce.mitre.org">CCE-4289-5</ident>
8072: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8073: <fix># chkconfig apmd off</fix>
8074: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8075: <check-content-ref name="oval:org.fedoraproject.f14:def:20202" href="scap-fedora14-oval.xml"/>
8076: </check>
8077: </Rule>
8078: </Group>
8079: <Group id="group-3.3.15.2" hidden="false">
8080: <title xml:lang="en">Advanced Configuration and Power Interface (acpid)</title>
8081: <description xml:lang="en">
8082: The acpid service provides next generation power management
8083: support. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8084: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8085: Unless power management features are unnecessary, leave this service enabled.</description>
8086: <Rule id="rule-3.3.15.2.a" selected="false" weight="10.000000" severity="low">
8087: <title xml:lang="en">Advanced Configuration and Power Interface (acpid)</title>
8088: <description xml:lang="en">The acpid service should be disabled.</description>
8089: <ident system="http://cce.mitre.org">CCE-4298-6</ident>
8090: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8091: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8092: <check-content-ref name="oval:org.fedoraproject.f14:def:20203" href="scap-fedora14-oval.xml"/>
8093: </check>
8094: </Rule>
8095: </Group>
8096: <Group id="group-3.3.15.3" hidden="false">
8097: <title xml:lang="en">CPU Throttling (cpuspeed)</title>
8098: <description xml:lang="en">
8099: The cpuspeed service uses hardware support to throttle the CPU
8100: when the system is idle. Unless CPU power optimization is unnecessary, leave this
8101: service enabled.</description>
8102: <Rule id="rule-3.3.15.3.a" selected="false" weight="10.000000" severity="low">
8103: <title xml:lang="en">CPU Throttling (cpuspeed)</title>
8104: <description xml:lang="en">The cpuspeed service should be disabled.</description>
8105: <ident system="http://cce.mitre.org">CCE-4051-9</ident>
8106: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8107: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8108: <check-content-ref name="oval:org.fedoraproject.f14:def:20204" href="scap-fedora14-oval.xml"/>
8109: </check>
8110: </Rule>
8111: </Group>
8112: </Group>
8113: </Group>
8114: <Group id="group-3.4" hidden="false">
8115: <title xml:lang="en">Cron and At Daemons</title>
8116: <description xml:lang="en">
8117: The cron and at services are used to allow commands to be executed
8118: at a later time. The cron service is required by almost all systems to perform necessary
8119: maintenance tasks, while at may or may not be required on a given system. Both daemons
8120: should be configured defensively.</description>
8121: <Rule id="rule-3.4.a" selected="false" weight="10.000000" severity="high">
8122: <title xml:lang="en">Enable cron Daemon</title>
8123: <description xml:lang="en">The crond service should be enabled.</description>
8124: <ident system="http://cce.mitre.org">CCE-4324-0</ident>
8125: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8126: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8127: <check-content-ref name="oval:org.fedoraproject.f14:def:20205" href="scap-fedora14-oval.xml"/>
8128: </check>
8129: </Rule>
8130: <Group id="group-3.4.1" hidden="false">
8131: <title xml:lang="en">Disable anacron if Possible</title>
8132: <description xml:lang="en">
8133: Is this a machine which is designed to run all the time, such as
8134: a server or a workstation which is left on at night? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8135: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8136: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase anacron<xhtml:br/></xhtml:code>
8137: The
8138: anacron subsystem is designed to provide cron functionality for machines which may be shut
8139: down during the normal times that system cron jobs run, frequently in the middle of the
8140: night. Laptops and workstations which are shut down at night should keep anacron enabled,
8141: so that standard system cron jobs will run when the machine boots. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8142: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8143: However, on machines
8144: which do not need this additional functionality, anacron represents another piece of
8145: privileged software which could contain vulnerabilities. Therefore, it should be removed
8146: when possible to reduce system risk.</description>
8147: <Rule id="rule-3.4.1.a" selected="false" weight="10.000000" severity="low">
8148: <title xml:lang="en">Disable anacron if Possible</title>
8149: <description xml:lang="en">The anacron service should be disabled.</description>
8150: <ident system="http://cce.mitre.org">CCE-4406-5</ident>
8151: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8152: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8153: <check-content-ref name="oval:org.fedoraproject.f14:def:20206" href="scap-fedora14-oval.xml"/>
8154: </check>
8155: </Rule>
8156: <Rule id="rule-3.4.1.b" selected="false" weight="10.000000">
8157: <title xml:lang="en">Uninstall anacron if Possible</title>
8158: <description xml:lang="en">The anacron package should be uninstalled.</description>
8159: <ident system="http://cce.mitre.org">CCE-4428-9</ident>
8160: <fixtext xml:lang="en">(1) via yum</fixtext>
8161: <fix># yum erase anacron</fix>
8162: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8163: <check-content-ref name="oval:org.fedoraproject.f14:def:20207" href="scap-fedora14-oval.xml"/>
8164: </check>
8165: </Rule>
8166: </Group>
8167: <Group id="group-3.4.2" hidden="false">
8168: <title xml:lang="en">Restrict Permissions on Files Used by cron</title>
8169: <description xml:lang="en">
8170: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
8171: <xhtml:li>Restrict the permissions on the primary system crontab file: <xhtml:br/>
8172: <xhtml:br/>
8173: <xhtml:code># chown root:root /etc/crontab <xhtml:br/>
8174: # chmod 600 /etc/crontab</xhtml:code></xhtml:li>
8175: <xhtml:li>If anacron has not been removed,
8176: restrict the permissions on its primary configuration file: <xhtml:br/>
8177: <xhtml:br/>
8178: <xhtml:code># chown root:root /etc/anacrontab <xhtml:br/>
8179: # chmod 600 /etc/anacrontab </xhtml:code></xhtml:li>
8180: <xhtml:li>Restrict the permissions on all system
8181: crontab directories: <xhtml:br/>
8182: <xhtml:br/>
8183: <xhtml:code># cd /etc <xhtml:br/>
8184: # chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d <xhtml:br/>
8185: # chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d </xhtml:code></xhtml:li>
8186: <xhtml:li>Restrict the permissions on the spool directory for user crontab files: <xhtml:br/>
8187: <xhtml:br/>
8188: <xhtml:code># chown root:root /var/spool/cron <xhtml:br/>
8189: # chmod -R go-rwx /var/spool/cron </xhtml:code></xhtml:li>
8190: </xhtml:ol> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8191: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8192: Cron and anacron make use of a
8193: number of configuration files and directories. The system crontabs need only be edited by
8194: root, and user crontabs are edited using the setuid root crontab command. If unprivileged
8195: users can modify system cron configuration files, they may be able to gain elevated
8196: privileges, so all unnecessary access to these files should be disabled.</description>
8197: <Value id="var-3.4.2.system.crontab.primary.group" operator="equals" type="string">
8198: <title xml:lang="en">group owner of /etc/crontab</title>
8199: <description xml:lang="en">Specify group owner of /etc/crontab.</description>
8200: <question xml:lang="en">Specify group owner of /etc/crontab</question>
8201: <value>root</value>
8202: <value selector="root">root</value>
8203: </Value>
8204: <Value id="var-3.4.2.system.crontab.primary.user" operator="equals" type="string">
8205: <title xml:lang="en">user owner of /etc/crontab</title>
8206: <description xml:lang="en">Specify user owner of /etc/crontab.</description>
8207: <question xml:lang="en">Specify user owner of /etc/crontab</question>
8208: <value>root</value>
8209: <value selector="root">root</value>
8210: </Value>
8211: <Value id="var-3.4.2.system.crontab.primary.permissions" operator="equals" type="string">
8212: <title xml:lang="en">permissions on /etc/crontab file</title>
8213: <description xml:lang="en">Specify file permissions on /etc/crontab.</description>
8214: <question xml:lang="en">Specify permissions of /etc/crontab</question>
8215: <value>110100100</value>
8216: <value selector="644">110100100</value>
8217: <value selector="400">100000000</value>
8218: <value selector="600">110000000</value>
8219: <value selector="700">111000000</value>
8220: </Value>
8221: <Value id="var-3.4.2.system.anacrontab.group" operator="equals" type="string">
8222: <title xml:lang="en">group owner of /etc/anacrontab</title>
8223: <description xml:lang="en">Specify group owner of /etc/anacrontab.</description>
8224: <question xml:lang="en">Specify group owner of /etc/anacrontab</question>
8225: <value>root</value>
8226: <value selector="root">root</value>
8227: </Value>
8228: <Value id="var-3.4.2.system.anacrontab.user" operator="equals" type="string">
8229: <title xml:lang="en">user owner of /etc/anacrontab</title>
8230: <description xml:lang="en">Specify user owner of /etc/anacrontab.</description>
8231: <question xml:lang="en">Specify user owner of /etc/anacrontab</question>
8232: <value>root</value>
8233: <value selector="root">root</value>
8234: </Value>
8235: <Value id="var-3.4.2.system.anacrontab.permissions" operator="equals" type="string">
8236: <title xml:lang="en">permissions on /etc/anacrontab file</title>
8237: <description xml:lang="en">Specify file permissions on /etc/anacrontab.</description>
8238: <question xml:lang="en">Specify permissions of /etc/anacrontab</question>
8239: <value>110100100</value>
8240: <value selector="644">110100100</value>
8241: <value selector="400">100000000</value>
8242: <value selector="600">110000000</value>
8243: <value selector="700">111000000</value>
8244: </Value>
8245: <Value id="var-3.4.2.system.crontab.directories.group" operator="equals" type="string">
8246: <title xml:lang="en">group owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d</title>
8247: <description xml:lang="en">Specify group owner of /etc/cron.* files and directories.</description>
8248: <question xml:lang="en">Specify group owner of /etc/cron.* files and directories</question>
8249: <value>root</value>
8250: <value selector="root">root</value>
8251: </Value>
8252: <Value id="var-3.4.2.system.crontab.directories.user" operator="equals" type="string">
8253: <title xml:lang="en">user owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d</title>
8254: <description xml:lang="en">Specify user owner of /etc/cron.* files and directories.</description>
8255: <question xml:lang="en">Specify user owner of /etc/cron.* files and directories</question>
8256: <value>root</value>
8257: <value selector="root">root</value>
8258: </Value>
8259: <Value id="var-3.4.2.system.crontab.directories.permissions" operator="equals" type="string">
8260: <title xml:lang="en">permissions on cron.hourly cron.daily cron.weekly cron.monthly cron.d</title>
8261: <description xml:lang="en">Specify file and directory permissions on /etc/cron.*.</description>
8262: <question xml:lang="en">Specify permissions of /etc/cron.* files and directories</question>
8263: <value>111101101</value>
8264: <value selector="755">111101101</value>
8265: <value selector="400">100000000</value>
8266: <value selector="600">110000000</value>
8267: <value selector="700">111000000</value>
8268: </Value>
8269: <Value id="var-3.4.2.spool.directory.group" operator="equals" type="string">
8270: <title xml:lang="en">group owner of /var/spool/cron</title>
8271: <description xml:lang="en">Specify group owner of /var/spool/cron.</description>
8272: <question xml:lang="en">Specify group owner of /var/spool/cron</question>
8273: <value>root</value>
8274: <value selector="root">root</value>
8275: </Value>
8276: <Value id="var-3.4.2.spool.directory.user" operator="equals" type="string">
8277: <title xml:lang="en">user owner of /var/spool/cron</title>
8278: <description xml:lang="en">Specify user owner of /var/spool/cron.</description>
8279: <value>root</value>
8280: <value selector="root">root</value>
8281: </Value>
8282: <Value id="var-3.4.2.spool.directory.permissions" operator="equals" type="string">
8283: <title xml:lang="en">permissions on /var/spool/cron directory</title>
8284: <description xml:lang="en">Specify directory permissions on /var/spool/cron.</description>
8285: <question xml:lang="en">Specify directory permissions of /var/spool/cron</question>
8286: <value>111000000</value>
8287: <value selector="400">100000000</value>
8288: <value selector="600">110000000</value>
8289: <value selector="700">111000000</value>
8290: </Value>
8291: <Rule id="rule-3.4.2.1.a" selected="false" weight="10.000000" severity="medium">
8292: <title xml:lang="en">Set group owner on /etc/crontab</title>
8293: <description xml:lang="en">The /etc/crontab file should be owned by the appropriate group.</description>
8294: <ident system="http://cce.mitre.org">CCE-3626-9</ident>
8295: <fixtext xml:lang="en">(1) via chown</fixtext>
8296: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8297: <check-export export-name="oval:org.fedoraproject.f14:var:20208" value-id="var-3.4.2.system.crontab.primary.group"/>
8298: <check-content-ref name="oval:org.fedoraproject.f14:def:20208" href="scap-fedora14-oval.xml"/>
8299: </check>
8300: </Rule>
8301: <Rule id="rule-3.4.2.1.b" selected="false" weight="10.000000" severity="medium">
8302: <title xml:lang="en">Set user owner on /etc/crontab</title>
8303: <description xml:lang="en">The /etc/crontab file should be owned by the appropriate user.</description>
8304: <ident system="http://cce.mitre.org">CCE-3851-3</ident>
8305: <fixtext xml:lang="en">(1) via chown</fixtext>
8306: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8307: <check-export export-name="oval:org.fedoraproject.f14:var:20209" value-id="var-3.4.2.system.crontab.primary.user"/>
8308: <check-content-ref name="oval:org.fedoraproject.f14:def:20209" href="scap-fedora14-oval.xml"/>
8309: </check>
8310: </Rule>
8311: <Rule id="rule-3.4.2.1.c" selected="false" weight="10.000000" severity="medium">
8312: <title xml:lang="en">Set Permissions on /etc/crontab</title>
8313: <title xml:lang="en">Restrict Permissions on Files Used by cron</title>
8314: <description xml:lang="en">File permissions for /etc/crontab should be set correctly.</description>
8315: <ident system="http://cce.mitre.org">CCE-4388-5</ident>
8316: <fixtext xml:lang="en">(1) via chmod</fixtext>
8317: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8318: <check-export export-name="oval:org.fedoraproject.f14:var:20210" value-id="var-3.4.2.system.crontab.primary.permissions"/>
8319: <check-content-ref name="oval:org.fedoraproject.f14:def:20210" href="scap-fedora14-oval.xml"/>
8320: </check>
8321: </Rule>
8322: <Rule id="rule-3.4.2.2.a" selected="false" weight="10.000000" severity="medium">
8323: <title xml:lang="en">Set group owner on /etc/anacrontab</title>
8324: <description xml:lang="en">The /etc/anacrontab file should be owned by the appropriate group.</description>
8325: <ident system="http://cce.mitre.org">CCE-3604-6</ident>
8326: <fixtext xml:lang="en">(1) via chown</fixtext>
8327: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8328: <check-export export-name="oval:org.fedoraproject.f14:var:20211" value-id="var-3.4.2.system.anacrontab.group"/>
8329: <check-content-ref name="oval:org.fedoraproject.f14:def:20211" href="scap-fedora14-oval.xml"/>
8330: </check>
8331: </Rule>
8332: <Rule id="rule-3.4.2.2.b" selected="false" weight="10.000000" severity="medium">
8333: <title xml:lang="en">Set user owner on /etc/anacrontab</title>
8334: <description xml:lang="en">The /etc/anacrontab file should be owned by the appropriate user.</description>
8335: <ident system="http://cce.mitre.org">CCE-4379-4</ident>
8336: <fixtext xml:lang="en">(1) via chown</fixtext>
8337: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8338: <check-export export-name="oval:org.fedoraproject.f14:var:20212" value-id="var-3.4.2.system.anacrontab.user"/>
8339: <check-content-ref name="oval:org.fedoraproject.f14:def:20212" href="scap-fedora14-oval.xml"/>
8340: </check>
8341: </Rule>
8342: <Rule id="rule-3.4.2.2.c" selected="false" weight="10.000000" severity="medium">
8343: <title xml:lang="en">Set Permissions on /etc/anacrontab</title>
8344: <description xml:lang="en">File permissions for /etc/anacrontab should be set correctly.</description>
8345: <ident system="http://cce.mitre.org">CCE-4304-2</ident>
8346: <fixtext xml:lang="en">(1) via chmod</fixtext>
8347: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8348: <check-export export-name="oval:org.fedoraproject.f14:var:20213" value-id="var-3.4.2.system.anacrontab.permissions"/>
8349: <check-content-ref name="oval:org.fedoraproject.f14:def:20213" href="scap-fedora14-oval.xml"/>
8350: </check>
8351: </Rule>
8352: <Rule id="rule-3.4.2.3.a" selected="false" weight="10.000000" severity="medium">
8353: <title xml:lang="en">Set group owner on /etc/cron.hourly</title>
8354: <description xml:lang="en">The /etc/cron.hourly directory should be owned by the appropriate group.</description>
8355: <ident system="http://cce.mitre.org">CCE-4054-3</ident>
8356: <fixtext xml:lang="en">(1) via chown</fixtext>
8357: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8358: <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
8359: <check-content-ref name="oval:org.fedoraproject.f14:def:20214" href="scap-fedora14-oval.xml"/>
8360: </check>
8361: </Rule>
8362: <Rule id="rule-3.4.2.3.b" selected="false" weight="10.000000" severity="medium">
8363: <title xml:lang="en">Set group owner on /etc/cron.daily</title>
8364: <description xml:lang="en">The /etc/cron.daily directory should be owned by the appropriate group.</description>
8365: <ident system="http://cce.mitre.org">CCE-3481-9</ident>
8366: <fixtext xml:lang="en">(1) via chown</fixtext>
8367: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8368: <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
8369: <check-content-ref name="oval:org.fedoraproject.f14:def:20215" href="scap-fedora14-oval.xml"/>
8370: </check>
8371: </Rule>
8372: <Rule id="rule-3.4.2.3.c" selected="false" weight="10.000000" severity="medium">
8373: <title xml:lang="en">Set group owner on /etc/cron.weekly</title>
8374: <description xml:lang="en">The /etc/cron.weekly directory should be owned by the appropriate group.</description>
8375: <ident system="http://cce.mitre.org">CCE-4331-5</ident>
8376: <fixtext xml:lang="en">(1) via chown</fixtext>
8377: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8378: <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
8379: <check-content-ref name="oval:org.fedoraproject.f14:def:20216" href="scap-fedora14-oval.xml"/>
8380: </check>
8381: </Rule>
8382: <Rule id="rule-3.4.2.3.d" selected="false" weight="10.000000" severity="medium">
8383: <title xml:lang="en">Set group owner on /etc/cron.monthly</title>
8384: <description xml:lang="en">The /etc/cron.monthly directory should be owned by the appropriate group.</description>
8385: <ident system="http://cce.mitre.org">CCE-4322-4</ident>
8386: <fixtext xml:lang="en">(1) via chown</fixtext>
8387: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8388: <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
8389: <check-content-ref name="oval:org.fedoraproject.f14:def:20217" href="scap-fedora14-oval.xml"/>
8390: </check>
8391: </Rule>
8392: <Rule id="rule-3.4.2.3.e" selected="false" weight="10.000000" severity="medium">
8393: <title xml:lang="en">Set group owner on /etc/cron.d</title>
8394: <description xml:lang="en">The /etc/cron.d directory should be owned by the appropriate group.</description>
8395: <ident system="http://cce.mitre.org">CCE-4212-7</ident>
8396: <fixtext xml:lang="en">(1) via chown</fixtext>
8397: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8398: <check-export export-name="oval:org.fedoraproject.f14:var:20214" value-id="var-3.4.2.system.crontab.directories.group"/>
8399: <check-content-ref name="oval:org.fedoraproject.f14:def:20218" href="scap-fedora14-oval.xml"/>
8400: </check>
8401: </Rule>
8402: <Rule id="rule-3.4.2.3.f" selected="false" weight="10.000000" severity="medium">
8403: <title xml:lang="en">Set user owner on /etc/cron.hourly</title>
8404: <description xml:lang="en">The /etc/cron.hourly directory should be owned by the appropriate user.</description>
8405: <ident system="http://cce.mitre.org">CCE-3983-4</ident>
8406: <fixtext xml:lang="en">(1) via chown</fixtext>
8407: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8408: <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
8409: <check-content-ref name="oval:org.fedoraproject.f14:def:20219" href="scap-fedora14-oval.xml"/>
8410: </check>
8411: </Rule>
8412: <Rule id="rule-3.4.2.3.g" selected="false" weight="10.000000" severity="medium">
8413: <title xml:lang="en">Set user owner on /etc/cron.daily</title>
8414: <description xml:lang="en">The /etc/cron.daily directory should be owned by the appropriate user.</description>
8415: <ident system="http://cce.mitre.org">CCE-4022-0</ident>
8416: <fixtext xml:lang="en">(1) via chown</fixtext>
8417: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8418: <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
8419: <check-content-ref name="oval:org.fedoraproject.f14:def:20220" href="scap-fedora14-oval.xml"/>
8420: </check>
8421: </Rule>
8422: <Rule id="rule-3.4.2.3.h" selected="false" weight="10.000000" severity="medium">
8423: <title xml:lang="en">Set user owner on /etc/cron.weekly</title>
8424: <description xml:lang="en">The /etc/cron.weekly directory should be owned by the appropriate user.</description>
8425: <ident system="http://cce.mitre.org">CCE-3833-1</ident>
8426: <fixtext xml:lang="en">(1) via chown</fixtext>
8427: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8428: <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
8429: <check-content-ref name="oval:org.fedoraproject.f14:def:20221" href="scap-fedora14-oval.xml"/>
8430: </check>
8431: </Rule>
8432: <Rule id="rule-3.4.2.3.i" selected="false" weight="10.000000" severity="medium">
8433: <title xml:lang="en">Set user owner on /etc/cron.monthly</title>
8434: <description xml:lang="en">The /etc/cron.monthly directory should be owned by the appropriate user.</description>
8435: <ident system="http://cce.mitre.org">CCE-4441-2</ident>
8436: <fixtext xml:lang="en">(1) via chown</fixtext>
8437: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8438: <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
8439: <check-content-ref name="oval:org.fedoraproject.f14:def:20222" href="scap-fedora14-oval.xml"/>
8440: </check>
8441: </Rule>
8442: <Rule id="rule-3.4.2.3.j" selected="false" weight="10.000000" severity="medium">
8443: <title xml:lang="en">Set user owner on /etc/cron.d</title>
8444: <description xml:lang="en">The /etc/cron.d directory should be owned by the appropriate user.</description>
8445: <ident system="http://cce.mitre.org">CCE-4380-2</ident>
8446: <fixtext xml:lang="en">(1) via chown</fixtext>
8447: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8448: <check-export export-name="oval:org.fedoraproject.f14:var:20219" value-id="var-3.4.2.system.crontab.directories.user"/>
8449: <check-content-ref name="oval:org.fedoraproject.f14:def:20223" href="scap-fedora14-oval.xml"/>
8450: </check>
8451: </Rule>
8452: <Rule id="rule-3.4.2.3.k" selected="false" weight="10.000000" severity="medium">
8453: <title xml:lang="en">Set permissions on /etc/cron.hourly</title>
8454: <description xml:lang="en">File permissions for /etc/cron.hourly should be set correctly.</description>
8455: <ident system="http://cce.mitre.org">CCE-4106-1</ident>
8456: <fixtext xml:lang="en">(1) via chmod</fixtext>
8457: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8458: <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
8459: <check-content-ref name="oval:org.fedoraproject.f14:def:20224" href="scap-fedora14-oval.xml"/>
8460: </check>
8461: </Rule>
8462: <Rule id="rule-3.4.2.3.l" selected="false" weight="10.000000" severity="medium">
8463: <title xml:lang="en">Set permissions on /etc/cron.daily</title>
8464: <description xml:lang="en">File permissions for /etc/cron.daily should be set correctly.</description>
8465: <ident system="http://cce.mitre.org">CCE-4450-3</ident>
8466: <fixtext xml:lang="en">(1) via chmod</fixtext>
8467: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8468: <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
8469: <check-content-ref name="oval:org.fedoraproject.f14:def:20225" href="scap-fedora14-oval.xml"/>
8470: </check>
8471: </Rule>
8472: <Rule id="rule-3.4.2.3.m" selected="false" weight="10.000000" severity="medium">
8473: <title xml:lang="en">Set permissions on /etc/cron.weekly</title>
8474: <description xml:lang="en">File permissions for /etc/cron.weekly should be set correctly.</description>
8475: <ident system="http://cce.mitre.org">CCE-4203-6</ident>
8476: <fixtext xml:lang="en">(1) via chmod</fixtext>
8477: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8478: <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
8479: <check-content-ref name="oval:org.fedoraproject.f14:def:20226" href="scap-fedora14-oval.xml"/>
8480: </check>
8481: </Rule>
8482: <Rule id="rule-3.4.2.3.n" selected="false" weight="10.000000" severity="medium">
8483: <title xml:lang="en">Set permissions on /etc/cron.monthly</title>
8484: <description xml:lang="en">File permissions for /etc/cron.monthly should be set correctly.</description>
8485: <ident system="http://cce.mitre.org">CCE-4251-5</ident>
8486: <fixtext xml:lang="en">(1) via chmod</fixtext>
8487: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8488: <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
8489: <check-content-ref name="oval:org.fedoraproject.f14:def:20227" href="scap-fedora14-oval.xml"/>
8490: </check>
8491: </Rule>
8492: <Rule id="rule-3.4.2.3.o" selected="false" weight="10.000000" severity="medium">
8493: <title xml:lang="en">Set permissions on /etc/cron.d</title>
8494: <description xml:lang="en">File permissions for /etc/cron.d should be set correctly.</description>
8495: <ident system="http://cce.mitre.org">CCE-4250-7</ident>
8496: <fixtext xml:lang="en">(1) via chmod</fixtext>
8497: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8498: <check-export export-name="oval:org.fedoraproject.f14:var:20224" value-id="var-3.4.2.system.crontab.directories.permissions"/>
8499: <check-content-ref name="oval:org.fedoraproject.f14:def:20228" href="scap-fedora14-oval.xml"/>
8500: </check>
8501: </Rule>
8502: <Rule id="rule-3.4.2.4.a" selected="false" weight="10.000000" severity="medium">
8503: <title xml:lang="en">Restrict group owner on /var/spool/cron directory</title>
8504: <description xml:lang="en">The /var/spool/cron directory should be owned by the appropriate group.</description>
8505: <fixtext xml:lang="en">(1) via chown</fixtext>
8506: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8507: <check-export export-name="oval:org.fedoraproject.f14:var:20229" value-id="var-3.4.2.spool.directory.group"/>
8508: <check-content-ref name="oval:org.fedoraproject.f14:def:20229" href="scap-fedora14-oval.xml"/>
8509: </check>
8510: </Rule>
8511: <Rule id="rule-3.4.2.4.b" selected="false" weight="10.000000" severity="medium">
8512: <title xml:lang="en">Restrict user owner on /var/spool/cron directory</title>
8513: <description xml:lang="en">The /var/spool/cron directory should be owned by the appropriate user.</description>
8514: <fixtext xml:lang="en">(1) via chown</fixtext>
8515: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8516: <check-export export-name="oval:org.fedoraproject.f14:var:20230" value-id="var-3.4.2.spool.directory.user"/>
8517: <check-content-ref name="oval:org.fedoraproject.f14:def:20230" href="scap-fedora14-oval.xml"/>
8518: </check>
8519: </Rule>
8520: <Rule id="rule-3.4.2.4.c" selected="false" weight="10.000000" severity="medium">
8521: <title xml:lang="en">Restrict Permissions on /var/spool/cron directory</title>
8522: <description xml:lang="en">Directory permissions for /var/spool/cron should be set correctly.</description>
8523: <fixtext xml:lang="en">(1) via chmod</fixtext>
8524: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8525: <check-export export-name="oval:org.fedoraproject.f14:var:20231" value-id="var-3.4.2.spool.directory.permissions"/>
8526: <check-content-ref name="oval:org.fedoraproject.f14:def:20231" href="scap-fedora14-oval.xml"/>
8527: </check>
8528: </Rule>
8529: </Group>
8530: <Group id="group-3.4.3" hidden="false">
8531: <title xml:lang="en">Disable at if Possible</title>
8532: <description xml:lang="en">Unless the at daemon is required, disable it with the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8533: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8534: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig atd off<xhtml:br/></xhtml:code>
8535: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8536: Many of the periodic or delayed execution features of the at daemon can be provided through the cron daemon
8537: instead.
8538: </description>
8539: <Rule id="rule-3.4.3.a" selected="false" weight="10.000000" severity="low">
8540: <title xml:lang="en">Disable at Daemon</title>
8541: <description xml:lang="en">The atd service should be disabled.</description>
8542: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8543: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8544: <check-content-ref name="oval:org.fedoraproject.f14:def:202052" href="scap-fedora14-oval.xml"/>
8545: </check>
8546: </Rule>
8547: <Rule id="rule-3.4.3.b" selected="false" weight="10.000000">
8548: <title xml:lang="en">Uninstall at Daemon</title>
8549: <description xml:lang="en">The at package should be removed.</description>
8550: <fixtext xml:lang="en">(1) via yum</fixtext>
8551: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8552: <check-content-ref name="oval:org.fedoraproject.f14:def:202053" href="scap-fedora14-oval.xml"/>
8553: </check>
8554: </Rule>
8555: </Group>
8556: <Group id="group-3.4.4" hidden="false">
8557: <title xml:lang="en">Restrict at and cron to Authorized Users</title>
8558: <description xml:lang="en">
8559: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
8560: <xhtml:li>Remove the cron.deny file: <xhtml:br/>
8561: <xhtml:br/>
8562: <xhtml:code># rm /etc/cron.deny</xhtml:code></xhtml:li>
8563: <xhtml:li>Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to
8564: create cron jobs. </xhtml:li>
8565: <xhtml:li>Remove the at.deny file: <xhtml:br/>
8566: <xhtml:br/>
8567: <xhtml:code># rm /etc/at.deny </xhtml:code></xhtml:li>
8568: <xhtml:li>Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs. </xhtml:li>
8569: </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8570: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8571: The
8572: /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron
8573: and at to delay execution of processes. If these files exist and the corresponding
8574: files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant
8575: allow file can run the crontab and at commands to submit jobs. Create and populate the allow files before removing the deny files: what cron and at permit when neither file exists depends on the implementation, and the two rules in this group only verify that the deny files are absent, so the existence and contents of the allow files must be reviewed by
8576: hand. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8577: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8578: On many systems, only the system administrator needs the ability to schedule
8579: jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be
8580: run as that user: root-maintained system crontabs such as /etc/crontab and the files in /etc/cron.d can run commands as any user, and crontabs already present in /var/spool/cron remain in effect. The cron.allow file controls only who may use the crontab
8581: command to create, list and modify personal cron jobs.</description>
8582: <Rule id="rule-3.4.4.a" selected="false" weight="10.000000" severity="medium">
8583: <title xml:lang="en">Remove /etc/cron.deny</title>
8584: <description xml:lang="en">/etc/cron.deny file should not exist.</description>
8585: <fix>rm /etc/cron.deny</fix>
8586: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8587: <check-content-ref name="oval:org.fedoraproject.f14:def:20232" href="scap-fedora14-oval.xml"/>
8588: </check>
8589: </Rule>
8590: <Rule id="rule-3.4.4.b" selected="false" weight="10.000000" severity="medium">
8591: <title xml:lang="en">Remove /etc/at.deny</title>
8592: <description xml:lang="en">/etc/at.deny file should not exist.</description>
8593: <fix>rm /etc/at.deny</fix>
8594: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8595: <check-content-ref name="oval:org.fedoraproject.f14:def:20233" href="scap-fedora14-oval.xml"/>
8596: </check>
8597: </Rule>
8598: </Group>
8599: </Group>
8600: <Group id="group-3.5" hidden="false">
8601: <title xml:lang="en">SSH Server</title>
8602: <description xml:lang="en">
8603: The SSH protocol is recommended for remote login and remote file
8604: transfer. SSH provides confidentiality and integrity for data exchanged between two systems,
8605: as well as server authentication, through the use of public key cryptography. The
8606: implementation included with the system is called OpenSSH, and more detailed documentation
8607: is available from its website, http://www.openssh.org. Its server program is called sshd and
8608: provided by the RPM package openssh-server.</description>
8609: <Group id="group-3.5.1" hidden="false">
8610: <title xml:lang="en">Disable OpenSSH Server if Possible</title>
8611: <description xml:lang="en">
8612: Unless the system needs to provide the remote login and file
8613: transfer capabilities of SSH, disable and remove the OpenSSH server and its configuration.</description>
8614: <Group id="group-3.5.1.1" hidden="false">
8615: <title xml:lang="en">Disable and Remove OpenSSH Software</title>
8616: <description xml:lang="en">
8617: Disable and remove openssh-server with the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8618: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8619: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig sshd off <xhtml:br/>
8620: # yum erase openssh-server <xhtml:br/></xhtml:code>
8621: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8622: Users of the system will still be able to
8623: use the SSH client program /usr/bin/ssh to access SSH servers on other systems.</description>
8624: <Rule id="rule-3.5.1.1.a" selected="false" weight="10.000000" severity="low">
8625: <title xml:lang="en">Disable OpenSSH Software</title>
8626: <description xml:lang="en">The sshd service should be disabled.</description>
8627: <ident system="http://cce.mitre.org">CCE-4268-9</ident>
8628: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
8629: <fix>chkconfig sshd off</fix>
8630: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8631: <check-content-ref name="oval:org.fedoraproject.f14:def:20234" href="scap-fedora14-oval.xml"/>
8632: </check>
8633: </Rule>
8634: <Rule id="rule-3.5.1.1.b" selected="false" weight="10.000000">
8635: <title xml:lang="en">Remove OpenSSH Software</title>
8636: <description xml:lang="en">SSH should be uninstalled</description>
8637: <ident system="http://cce.mitre.org">CCE-4272-1</ident>
8638: <fixtext xml:lang="en">(1) via yum</fixtext>
8639: <fix>yum erase openssh-server</fix>
8640: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8641: <check-content-ref name="oval:org.fedoraproject.f14:def:20235" href="scap-fedora14-oval.xml"/>
8642: </check>
8643: </Rule>
8644: </Group>
8645: <Group id="group-3.5.1.2" hidden="false">
8646: <title xml:lang="en">Remove SSH Server iptables Firewall Exception</title>
8647: <description xml:lang="en">
8648: Edit the files /etc/sysconfig/iptables and
8649: /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8650: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8651: -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8652: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8653: By default, inbound connections to SSH's port are allowed. If the SSH server is not
8654: being used, this exception should be removed from the firewall configuration. See
8655: Section 2.5.5 for more information about Iptables.</description>
8656: <Rule id="rule-3.5.1.2.a" selected="false" weight="10.000000" severity="high">
8657: <title xml:lang="en">Remove SSH Server iptables Firewall Exception</title>
8658: <description xml:lang="en">Inbound connections to the ssh port should be denied</description>
8659: <ident system="http://cce.mitre.org">CCE-4295-2</ident>
8660: <fixtext xml:lang="en">(1) /etc/sysconfig/iptables</fixtext>
8661: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8662: <check-content-ref name="oval:org.fedoraproject.f14:def:20236" href="scap-fedora14-oval.xml"/>
8663: </check>
8664: </Rule>
8665: <Rule id="rule-3.5.1.2.b" selected="false" weight="10.000000" severity="high">
8666: <title xml:lang="en">Remove SSH Server ip6tables Firewall Exception</title>
8667: <description xml:lang="en">Inbound connections to the ssh port should be denied</description>
8668: <fixtext xml:lang="en">(1) /etc/sysconfig/ip6tables</fixtext>
8669: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8670: <check-content-ref name="oval:org.fedoraproject.f14:def:20237" href="scap-fedora14-oval.xml"/>
8671: </check>
8672: </Rule>
8673: </Group>
8674: </Group>
8675: <Group id="group-3.5.2" hidden="false">
8676: <title xml:lang="en">Configure OpenSSH Server if Necessary</title>
8677: <description xml:lang="en">
8678: If the system needs to act as an SSH server, then certain changes
8679: should be made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The
8680: following recommendations can be applied to this file. See the sshd_config(5) man page for
8681: more detailed information. Changes take effect only after sshd is restarted or reloaded; keep the current session open and verify that a fresh connection still succeeds before disconnecting, so that a configuration error cannot lock administrators out.</description>
8682: <Group id="group-3.5.2.1" hidden="false">
8683: <title xml:lang="en">Ensure Only Protocol 2 Connections Allowed</title>
8684: <description xml:lang="en">
8685: Only SSH protocol version 2 connections should be permitted.
8686: Version 1 of the protocol contains security vulnerabilities. The default setting shipped
8687: in the configuration file is correct, but it is important enough to check. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8688: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8689: Verify that the following line appears, and that no other Protocol line in the file (such as Protocol 2,1 or Protocol 1) re-enables version 1: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8690: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8691: Protocol 2</description>
8692: <Rule id="rule-3.5.2.1.a" selected="false" weight="10.000000" severity="high">
8693: <title xml:lang="en">Ensure Only Protocol 2 Connections Allowed</title>
8694: <description xml:lang="en">SSH version 1 protocol support should be disabled.</description>
8695: <ident system="http://cce.mitre.org">CCE-4325-7</ident>
8696: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8697: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8698: <check-content-ref name="oval:org.fedoraproject.f14:def:20238" href="scap-fedora14-oval.xml"/>
8699: </check>
8700: </Rule>
8701: </Group>
8702: <Group id="group-3.5.2.2" hidden="false">
8703: <title xml:lang="en">Limit Users' SSH Access</title>
8704: <description xml:lang="en">
8705: By default, the SSH configuration allows any user with a valid account to access the
8706: system. In order to allow all users to log in via SSH but deny only a few users, add or
8707: correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8708: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8709: DenyUsers USER1 USER2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8710: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8711: Alternatively, if it is appropriate to allow only a few users access to the system via
8712: SSH, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8713: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8714: AllowUsers USER1 USER2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>AllowUsers is an allow-list: once it is present, every account it does not name, including administrative accounts, is refused by sshd, so list the accounts used for administration before restarting the daemon. The group-based directives DenyGroups and AllowGroups work the same way; sshd_config(5) gives the order in which the four directives are evaluated. This group has no automated check, so the resulting configuration must be reviewed manually.</description>
8715: </Group>
8716: <Group id="group-3.5.2.3" hidden="false">
8717: <title xml:lang="en">Set Idle Timeout Interval for User Logins</title>
8718: <description xml:lang="en">
8719: SSH allows administrators to set an idle timeout interval.
8720: After this interval has passed, the idle user will be automatically logged out. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8721: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8722: Find and edit the following lines in /etc/ssh/sshd_config as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8723: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8724: ClientAliveInterval interval <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8725: ClientAliveCountMax 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8726: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8727: The timeout interval is given in seconds.
8728: To have a timeout of 5 minutes, set interval to 300. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8729: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8730: These directives measure whether the client is still responding rather than whether the user is active: when no data has arrived from the client for interval seconds, sshd counts a missed interval and sends an alive request, which a connected but idle client answers automatically, resetting the count. The session is terminated only when the number of consecutive missed intervals exceeds ClientAliveCountMax, so the setting acts as an idle timeout only with ClientAliveCountMax 0; with any larger value an idle client is kept connected indefinitely. Consult sshd_config(5) for the installed release, since some newer OpenSSH versions treat a count of 0 as disabling termination altogether. If a shorter timeout has already been set for
8731: the login shell, as in Section 2.3.5.5, that value will preempt any SSH setting made
8732: here. Keep in mind that any process producing output on the session (a running monitor, for example) keeps traffic flowing and prevents the timeout from triggering, even though the
8733: user is idle.</description>
8734: <Value id="var-3.5.2.3.a" operator="equals" type="number">
8735: <title xml:lang="en">SSH session Idle time</title>
8736: <description xml:lang="en">Specify duration of allowed idle time.</description>
8737: <question xml:lang="en">Specify duration of allowed idle time (in seconds) for SSH session</question>
8738: <value>300</value>
8739: <value selector="5_minutes">300</value>
8740: <value selector="10_minutes">600</value>
8741: </Value>
8742: <Value id="var-3.5.2.3.b" operator="equals" type="number">
8743: <title xml:lang="en">SSH session ClientAliveCountMax</title>
8744: <description xml:lang="en">Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. The guide text above recommends 0 for an idle timeout; with the default selected here (3), an idle but still-connected client is never disconnected.</description>
8745: <question xml:lang="en">Specify the number of client alive messages which may be sent without sshd receiving any messages back from the client</question>
8746: <value>3</value>
8747: <value selector="0">0</value>
8748: <value selector="3">3</value>
8749: </Value>
8750: <Rule id="rule-3.5.2.3.a" selected="false" weight="10.000000" severity="medium">
8751: <title xml:lang="en">Set Idle Timeout Interval for User Logins</title>
8752: <description xml:lang="en">The SSH idle timeout interval (ClientAliveInterval) should be set to an appropriate
8753: value</description>
8754: <ident system="http://cce.mitre.org">CCE-3845-5</ident>
8755: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8756: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8757: <check-export export-name="oval:org.fedoraproject.f14:var:20239" value-id="var-3.5.2.3.a"/>
8758: <check-content-ref name="oval:org.fedoraproject.f14:def:20239" href="scap-fedora14-oval.xml"/>
8759: </check>
8760: </Rule>
8761: <Rule id="rule-3.5.2.3.b" selected="false" weight="10.000000">
8762: <title xml:lang="en">Set ClientAliveCountMax for User Logins</title>
8763: <description xml:lang="en">The ClientAliveCountMax should be set to an appropriate value</description>
8764: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8765: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8766: <check-export export-name="oval:org.fedoraproject.f14:var:20240" value-id="var-3.5.2.3.b"/>
8767: <check-content-ref name="oval:org.fedoraproject.f14:def:20240" href="scap-fedora14-oval.xml"/>
8768: </check>
8769: </Rule>
8770: </Group>
8771: <Group id="group-3.5.2.4" hidden="false">
8772: <title xml:lang="en">Disable .rhosts Files</title>
8773: <description xml:lang="en">
8774: SSH can emulate the behavior of the obsolete rsh command in
8775: allowing users to enable insecure access to their accounts via .rhosts files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8776: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8777: To ensure that this behavior is disabled, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8778: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8779: IgnoreRhosts yes</description>
8780: <Rule id="rule-3.5.2.4.a" selected="false" weight="10.000000" severity="high">
8781: <title xml:lang="en">Disable .rhosts Files</title>
8782: <description xml:lang="en">Emulation of the rsh command through the ssh server should be disabled</description>
8783: <ident system="http://cce.mitre.org">CCE-4475-0</ident>
8784: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8785: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8786: <check-content-ref name="oval:org.fedoraproject.f14:def:20241" href="scap-fedora14-oval.xml"/>
8787: </check>
8788: </Rule>
8789: </Group>
8790: <Group id="group-3.5.2.5" hidden="false">
8791: <title xml:lang="en">Disable Host-Based Authentication</title>
8792: <description xml:lang="en">
8793: SSH's cryptographic host-based authentication is slightly more
8794: secure than .rhosts authentication, since hosts are cryptographically authenticated.
8795: However, it is not recommended that hosts unilaterally trust one another, even within an
8796: organization. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8797: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8798: To disable host-based authentication, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8799: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8800: HostbasedAuthentication no</description>
8801: <Rule id="rule-3.5.2.5.a" selected="false" weight="10.000000">
8802: <title xml:lang="en">Disable Host-Based Authentication</title>
8803: <description xml:lang="en">SSH host-based authentication should be disabled</description>
8804: <ident system="http://cce.mitre.org">CCE-4370-3</ident>
8805: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8806: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8807: <check-content-ref name="oval:org.fedoraproject.f14:def:20242" href="scap-fedora14-oval.xml"/>
8808: </check>
8809: </Rule>
8810: </Group>
8811: <Group id="group-3.5.2.6" hidden="false">
8812: <title xml:lang="en">Disable root Login via SSH</title>
8813: <description xml:lang="en">
8814: The root user should never be allowed to login directly over a
8815: network, as this both reduces auditable information about who ran privileged commands on
8816: the system and allows direct attack attempts on root's password. Administrators should instead log in under their own accounts and escalate with su or sudo, which preserves the audit trail; confirm that such an account exists and works before restarting sshd with root login disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8817: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8818: To disable root login via SSH, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8819: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8820: PermitRootLogin no</description>
8821: <Rule id="rule-3.5.2.6.a" selected="false" weight="10.000000" severity="medium">
8822: <title xml:lang="en">Disable root Login via SSH</title>
8823: <description xml:lang="en">Root login via SSH should be disabled</description>
8824: <ident system="http://cce.mitre.org">CCE-4387-7</ident>
8825: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8826: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8827: <check-content-ref name="oval:org.fedoraproject.f14:def:20243" href="scap-fedora14-oval.xml"/>
8828: </check>
8829: </Rule>
8830: </Group>
8831: <Group id="group-3.5.2.7" hidden="false">
8832: <title xml:lang="en">Disable Empty Passwords</title>
8833: <description xml:lang="en">
8834: To explicitly disallow remote login from accounts with empty
8835: passwords, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8836: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8837: PermitEmptyPasswords no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8838: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8839: Measures should also be taken to disable accounts with empty passwords system-wide,
8840: as described in Section 2.3.1.5.</description>
8841: <Rule id="rule-3.5.2.7.a" selected="false" weight="10.000000">
8842: <title xml:lang="en">Disable Empty Passwords</title>
8843: <description xml:lang="en">Remote connections from accounts with empty passwords should be disabled</description>
8844: <ident system="http://cce.mitre.org">CCE-3660-8</ident>
8845: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8846: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8847: <check-content-ref name="oval:org.fedoraproject.f14:def:20244" href="scap-fedora14-oval.xml"/>
8848: </check>
8849: </Rule>
8850: </Group>
8851: <Group id="group-3.5.2.8" hidden="false">
8852: <title xml:lang="en">Enable a Warning Banner</title>
8853: <description xml:lang="en">
8854: Section 2.3.7 contains information on how to create an
8855: appropriate warning banner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8856: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8857: To enable a warning banner, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8858: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8859: Banner /etc/issue</description>
8860: <Rule id="rule-3.5.2.8.a" selected="false" weight="10.000000" severity="medium">
8861: <title xml:lang="en">Enable a Warning Banner</title>
8862: <description xml:lang="en">SSH warning banner should be enabled</description>
8863: <ident system="http://cce.mitre.org">CCE-4431-3</ident>
8864: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8865: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8866: <check-content-ref name="oval:org.fedoraproject.f14:def:20245" href="scap-fedora14-oval.xml"/>
8867: </check>
8868: </Rule>
8869: </Group>
8870: <Group id="group-3.5.2.9" hidden="false">
8871: <title xml:lang="en">Do Not Allow Users to Set Environment Options</title>
8872: <description xml:lang="en">
8873: To prevent users from being able to present environment options to the SSH daemon (through ~/.ssh/environment or environment= options in authorized_keys files) and potentially bypass
8874: some access restrictions, for example by setting variables such as LD_PRELOAD that change what runs at login, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8875: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8876: PermitUserEnvironment no
8877: </description>
8878: <Rule id="rule-3.5.2.9.a" selected="false" weight="10.000000">
8879: <title xml:lang="en">Do Not Allow Users to Set Environment Options</title>
8880: <description xml:lang="en">PermitUserEnvironment should be disabled</description>
8881: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8882: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8883: <check-content-ref name="oval:org.fedoraproject.f14:def:202455" href="scap-fedora14-oval.xml"/>
8884: </check>
8885: </Rule>
8886: </Group>
8887: <Group id="group-3.5.2.10" hidden="false">
8888: <title xml:lang="en">Use Only Approved Ciphers</title>
8889: <description xml:lang="en">
8890: Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode. The
8891: following line demonstrates use of FIPS-approved ciphers in CTR mode:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8892: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8893: Ciphers aes128-ctr,aes192-ctr,aes256-ctr<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8894: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8895: The man page sshd_config(5) contains a list of the ciphers supported for the current release of the SSH daemon. Specifying Ciphers explicitly removes every cipher not listed, including the CBC-mode ciphers this rule is meant to exclude, from what sshd will negotiate; confirm that the clients in use support at least one of the listed ciphers before restarting the daemon.</description>
8896: <Rule id="rule-3.5.2.10.a" selected="false" weight="10.000000">
8897: <title xml:lang="en">Use Only Approved Ciphers</title>
8898: <description xml:lang="en">Use only FIPS approved ciphers not in CBC mode</description>
8899: <fixtext xml:lang="en">(1) via /etc/ssh/sshd_config</fixtext>
8900: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8901: <check-content-ref name="oval:org.fedoraproject.f14:def:202456" href="scap-fedora14-oval.xml"/>
8902: </check>
8903: </Rule>
8904: </Group>
8905: <Group id="group-3.5.2.11" hidden="false">
8906: <title xml:lang="en">Strengthen Firewall Configuration if Possible</title>
8907: <description xml:lang="en">
8908: If the SSH server must only accept connections from the local
8909: network, then strengthen the default firewall rule for the SSH service. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8910: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8911: Determine an
8912: appropriate network block, netwk, and network mask, mask, representing the machines on
8913: your network which must be allowed to access this SSH server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8914: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8915: Edit the files
8916: /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file,
8917: locate the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8918: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8919: -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8920: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8921: and replace it with: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8922: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8923: -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8924: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8925: If your site uses IPv6, and you are editing ip6tables, use the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8926: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8927: -A RH-Firewall-1-INPUT -s ipv6netwk::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8928: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8929: instead. This advice dates from kernels without reliable IPv6 connection tracking; if the existing ip6tables rule set already relies on -m state, the same stateful form as the IPv4 rule can be used for
8930: IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8931: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8932: See Section 2.5.5 for more information about Iptables configuration.</description>
8933: </Group>
8934: </Group>
8935: </Group>
8936: <Group id="group-3.6" hidden="false">
8937: <title xml:lang="en">X Window System</title>
8938: <description xml:lang="en">The X Window System implementation included with the system is called X.org.</description>
8939: <Group id="group-3.6.1" hidden="false">
8940: <title xml:lang="en">Disable X Windows if Possible</title>
8941: <description xml:lang="en">
8942: Unless there is a mission-critical reason for the machine to run
8943: a GUI login screen, prevent X from starting automatically at boot. There is usually no
8944: reason to run X Windows on a dedicated server machine, since administrators can login via
8945: SSH or on the text console.</description>
8946: <Group id="group-3.6.1.1" hidden="false">
8947: <title xml:lang="en">Disable X Windows at System Boot</title>
8948: <description xml:lang="en">
8949: Edit the file /etc/inittab, and correct the line
8950: id:5:initdefault: to: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8951: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8952: id:3:initdefault: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8953: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8954: This action changes the default boot runlevel of
8955: the system from 5 to 3. These two runlevels should be identical except that runlevel 5
8956: starts X on boot, while runlevel 3 does not.</description>
8957: <Value id="var-3.6.1.1.a" operator="equals" type="number">
8958: <title xml:lang="en">default boot level</title>
8959: <description xml:lang="en">Specify whether to start in single user mode, text UI or graphical UI.</description>
8960: <question xml:lang="en">Specify whether to start in single user mode, text UI or graphical UI</question>
8961: <value>5</value>
8962: <value selector="multi-user-graphical">5</value>
8963: <value selector="multi-user-text">3</value>
8964: <value selector="single-user-text">1</value>
8965: </Value>
8966: <Rule id="rule-3.6.1.1.a" selected="false" weight="10.000000" severity="medium">
8967: <title xml:lang="en">Disable X Windows at System Boot</title>
8968: <description xml:lang="en">X Windows should be disabled at system boot</description>
8969: <ident system="http://cce.mitre.org">CCE-4462-8</ident>
8970: <fixtext xml:lang="en">(1) via /etc/inittab</fixtext>
8971: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8972: <check-export export-name="oval:org.fedoraproject.f14:var:20246" value-id="var-3.6.1.1.a"/>
8973: <check-content-ref name="oval:org.fedoraproject.f14:def:20246" href="scap-fedora14-oval.xml"/>
8974: </check>
8975: </Rule>
8976: </Group>
8977: <Group id="group-3.6.1.2" hidden="false">
8978: <title xml:lang="en">Remove X Windows from the System if Possible</title>
8979: <description xml:lang="en">
8980: Remove the X11 RPMs from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8981: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8982: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum groupremove "X Window System" <xhtml:br/></xhtml:code>
8983: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8984: As long as X.org remains installed on the system, users can still run X
8985: Windows by typing startx at the shell prompt. This may run X Windows using configuration
8986: settings which are less secure than the system defaults. Therefore, if the machine is a
8987: dedicated server which does not need to provide graphical logins at all, it is safest to
8988: remove the X.org software entirely. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8989: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
8990: The command given here will remove over 100
8991: packages. It should safely and effectively remove X from machines which do not need it.</description>
8992: <Rule id="rule-3.6.1.2.a" selected="false" weight="10.000000">
8993: <title xml:lang="en">Remove X Windows from the System if Possible</title>
8994: <description xml:lang="en">X Windows should be removed</description>
8995: <ident system="http://cce.mitre.org">CCE-4422-2</ident>
8996: <fixtext xml:lang="en">(1) via yum</fixtext>
8997: <fix>yum groupremove "X Window System"</fix>
8998: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
8999: <check-content-ref name="oval:org.fedoraproject.f14:def:20247" href="scap-fedora14-oval.xml"/>
9000: </check>
9001: </Rule>
9002: </Group>
9003: <Group id="group-3.6.1.3" hidden="false">
9004: <title xml:lang="en">Lock Down X Windows startx Configuration if Necessary</title>
9005: <description xml:lang="en">
9006: If X is not to be started at boot time but the software must
9007: remain installed, users will be able to run X manually using the startx command. In some
9008: cases, this runs X with a configuration which is less safe than the default. Follow
9009: these instructions to mitigate risk from this configuration.</description>
9010: <Group id="group-3.6.1.3.1" hidden="false">
9011: <title xml:lang="en">Disable X Font Server</title>
9012: <description xml:lang="en">
9013: Disable the xfs helper service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9014: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9015: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig xfs off <xhtml:br/></xhtml:code>
9016: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9017: The
9018: system's X.org requires the X Font Server service (xfs) to function. The xfs service
9019: will be started automatically if X.org is activated via startx. Therefore, it is safe
9020: to prevent xfs from starting at boot when X is disabled, even if users are allowed to
9021: run X manually.</description>
9022: </Group>
9023: <Group id="group-3.6.1.3.2" hidden="false">
9024: <title xml:lang="en">Disable X Window System Listening</title>
9025: <description xml:lang="en">
9026: To prevent X.org from listening for remote connections,
9027: create the file /etc/X11/xinit/xserverrc and fill it with the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9028: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9029: exec X :0 -nolisten tcp $@ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9030: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9031: One of X.org's features is the ability to provide remote graphical
9032: display. This feature should be disabled unless it is required. If the system uses
9033: runlevel 5, which is the default, the GDM display manager starts X safely, with remote
9034: listening disabled. However, if X is started from the command line with the startx
9035: command, then the server will listen for new connections on X's default port, 6000.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9036: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9037: See the xinit(1), startx(1), and Xserver(1) man pages for more information.</description>
9038: <Rule id="rule-3.6.1.3.2.a" selected="false" weight="10.000000" severity="medium">
9039: <title xml:lang="en">Disable X Window System Listening</title>
9040: <description xml:lang="en">Disable the ability to provide remote graphical display</description>
9041: <ident system="http://cce.mitre.org">CCE-4074-1</ident>
9042: <fixtext xml:lang="en">(1) via /etc/X11/xinit/xserverrc</fixtext>
9043: <fix>echo "exec X :0 -nolisten tcp $@" > /etc/X11/xinit/xserverrc</fix>
9044: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9045: <check-content-ref name="oval:org.fedoraproject.f14:def:20248" href="scap-fedora14-oval.xml"/>
9046: </check>
9047: </Rule>
9048: </Group>
9049: </Group>
9050: </Group>
9051: <Group id="group-3.6.2" hidden="false">
9052: <title xml:lang="en">Configure X Windows if Necessary</title>
9053: <description xml:lang="en">
9054: If there is a mission-critical reason for this machine to run a
9055: GUI, improve the security of the default X configuration by following the guidance in this
9056: section.</description>
9057: <Group id="group-3.6.2.1" hidden="false">
9058: <title xml:lang="en">Create Warning Banners for GUI Login Users</title>
9059: <description xml:lang="en">
9060: Edit the file /etc/gdm/custom.conf. Locate the [greeter]
9061: section, and correct that section to contain the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9062: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9063: [greeter] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9064: InfoMsgFile=/etc/issue<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9065: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9066: See Section 2.3.7 for an explanation of banner file use. This setting will cause the
9067: system greeting banner to be displayed in a box prior to GUI login. If the default
9068: banner font is inappropriate, it can be changed by specifying the InfoMsgFont directive
9069: as well, for instance: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9070: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9071: InfoMsgFont=Sans 12</description>
9072: <Rule id="rule-3.6.2.1.a" selected="false" weight="10.000000" severity="medium">
9073: <title xml:lang="en">Create Warning Banners for GUI Login Users</title>
9074: <description xml:lang="en">Enable warning banner for GUI login</description>
9075: <ident system="http://cce.mitre.org">CCE-3717-6</ident>
9076: <fixtext xml:lang="en">(1) via /etc/gdm/custom.conf</fixtext>
9077: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9078: <check-content-ref name="oval:org.fedoraproject.f14:def:20249" href="scap-fedora14-oval.xml"/>
9079: </check>
9080: </Rule>
9081: </Group>
9082: </Group>
9083: </Group>
9084: <Group id="group-3.7" hidden="false">
9085: <title xml:lang="en">Avahi Server</title>
9086: <description xml:lang="en">
9087: The Avahi daemon implements the DNS Service Discovery and Multicast
9088: DNS protocols, which provide service and host discovery on a network. It allows a system to
9089: automatically identify resources on the network, such as printers or web servers. This
9090: capability is also known as mDNSresponder and is a major part of Zeroconf networking. By
9091: default, it is enabled.</description>
9092: <Group id="group-3.7.1" hidden="false">
9093: <title xml:lang="en">Disable Avahi Server if Possible</title>
9094: <description xml:lang="en">
9095: Because the Avahi daemon service keeps an open network port, it
9096: is subject to network attacks. Disabling it is particularly important to reduce the
9097: system's vulnerability to such attacks.</description>
9098: <Group id="group-3.7.1.1" hidden="false">
9099: <title xml:lang="en">Disable Avahi Server Software</title>
9100: <description xml:lang="en">
9101: Issue the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9102: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9103: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig avahi-daemon off</xhtml:code></description>
9104: <Rule id="rule-3.7.1.1.a" selected="false" weight="10.000000" severity="low">
9105: <title xml:lang="en">Disable Avahi Server Software</title>
9106: <description xml:lang="en">The avahi-daemon service should be disabled.</description>
9107: <ident system="http://cce.mitre.org">CCE-4365-3</ident>
9108: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
9109: <fix># chkconfig avahi-daemon off</fix>
9110: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9111: <check-content-ref name="oval:org.fedoraproject.f14:def:20250" href="scap-fedora14-oval.xml"/>
9112: </check>
9113: </Rule>
9114: </Group>
9115: <Group id="group-3.7.1.2" hidden="false">
9116: <title xml:lang="en">Remove Avahi Server iptables Firewall Exception</title>
9117: <description xml:lang="en">
9118: Edit the files /etc/sysconfig/iptables and
9119: /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9120: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9121: -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9122: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9123: By default, inbound
9124: connections to Avahi's port are allowed. If the Avahi server is not being used, this
9125: exception should be removed from the firewall configuration. See Section 2.5.5 for more
9126: information about the iptables firewall.</description>
9127: </Group>
9128: </Group>
9129: <Group id="group-3.7.2" hidden="false">
9130: <title xml:lang="en">Configure Avahi if Necessary</title>
9131: <description xml:lang="en">
9132: If your system requires the Avahi daemon, its configuration can
9133: be restricted to improve security. The Avahi daemon configuration file is
9134: /etc/avahi/avahi-daemon.conf. The following security recommendations should be applied to
9135: this file. See the avahi-daemon.conf(5) man page or documentation at http://www.avahi.org
9136: for more detailed information about the configuration options.</description>
9137: <Group id="group-3.7.2.1" hidden="false">
9138: <title xml:lang="en">Serve Only via Required Protocol</title>
9139: <description xml:lang="en">
9140: The default setting in the configuration file allows Avahi to
9141: use both IPv4 and IPv6 sockets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9142: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9143: If you are using only IPv4, edit
9144: /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server]
9145: section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9146: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9147: use-ipv6=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9148: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9149: Similarly, if you are using only IPv6, disable IPv4 sockets with the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9150: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9151: use-ipv4=no</description>
9152: <Rule id="rule-3.7.2.1.a" selected="false" weight="10.000000" severity="medium">
9153: <title xml:lang="en">Serve Only via Required Protocol</title>
9154: <description xml:lang="en">The Avahi daemon should be configured not to serve via IPv6</description>
9155: <ident system="http://cce.mitre.org">CCE-4136-8</ident>
9156: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9157: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9158: <check-content-ref name="oval:org.fedoraproject.f14:def:20251" href="scap-fedora14-oval.xml"/>
9159: </check>
9160: </Rule>
9161: <Rule id="rule-3.7.2.1.b" selected="false" weight="10.000000" severity="medium">
9162: <title xml:lang="en">Serve Only via Required Protocol</title>
9163: <description xml:lang="en">The Avahi daemon should be configured not to serve via IPv4</description>
9164: <ident system="http://cce.mitre.org">CCE-4409-9</ident>
9165: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9166: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9167: <check-content-ref name="oval:org.fedoraproject.f14:def:20252" href="scap-fedora14-oval.xml"/>
9168: </check>
9169: </Rule>
9170: </Group>
9171: <Group id="group-3.7.2.2" hidden="false">
9172: <title xml:lang="en">Check Responses' TTL Field</title>
9173: <description xml:lang="en">
9174: Avahi can be set to ignore IP packets unless their TTL field is
9175: 255. To make Avahi ignore packets unless the TTL field is 255, edit
9176: /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server]
9177: section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9178: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9179: check-response-ttl=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9180: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9181: This helps to ensure that only mDNS responses from the
9182: local network are processed, because the TTL field in a packet is decremented from its
9183: initial value of 255 whenever it is routed from one network to another. Although a
9184: properly-configured router or firewall should not allow mDNS packets into the local
9185: network at all, this option provides another check to ensure they are not trusted.</description>
9186: <Rule id="rule-3.7.2.2.a" selected="false" weight="10.000000">
9187: <title xml:lang="en">Check Responses' TTL Field</title>
9188: <description xml:lang="en">Avahi should be configured to reject packets with a TTL field not equal to 255</description>
9189: <ident system="http://cce.mitre.org">CCE-4426-3</ident>
9190: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9191: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9192: <check-content-ref name="oval:org.fedoraproject.f14:def:20253" href="scap-fedora14-oval.xml"/>
9193: </check>
9194: </Rule>
9195: </Group>
9196: <Group id="group-3.7.2.3" hidden="false">
9197: <title xml:lang="en">Prevent Other Programs from Using Avahi's Port</title>
9198: <description xml:lang="en">
9199: Avahi can stop other mDNS stacks from running on the host by
9200: preventing other processes from binding to port 5353. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9201: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9202: To prevent other mDNS stacks from
9203: running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the
9204: [server] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9205: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9206: disallow-other-stacks=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9207: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9208: This is designed to help ensure that only
9209: Avahi is responsible for mDNS traffic coming from that port on the system.</description>
9210: <Rule id="rule-3.7.2.3.a" selected="false" weight="10.000000">
9211: <title xml:lang="en">Prevent Other Programs from Using Avahi's Port</title>
9212: <description xml:lang="en">Avahi should be configured to prevent other stacks from binding to port 5353</description>
9213: <ident system="http://cce.mitre.org">CCE-4193-9</ident>
9214: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9215: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9216: <check-content-ref name="oval:org.fedoraproject.f14:def:20254" href="scap-fedora14-oval.xml"/>
9217: </check>
9218: </Rule>
9219: </Group>
9220: <Group id="group-3.7.2.4" hidden="false">
9221: <title xml:lang="en">Disable Publishing if Possible</title>
9222: <description xml:lang="en">
9223: The default setting in the configuration file allows the
9224: avahi-daemon to send information about the local host, such as its address records and
9225: the services it offers, to the local network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9226: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9227: To stop sending this information but still
9228: allow Avahi to query the network for services, ensure the configuration file includes
9229: the following line in the [publish] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9230: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9231: disable-publishing=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9232: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9233: This line may be
9234: particularly useful if Avahi is needed for printer discovery, but not to advertise
9235: services. This configuration is highly recommended for client systems that should not
9236: advertise their services (or existence).</description>
9237: <Rule id="rule-3.7.2.4.a" selected="false" weight="10.000000">
9238: <title xml:lang="en">Disable Publishing if Possible</title>
9239: <description xml:lang="en">Avahi publishing of local information should be disabled</description>
9240: <ident system="http://cce.mitre.org">CCE-4444-6</ident>
9241: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9242: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9243: <check-content-ref name="oval:org.fedoraproject.f14:def:20255" href="scap-fedora14-oval.xml"/>
9244: </check>
9245: </Rule>
9246: </Group>
9247: <Group id="group-3.7.2.5" hidden="false">
9248: <title xml:lang="en">Restrict Published Information</title>
9249: <description xml:lang="en">
9250: If it is necessary to publish some information to the network,
9251: it should not be joined by any extraneous information, or by information supplied by a
9252: non-trusted source on the system. Prevent user applications from using Avahi to publish
9253: services by adding or correcting the following line in the [publish] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9254: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9255: disable-user-service-publishing=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9256: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9257: Implement as many of the following lines as
9258: possible, to restrict the information published by Avahi: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9259: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9260: publish-addresses=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9261: publish-hinfo=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9262: publish-workstation=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9263: publish-domain=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9264: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9265: Inspect the files in the
9266: directory /etc/avahi/services/. Unless there is an operational need to publish
9267: information about each of these services, delete the corresponding file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9268: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9269: These options
9270: should be used even if publishing is disabled entirely via disable-publishing, since
9271: that option prevents publishing attempts from succeeding, while these options prevent
9272: the attempts from being made in the first place. Using both approaches is recommended
9273: for completeness.</description>
9274: <Rule id="rule-3.7.2.5.a" selected="false" weight="10.000000">
9275: <title xml:lang="en">Restrict disable-user-service-publishing</title>
9276: <description xml:lang="en">Avahi publishing of local information by user applications should be disabled</description>
9277: <ident system="http://cce.mitre.org">CCE-4352-1</ident>
9278: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9279: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9280: <check-content-ref name="oval:org.fedoraproject.f14:def:20256" href="scap-fedora14-oval.xml"/>
9281: </check>
9282: </Rule>
9283: <Rule id="rule-3.7.2.5.b" selected="false" weight="10.000000">
9284: <title xml:lang="en">Restrict publish-addresses</title>
9285: <description xml:lang="en">Avahi publishing of IP addresses should be disabled</description>
9286: <ident system="http://cce.mitre.org">CCE-4433-9</ident>
9287: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9288: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9289: <check-content-ref name="oval:org.fedoraproject.f14:def:20257" href="scap-fedora14-oval.xml"/>
9290: </check>
9291: </Rule>
9292: <Rule id="rule-3.7.2.5.c" selected="false" weight="10.000000">
9293: <title xml:lang="en">Restrict publish-hinfo</title>
9294: <description xml:lang="en">Avahi publishing of hardware information should be disabled</description>
9295: <ident system="http://cce.mitre.org">CCE-4451-1</ident>
9296: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9297: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9298: <check-content-ref name="oval:org.fedoraproject.f14:def:20258" href="scap-fedora14-oval.xml"/>
9299: </check>
9300: </Rule>
9301: <Rule id="rule-3.7.2.5.d" selected="false" weight="10.000000">
9302: <title xml:lang="en">Restrict publish-workstation</title>
9303: <description xml:lang="en">Avahi publishing of workstation name should be disabled</description>
9304: <ident system="http://cce.mitre.org">CCE-4341-4</ident>
9305: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9306: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9307: <check-content-ref name="oval:org.fedoraproject.f14:def:20259" href="scap-fedora14-oval.xml"/>
9308: </check>
9309: </Rule>
9310: <Rule id="rule-3.7.2.5.e" selected="false" weight="10.000000">
9311: <title xml:lang="en">Restrict publish-domain</title>
9312: <description xml:lang="en">Avahi publishing of domain name should be disabled</description>
9313: <ident system="http://cce.mitre.org">CCE-4358-8</ident>
9314: <fixtext xml:lang="en">(1) via /etc/avahi/avahi-daemon.conf</fixtext>
9315: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9316: <check-content-ref name="oval:org.fedoraproject.f14:def:20260" href="scap-fedora14-oval.xml"/>
9317: </check>
9318: </Rule>
9319: </Group>
9320: </Group>
9321: </Group>
9322: <Group id="group-3.8" hidden="false">
9323: <title xml:lang="en">Print Support</title>
9324: <description xml:lang="en">
9325: The Common Unix Printing System (CUPS) service provides both local
9326: and network printing support. A system running the CUPS service can accept print jobs from
9327: other systems, process them, and send them to the appropriate printer. It also provides an
9328: interface for remote administration through a web browser. The CUPS service is installed and
9329: activated by default. The project homepage and more detailed documentation are available at
9330: http://www.cups.org. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9331: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9332: The HP Linux Imaging and Printing service (HPLIP) is a separate package
9333: that provides support for some of the additional features that HP printers provide that CUPS
9334: may not necessarily support. It relies upon the CUPS service.</description>
9335: <Group id="group-3.8.1" hidden="false">
9336: <title xml:lang="en">Disable the CUPS Service if Possible</title>
9337: <description xml:lang="en">
9338: Do you need the ability to print from this machine or to allow
9339: others to print to it? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9340: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9341: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig cups off</xhtml:code></description>
9342: <Rule id="rule-3.8.1.a" selected="false" weight="10.000000" severity="medium">
9343: <title xml:lang="en">Disable the CUPS Service if Possible</title>
9344: <description xml:lang="en">The cups service should be disabled.</description>
9345: <ident system="http://cce.mitre.org">CCE-4112-9</ident>
9346: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
9347: <fix># chkconfig cups off</fix>
9348: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9349: <check-content-ref name="oval:org.fedoraproject.f14:def:20261" href="scap-fedora14-oval.xml"/>
9350: </check>
9351: </Rule>
9352: </Group>
9353: <Group id="group-3.8.2" hidden="false">
9354: <title xml:lang="en">Disable Firewall Access to Printing Service if Possible</title>
9355: <description xml:lang="en">
9356: Does this system need to operate as a network print server? If
9357: not, edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in
9358: use). In each file, locate and delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9359: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9360: -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9361: -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9362: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9363: By
9364: default, inbound connections to the Internet Printing Protocol port are allowed. If the
9365: print server does not need to be accessed, either because the machine is not running the
9366: print service at all or because the machine is not providing a remote network printer to
9367: other machines, this exception should be removed from the firewall configuration. See
9368: Section 2.5.5 for more information about the iptables firewall.</description>
9369: <Value id="var-3.8.2.a" operator="equals" type="string">
9370: <title xml:lang="en">accept UDP over IPv4</title>
9371: <description xml:lang="en">Open firewall to allow UDP over IPv4.</description>
9372: <question xml:lang="en">Enable/Disable UDP over IPv4</question>
9373: <value>disabled</value>
9374: <value selector="enabled">enabled</value>
9375: <value selector="disabled">disabled</value>
9376: <match>enabled|disabled</match>
9377: <choices mustMatch="true">
9378: <choice>enabled</choice>
9379: <choice>disabled</choice>
9380: </choices>
9381: </Value>
9382: <Value id="var-3.8.2.b" operator="equals" type="string">
9383: <title xml:lang="en">accept UDP over IPv6</title>
9384: <description xml:lang="en">Open firewall to allow UDP over IPv6.</description>
9385: <question xml:lang="en">Enable/Disable UDP over IPv6</question>
9386: <value>disabled</value>
9387: <value selector="enabled">enabled</value>
9388: <value selector="disabled">disabled</value>
9389: <match>enabled|disabled</match>
9390: <choices mustMatch="true">
9391: <choice>enabled</choice>
9392: <choice>disabled</choice>
9393: </choices>
9394: </Value>
9395: <Rule id="rule-3.8.2.a" selected="false" weight="10.000000" severity="high">
9396: <title xml:lang="en">Disable Firewall Access to Printing Service over IPv4 if Possible</title>
9397: <description xml:lang="en">Firewall access to printing service should be disabled</description>
9398: <ident system="http://cce.mitre.org">CCE-3649-1</ident>
9399: <fixtext xml:lang="en">(1) via /etc/sysconfig/iptables</fixtext>
9400: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9401: <check-export export-name="oval:org.fedoraproject.f14:var:20262" value-id="var-3.8.2.a"/>
9402: <check-content-ref name="oval:org.fedoraproject.f14:def:20262" href="scap-fedora14-oval.xml"/>
9403: </check>
9404: </Rule>
9405: <Rule id="rule-3.8.2.b" selected="false" weight="10.000000" severity="high">
9406: <title xml:lang="en">Disable Firewall Access to Printing Service over IPv6 if Possible</title>
9407: <description xml:lang="en">Firewall access to printing service should be disabled</description>
9408: <fixtext xml:lang="en">(1) via /etc/sysconfig/ip6tables</fixtext>
9409: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9410: <check-export export-name="oval:org.fedoraproject.f14:var:20263" value-id="var-3.8.2.b"/>
9411: <check-content-ref name="oval:org.fedoraproject.f14:def:20263" href="scap-fedora14-oval.xml"/>
9412: </check>
9413: </Rule>
9414: </Group>
9415: <Group id="group-3.8.3" hidden="false">
9416: <title xml:lang="en">Configure the CUPS Service if Necessary</title>
9417: <description xml:lang="en">
9418: CUPS provides the ability to easily share local printers with
9419: other machines over the network. It does this by allowing machines to share lists of
9420: available printers. Additionally, each machine that runs the CUPS service can potentially
9421: act as a print server. Whenever possible, the printer sharing and print server
9422: capabilities of CUPS should be limited or disabled. The following recommendations should
9423: demonstrate how to do just that.</description>
9424: <Group id="group-3.8.3.1" hidden="false">
9425: <title xml:lang="en">Limit Printer Browsing</title>
9426: <description xml:lang="en">By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing.</description>
9427: <Group id="group-3.8.3.1.1" hidden="false">
9428: <title xml:lang="en">Disable Printer Browsing Entirely if Possible</title>
9429: <description xml:lang="en">
9430: To disable printer browsing entirely, edit the CUPS
9431: configuration file, located at /etc/cups/cupsd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9432: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9433: Browsing Off<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9434: BrowseAllow none <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9435: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9436: The
9437: CUPS print service can be configured to broadcast a list of available printers to the
9438: network. Other machines on the network, also running the CUPS print service, can be
9439: configured to listen to these broadcasts and add and configure these printers for
9440: immediate use. By disabling this browsing capability, the machine will no longer
9441: generate or receive such broadcasts.</description>
9442: <Rule id="rule-3.8.3.1.1.a" selected="false" weight="10.000000">
9443: <title xml:lang="en">Disable Printer Browsing Entirely if Possible</title>
9444: <description xml:lang="en">Remote print browsing should be disabled</description>
9445: <ident system="http://cce.mitre.org">CCE-4420-6</ident>
9446: <fixtext xml:lang="en">(1) via /etc/cups/cupsd.conf</fixtext>
9447: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9448: <check-content-ref name="oval:org.fedoraproject.f14:def:20264" href="scap-fedora14-oval.xml"/>
9449: </check>
9450: </Rule>
9451: <Rule id="rule-3.8.3.1.1.b" selected="false" weight="10.000000">
9452: <title xml:lang="en">Deny CUPS the Ability to Listen for Incoming Printer Information</title>
9453: <description xml:lang="en">CUPS should be denied the ability to listen for incoming printer information</description>
9454: <ident system="http://cce.mitre.org">CCE-4407-3</ident>
9455: <fixtext xml:lang="en">(1) via /etc/cups/cupsd.conf</fixtext>
9456: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9457: <check-content-ref name="oval:org.fedoraproject.f14:def:20265" href="scap-fedora14-oval.xml"/>
9458: </check>
9459: </Rule>
9460: </Group>
9461: <Group id="group-3.8.3.1.2" hidden="false">
9462: <title xml:lang="en">Limit Printer Browsing to a Particular Subnet if Necessary</title>
9463: <description xml:lang="en">
9464: It is possible to disable outgoing printer list broadcasts
9465: without affecting incoming broadcasts from other machines. To do so, open the CUPS
9466: configuration file, located at /etc/cups/cupsd.conf. Look for the line that begins
9467: with BrowseAddress and remove it. The line will look like the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9468: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9469: BrowseAddress @LOCAL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9470: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9471: If the intent is not to block printer sharing, but to limit it to a particular
9472: set of machines, you can limit the UDP printer broadcasts to trusted network
9473: addresses. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9474: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9475: BrowseAddress ip-address:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9476: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9477: Likewise, to ignore incoming UDP printer list
9478: broadcasts, or to limit the set of machines to listen to, use the BrowseAllow and
9479: BrowseDeny directives. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9480: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9481: BrowseDeny all <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9482: BrowseAllow ip-address <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9483: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9484: This combination will
9485: deny incoming broadcasts from any machine except those that are explicitly allowed
9486: with BrowseAllow. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9487: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9488: By default, when printer sharing is enabled, CUPS will broadcast to
9489: every network that its host machine is connected to through all available network
9490: interfaces on port 631. It will also listen to incoming broadcasts from other machines
9491: on the network. Either list one BrowseAddress line for each client machine and one
9492: BrowseAllow line for each print server or use one of the supported shorthand notations
9493: that the CUPS service recognizes. Please see the cupsd.conf(5) man page or the
9494: documentation provided at http://www.cups.org for more information on other ways to
9495: format these directives.</description>
9496: </Group>
9497: </Group>
9498: <Group id="group-3.8.3.2" hidden="false">
9499: <title xml:lang="en">Disable Print Server Capabilities if Possible</title>
9500: <description xml:lang="en">
9501: To prevent remote users from potentially
9502: connecting to and using locally configured printers, disable the CUPS print server
9503: sharing capabilities. To do so, limit how the server will listen for print jobs by
9504: removing the more generic port directive from /etc/cups/cupsd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9505: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9506: Port 631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9507: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9508: and replacing it with the Listen directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9509: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9510: Listen localhost:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9511: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9512: This will prevent remote
9513: users from printing to locally configured printers while still allowing local users on
9514: the machine to print normally. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9515: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9516: By default, locally configured printers will not be
9517: shared over the network, but if this functionality has somehow been enabled, these
9518: recommendations will disable it again. Be sure to disable outgoing printer list
9519: broadcasts, or remote users will still be able to see the locally configured printers,
9520: even if they cannot actually print to them. To limit print serving to a particular set
9521: of users, use the Policy directive.</description>
9522: <warning xml:lang="en">Restricting cupsd to Listen localhost:631 in this manner also
9523: blocks remote access to the Web Administration interface, which is served on the same port; the interface remains reachable only from the local machine. </warning>
9524: </Group>
9525: <Group id="group-3.8.3.3" hidden="false">
9526: <title xml:lang="en">Limit Access to the Web Administration Interface</title>
9527: <description xml:lang="en">
9528: By default, access to the CUPS web administration interface is
9529: limited to the local machine. It is recommended that this not be changed, especially
9530: since the authentication mechanisms that CUPS provides are limited in their
9531: effectiveness. If it is absolutely necessary to allow remote users to administer locally
9532: installed printers, be sure to limit that access as much as possible by taking advantage
9533: of the Location and Policy directive blocks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9534: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9535: For example, to enable
9536: remote access for ip-address for user username, modify each of the Location and Policy
9537: directive blocks as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9538: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9539: &lt;Location /&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9540: AuthType Basic <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9541: Require user username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9542: Order allow,deny <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9543: Allow localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9544: Allow ip-address <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9545: &lt;/Location&gt; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9546: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9547: As with the
9548: BrowseAllow directive, use one Allow directive for each machine that needs access or use
9549: one of the available CUPS directive definition shortcuts to enable access from a class
9550: of machines at once. The Require user directive can take a list of individual users, a
9551: group of users (prefixed with @), or the shorthand valid-user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9552: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9553: Host-based authentication has known limitations,
9554: especially since IP addresses are easy to spoof. Requiring users to authenticate
9555: themselves can alleviate this problem, but it cannot eliminate it. Note also that AuthType Basic sends the password in cleartext unless the connection is encrypted, so remote administration should be confined to trusted networks or required to use TLS (see the Encryption directive in cupsd.conf(5)). Do not use the root
9556: account to manage and administer printers. Create a separate account for this purpose
9557: and limit access to valid users with Require valid-user or Require user printeradmin.
9558: </description>
9559: </Group>
9560: <Group id="group-3.8.3.4" hidden="false">
9561: <title xml:lang="en">Take Further Security Measures When Appropriate</title>
9562: <description xml:lang="en">
9563: Whenever possible, limit outside networks' access to port 631 (TCP for IPP print jobs and the web interface, UDP for CUPS printer browsing) using host or network firewall rules.
9564: Consider using CUPS directives that limit the number of incoming clients, such as
9565: MaxClients or MaxClientsPerHost. Additionally, there are a series of Policy and Location
9566: directives intended to limit which users can perform different printing tasks. When used
9567: together, these may help to mitigate the possibility of a denial of service attack. See
9568: cupsd.conf(5) for a full list of possible directives.</description>
9569: </Group>
9570: </Group>
9571: <Group id="group-3.8.4" hidden="false">
9572: <title xml:lang="en">The HP Linux Imaging and Printing (HPLIP) Toolkit</title>
9573: <description xml:lang="en">
9574: The HPLIP package is an HP printing support utility that is
9575: installed and enabled in a default installation. The HPLIP package is comprised of two
9576: separate components. The first is the main HPLIP service and the second is a smaller
9577: subcomponent called HPIJS. HPLIP is a feature-oriented network service that provides
9578: higher level printing support (such as bi-directional I/O, scanning, photo card, and
9579: toolbox functionality). HPIJS is a lower level basic printing driver that provides basic
9580: support for non-PostScript HP printers.</description>
9581: <Group id="group-3.8.4.1" hidden="false">
9582: <title xml:lang="en">Disable HPLIP Service if Possible</title>
9583: <description xml:lang="en">
9584: Since the HPIJS driver will still function without the added
9585: HPLIP service, HPLIP should be disabled unless the specific higher level functions that
9586: HPLIP provides are needed by a non-PostScript HP printer on the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9587: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9588: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig hplip off <xhtml:br/></xhtml:code>
9589: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9590: Note: If installing the HPLIP package from scratch, it should be noted that
9591: HPIJS can be installed directly without HPLIP. Please see the FAQ at the HPLIP web site
9592: at http://hplip.sourceforge.net/faqs.html for more information on how to do this.</description>
9593: <Rule id="rule-3.8.4.1.a" selected="false" weight="10.000000" severity="low">
9594: <title xml:lang="en">Disable HPLIP Service if Possible</title>
9595: <description xml:lang="en">The hplip service should be disabled.</description>
9596: <ident system="http://cce.mitre.org">CCE-4425-5</ident>
9597: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
9598: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9599: <check-content-ref name="oval:org.fedoraproject.f14:def:20266" href="scap-fedora14-oval.xml"/>
9600: </check>
9601: </Rule>
9602: </Group>
9603: </Group>
9604: </Group>
9605: <Group id="group-3.9" hidden="false">
9606: <title xml:lang="en">DHCP</title>
9607: <description xml:lang="en">
9608: The Dynamic Host Configuration Protocol (DHCP) allows systems to
9609: request and obtain an IP address and many other parameters from a server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9610: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9611: In general, sites
9612: use DHCP either to allow a large pool of mobile or unknown machines to share a limited
9613: number of IP addresses, or to standardize installations by avoiding static, individual IP
9614: address configuration on hosts. It is recommended that sites avoid DHCP as much as possible.
9615: Since DHCP authentication is not well-supported, DHCP clients are open to attacks from rogue
9616: DHCP servers. Such servers can give clients incorrect information (e.g. malicious DNS server
9617: addresses) which could lead to their compromise. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9618: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9619: If a machine must act as a DHCP client or
9620: server, configure it defensively using the guidance in this section. This guide recommends
9621: configuring networking on clients by manually editing the appropriate files under
9622: /etc/sysconfig. It is also possible to use the graphical front-end programs
9623: system-config-network and system-config-network-tui, but these programs rewrite
9624: configuration files from scratch based on their defaults – destroying any manual changes –
9625: and should therefore be used with caution.</description>
9626: <Group id="group-3.9.1" hidden="false">
9627: <title xml:lang="en">Disable DHCP Client if Possible</title>
9628: <description xml:lang="en">
9629: For each interface IFACE on the system (e.g. eth0), edit
9630: /etc/sysconfig/network-scripts/ifcfg-IFACE and make the following changes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9631: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9632: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
9633: <xhtml:li>Correct the BOOTPROTO line to read: <xhtml:br/>
9634: <xhtml:br/>
9635: BOOTPROTO=static
9636: </xhtml:li>
9637: <xhtml:li>Add or correct the following lines,
9638: substituting the appropriate values based on your site's addressing scheme:<xhtml:br/>
9639: <xhtml:br/>
9640: NETMASK=255.255.255.0<xhtml:br/>
9641: IPADDR=192.168.1.2<xhtml:br/>
9642: GATEWAY=192.168.1.1 <xhtml:br/>
9643: </xhtml:li>
9644: </xhtml:ol>
9645: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9646: DHCP is the default network
9647: configuration method provided by the system installer, so it may be enabled on many
9648: systems.</description>
9649: <Value id="var-3.9.1.a" operator="equals" type="string">
9650: <title xml:lang="en">DHCP BOOTPROTO</title>
9651: <description xml:lang="en">If BOOTPROTO is not "static", then the only other item that must be set is the DEVICE item; all the rest will be determined by the boot protocol. No "dummy" entries need to be created.</description>
9652: <question xml:lang="en">Choose DHCP BOOTPROTO</question>
9653: <value>static</value>
9654: <value selector="bootp">bootp</value>
9655: <value selector="dhcp">dhcp</value>
9656: <value selector="static">static</value>
9657: <choices>
9658: <choice>bootp</choice>
9659: <choice>dhcp</choice>
9660: <choice>static</choice>
9661: </choices>
9662: </Value>
9663: <Rule id="rule-3.9.1.a" selected="false" weight="10.000000" severity="low">
9664: <title xml:lang="en">Disable DHCP Client if Possible</title>
9665: <description xml:lang="en">The dhcp client service should be disabled for each interface.</description>
9666: <ident system="http://cce.mitre.org">CCE-4191-3</ident>
9667: <fixtext xml:lang="en">(1) via /etc/sysconfig/network-scripts/ifcfg-eth*</fixtext>
9668: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9669: <check-export export-name="oval:org.fedoraproject.f14:var:20267" value-id="var-3.9.1.a"/>
9670: <check-content-ref name="oval:org.fedoraproject.f14:def:20267" href="scap-fedora14-oval.xml"/>
9671: </check>
9672: </Rule>
9673: </Group>
9674: <Group id="group-3.9.2" hidden="false">
9675: <title xml:lang="en">Configure DHCP Client if necessary</title>
9676: <description xml:lang="en">
9677: If DHCP must be used, then certain configuration changes can
9678: minimize the amount of information it receives and applies from the network, and thus the
9679: amount of incorrect information a rogue DHCP server could successfully distribute. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9680: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9681: For more information on configuring dhclient, see the dhclient(8) and dhclient.conf(5)
9682: man pages.</description>
9683: <Group id="group-3.9.2.1" hidden="false">
9684: <title xml:lang="en">Minimize the DHCP-Configured Options</title>
9685: <description xml:lang="en">
9686: Create the file /etc/dhclient.conf, and add an appropriate
9687: setting for each of the ten configuration settings which can be obtained via DHCP. For
9688: each such setting, do one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9689: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
9690: <xhtml:li>If the setting should not be
9691: configured remotely by the DHCP server, select an appropriate static value, and add the
9692: line: <xhtml:br/>
9693: <xhtml:br/>
9694: supersede setting value ; </xhtml:li>
9695: <xhtml:li>If the setting should be configured remotely by the
9696: DHCP server, add the lines: <xhtml:br/>
9697: <xhtml:br/>
9698: request setting ; <xhtml:br/>
9699: require setting ; </xhtml:li>
9700: </xhtml:ul>
9701: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9702: For example, suppose the
9703: DHCP server should provide only the IP address itself and the subnet mask. Then the
9704: entire file should look like: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9705: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9706: supersede domain-name "example.com"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9707: supersede domain-name-servers 192.168.1.2 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9708: supersede nis-domain ""; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9709: supersede nis-servers "";<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9710: supersede ntp-servers "ntp.example.com"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9711: supersede routers 192.168.1.1 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9712: supersede time-offset -18000 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9713: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9714: request subnet-mask; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9715: require subnet-mask; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9716: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9717: By default, the DHCP
9718: client program, dhclient, requests and applies ten configuration options (in addition to
9719: the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset,
9720: routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and
9721: ntp-servers. Per dhclient.conf(5), an explicit request statement replaces this default list, so in the example above only subnet-mask is requested; a supersede line is still needed for each option that must not be applied if a server sends it unsolicited. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9722: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9723: Many of the options requested and applied by dhclient may be the same for
9724: every system on a network. It is recommended that almost all configuration options be
9725: assigned statically, and only options which must vary on a host-by-host basis be
9726: assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9727: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9728: If
9729: appropriate for your site, it is also possible to supersede the host-name directive in
9730: /etc/dhclient.conf, establishing a static hostname for the machine. However, dhclient
9731: does not use the host name option provided by the DHCP server (instead using the value
9732: provided by a reverse DNS lookup). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9733: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9734: Note: In this example, the options nis-servers and
9735: nis-domain are set to empty strings, on the assumption that the deprecated NIS protocol
9736: is not in use. (See Section 3.2.4.) It is necessary to supersede settings for unused
9737: services so that they cannot be set by a hostile DHCP server. If an option is set to an
9738: empty string, dhclient will typically not attempt to configure the service.</description>
9739: </Group>
9740: </Group>
9741: <Group id="group-3.9.3" hidden="false">
9742: <title xml:lang="en">Disable DHCP Server if possible</title>
9743: <description xml:lang="en">
9744: If the dhcp package has been installed on a machine which does
9745: not need to operate as a DHCP server, disable the daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9746: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9747: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig dhcpd off <xhtml:br/></xhtml:code>
9748: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9749: If possible, remove the software as well: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9750: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9751: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase dhcp <xhtml:br/></xhtml:code>
9752: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9753: The DHCP server dhcpd is not
9754: installed or activated by default. If the software was installed and activated, but the
9755: system does not need to act as a DHCP server, it should be disabled and removed. Unmanaged
9756: DHCP servers will provide faulty information to clients, interfering with the operation of
9757: a legitimate site DHCP server if there is one, or causing misconfigured machines to
9758: exhibit unpredictable behavior if there is not.</description>
9759: <Rule id="rule-3.9.3.a" selected="false" weight="10.000000" severity="low">
9760: <title xml:lang="en">Disable DHCP Server if possible</title>
9761: <description xml:lang="en">The dhcpd service should be disabled.</description>
9762: <ident system="http://cce.mitre.org">CCE-4336-4</ident>
9763: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
9764: <fix># chkconfig dhcpd off</fix>
9765: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9766: <check-content-ref name="oval:org.fedoraproject.f14:def:20268" href="scap-fedora14-oval.xml"/>
9767: </check>
9768: </Rule>
9769: <Rule id="rule-3.9.3.b" selected="false" weight="10.000000">
9770: <title xml:lang="en">Uninstall DHCP Server if possible</title>
9771: <description xml:lang="en">The dhcp package should be uninstalled.</description>
9772: <ident system="http://cce.mitre.org">CCE-4464-4</ident>
9773: <fixtext xml:lang="en">(1) via yum</fixtext>
9774: <fix># yum erase dhcp</fix>
9775: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9776: <check-content-ref name="oval:org.fedoraproject.f14:def:20269" href="scap-fedora14-oval.xml"/>
9777: </check>
9778: </Rule>
9779: </Group>
9780: <Group id="group-3.9.4" hidden="false">
9781: <title xml:lang="en">Configure the DHCP Server if necessary</title>
9782: <description xml:lang="en">
9783: If the system must act as a DHCP server, the configuration
9784: information it serves should be minimized. Also, support for other protocols and
9785: DNS-updating schemes should be explicitly disabled unless needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9786: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9787: The configuration file
9788: for dhcpd is called /etc/dhcpd.conf. The file begins with a number of global configuration
9789: options. The remainder of the file is divided into sections, one for each block of
9790: addresses offered by dhcpd, each of which contains configuration options specific to that
9791: address block.</description>
9792: <Group id="group-3.9.4.1" hidden="false">
9793: <title xml:lang="en">Do Not Use Dynamic DNS</title>
9794: <description xml:lang="en">
9795: To prevent the DHCP server from receiving DNS information from
9796: clients, edit /etc/dhcpd.conf, and add or correct the following global option:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9797: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9798: ddns-update-style none; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9799: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9800: The Dynamic DNS protocol is used to remotely update the data
9801: served by a DNS server. DHCP servers can use Dynamic DNS to publish information about
9802: their clients. This setup carries security risks, and its use is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9803: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9804: If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS
9805: transactions be protected using TSIG or some other cryptographic authentication
9806: mechanism. See Section 3.14 for more information about DNS servers, including further
9807: information about TSIG and Dynamic DNS. Also see dhcpd.conf(5) for more information
9808: about protecting the DHCP server from passing along malicious DNS data from its clients.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9809: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9810: Note: The ddns-update-style option controls only whether the DHCP server will attempt to
9811: act as a Dynamic DNS client. As long as the DNS server itself is correctly configured to
9812: reject unauthenticated DDNS updates, an incorrect ddns-update-style setting on the DHCP server (the DDNS client in this relationship) is harmless
9813: (but should be fixed as a best practice). Do not rely on this alone: verify the DNS server's update policy separately rather than assuming it rejects updates.</description>
9814: <Rule id="rule-3.9.4.1.a" selected="false" weight="10.000000">
9815: <title xml:lang="en">Do Not Use Dynamic DNS</title>
9816: <description xml:lang="en">The dynamic DNS feature of the DHCP server should be disabled</description>
9817: <ident system="http://cce.mitre.org">CCE-4257-2</ident>
9818: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9819: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9820: <check-content-ref name="oval:org.fedoraproject.f14:def:20270" href="scap-fedora14-oval.xml"/>
9821: </check>
9822: </Rule>
9823: </Group>
9824: <Group id="group-3.9.4.2" hidden="false">
9825: <title xml:lang="en">Deny Decline Messages</title>
9826: <description xml:lang="en">
9827: Edit /etc/dhcpd.conf and add or correct the following global
9828: option to prevent the DHCP server from responding to DHCPDECLINE messages, if possible:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9829: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9830: deny declines; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9831: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9832: The DHCPDECLINE message can be sent by a DHCP client to indicate that it
9833: does not consider the lease offered by the server to be valid (typically because the address appears to be in use). Because the server marks each declined address as abandoned and withholds it from the pool, a malicious client that issues many
9834: DHCPDECLINE messages can exhaust the DHCP server's pool of IP
9835: addresses, causing the DHCP server to forget old address allocations and denying addresses to legitimate clients.</description>
9836: <Rule id="rule-3.9.4.2.a" selected="false" weight="10.000000">
9837: <title xml:lang="en">Deny Decline Messages</title>
9838: <description xml:lang="en">DHCPDECLINE messages should be denied by the DHCP server</description>
9839: <ident system="http://cce.mitre.org">CCE-4403-2</ident>
9840: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9841: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9842: <check-content-ref name="oval:org.fedoraproject.f14:def:20271" href="scap-fedora14-oval.xml"/>
9843: </check>
9844: </Rule>
9845: </Group>
9846: <Group id="group-3.9.4.3" hidden="false">
9847: <title xml:lang="en">Deny BOOTP Queries</title>
9848: <description xml:lang="en">
9849: Unless your network needs to support older BOOTP clients,
9850: disable support for the bootp protocol by adding or correcting the global option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9851: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9852: deny bootp; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9853: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9854: The bootp flag (allow bootp / deny bootp) controls whether dhcpd responds to BOOTP queries; BOOTP queries are allowed by default. If support for this
9855: simpler protocol is not needed, it should be disabled to remove attack vectors against
9856: the DHCP server.</description>
9857: <Rule id="rule-3.9.4.3.a" selected="false" weight="10.000000">
9858: <title xml:lang="en">Deny BOOTP Queries</title>
9859: <description xml:lang="en">BOOTP queries should be denied by the DHCP server</description>
9860: <ident system="http://cce.mitre.org">CCE-4345-5</ident>
9861: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9862: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9863: <check-content-ref name="oval:org.fedoraproject.f14:def:20272" href="scap-fedora14-oval.xml"/>
9864: </check>
9865: </Rule>
9866: </Group>
9867: <Group id="group-3.9.4.4" hidden="false">
9868: <title xml:lang="en">Minimize Served Information</title>
9869: <description xml:lang="en">
9870: Edit /etc/dhcpd.conf. Examine each address range section within
9871: the file, and ensure that the following options are not defined unless there is an
9872: operational need to provide this information via DHCP: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9873: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9874: option domain-name <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9875: option domain-name-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9876: option nis-domain <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9877: option nis-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9878: option ntp-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9879: option routers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9880: option time-offset <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9881: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9882: Because the configuration information provided by the DHCP
9883: server could be maliciously provided to clients by a rogue DHCP server, the amount of
9884: information provided via DHCP should be minimized. Remove these definitions from the
9885: DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on
9886: DHCP for this information. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9887: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9888: Note: By default, a Fedora client installation uses DHCP to
9889: request much of the above information from the DHCP server. In particular, domain-name,
9890: domain-name-servers, and routers are configured via DHCP. These settings are typically
9891: necessary for proper network functionality, but are also usually static across machines
9892: at a given site. See Section 3.9.2.1 for a description of how to configure static site
9893: information within the DHCP client configuration.</description>
9894: <Rule id="rule-3.9.4.4.a" selected="false" weight="10.000000">
9895: <title xml:lang="en">DHCP should not send domain-name</title>
9896: <description xml:lang="en">The domain-name option should not be sent by the DHCP server.</description>
9897: <ident system="http://cce.mitre.org">CCE-3724-2</ident>
9898: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9899: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9900: <check-content-ref name="oval:org.fedoraproject.f14:def:20273" href="scap-fedora14-oval.xml"/>
9901: </check>
9902: </Rule>
9903: <Rule id="rule-3.9.4.4.b" selected="false" weight="10.000000">
9904: <title xml:lang="en">DHCP should not send domain-name-servers</title>
9905: <description xml:lang="en">The domain-name-servers option (DNS server addresses) should not be sent by the DHCP server.</description>
9906: <ident system="http://cce.mitre.org">CCE-4243-2</ident>
9907: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9908: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9909: <check-content-ref name="oval:org.fedoraproject.f14:def:20274" href="scap-fedora14-oval.xml"/>
9910: </check>
9911: </Rule>
9912: <Rule id="rule-3.9.4.4.c" selected="false" weight="10.000000">
9913: <title xml:lang="en">DHCP should not send nis-domain</title>
9914: <description xml:lang="en">The nis-domain option should not be sent by the DHCP server.</description>
9915: <ident system="http://cce.mitre.org">CCE-4389-3</ident>
9916: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9917: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9918: <check-content-ref name="oval:org.fedoraproject.f14:def:20275" href="scap-fedora14-oval.xml"/>
9919: </check>
9920: </Rule>
9921: <Rule id="rule-3.9.4.4.d" selected="false" weight="10.000000">
9922: <title xml:lang="en">DHCP should not send nis-servers</title>
9923: <description xml:lang="en">The nis-servers option should not be sent by the DHCP server.</description>
9924: <ident system="http://cce.mitre.org">CCE-3913-1</ident>
9925: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9926: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9927: <check-content-ref name="oval:org.fedoraproject.f14:def:20276" href="scap-fedora14-oval.xml"/>
9928: </check>
9929: </Rule>
9930: <Rule id="rule-3.9.4.4.e" selected="false" weight="10.000000">
9931: <title xml:lang="en">DHCP should not send ntp-servers</title>
9932: <description xml:lang="en">The ntp-servers option should not be sent by the DHCP server.</description>
9933: <ident system="http://cce.mitre.org">CCE-4169-9</ident>
9934: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9935: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9936: <check-content-ref name="oval:org.fedoraproject.f14:def:20277" href="scap-fedora14-oval.xml"/>
9937: </check>
9938: </Rule>
9939: <Rule id="rule-3.9.4.4.f" selected="false" weight="10.000000">
9940: <title xml:lang="en">DHCP should not send routers</title>
9941: <description xml:lang="en">The routers option (default gateway) should not be sent by the DHCP server.</description>
9942: <ident system="http://cce.mitre.org">CCE-4318-2</ident>
9943: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9944: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9945: <check-content-ref name="oval:org.fedoraproject.f14:def:20278" href="scap-fedora14-oval.xml"/>
9946: </check>
9947: </Rule>
9948: <Rule id="rule-3.9.4.4.g" selected="false" weight="10.000000">
9949: <title xml:lang="en">DHCP should not send time-offset</title>
9950: <description xml:lang="en">The time-offset option should not be sent by the DHCP server.</description>
9951: <ident system="http://cce.mitre.org">CCE-4319-0</ident>
9952: <fixtext xml:lang="en">(1) via /etc/dhcpd.conf</fixtext>
9953: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9954: <check-content-ref name="oval:org.fedoraproject.f14:def:20279" href="scap-fedora14-oval.xml"/>
9955: </check>
9956: </Rule>
9957: </Group>
9958: <Group id="group-3.9.4.5" hidden="false">
9959: <title xml:lang="en">Configure Logging</title>
9960: <description xml:lang="en">
9961: Ensure that the following line exists in /etc/syslog.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9962: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9963: daemon.* /var/log/daemon.log <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9964: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9965: Configure logwatch or other log monitoring tools to
9966: summarize error conditions reported by the dhcpd process. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9967: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9968: By default, dhcpd logs notices
9969: to the daemon facility. Sending all daemon messages to a dedicated log file is part of
9970: the syslog configuration outlined in Section 2.6.1.1.</description>
9971: <Rule id="rule-3.9.4.5.a" selected="false" weight="10.000000">
9972: <title xml:lang="en">Configure DHCP Logging</title>
9973: <description xml:lang="en">dhcpd logging should be enabled.</description>
9974: <ident system="http://cce.mitre.org">CCE-3733-3</ident>
9975: <fixtext xml:lang="en">(1) via /etc/syslog.conf</fixtext>
9976: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
9977: <check-content-ref name="oval:org.fedoraproject.f14:def:20280" href="scap-fedora14-oval.xml"/>
9978: </check>
9979: </Rule>
9980: </Group>
9981: <Group id="group-3.9.4.6" hidden="false">
9982: <title xml:lang="en">Further Resources</title>
9983: <description xml:lang="en">* The man pages dhcpd.conf(5) and dhcpd(8) * ISC web page http://isc.org/products/DHCP</description>
9984: </Group>
9985: </Group>
9986: </Group>
9987: <Group id="group-3.10" hidden="false">
9988: <title xml:lang="en">Network Time Protocol</title>
9989: <description xml:lang="en">
9990: The Network Time Protocol is used to manage the system clock over a
9991: network. Computer clocks are not very accurate, so time will drift unpredictably on
9992: unmanaged systems. Central time protocols can be used both to ensure that time is consistent
9993: among a network of machines, and that their time is consistent with the outside world. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9994: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
9995: Local time synchronization is recommended for all networks. If every machine on your network
9996: reliably reports the same time as every other machine, then it is much easier to correlate
9997: log messages in case of an attack. In addition, a number of cryptographic protocols (such as
9998: Kerberos) use timestamps to prevent certain types of attacks. If your network does not have
9999: synchronized time, these protocols may be unreliable or even unusable. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10000: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10001: Depending on the specifics of the network, global time accuracy may be just as important as
10002: local synchronization, or not very important at all. If your network is connected to the
10003: Internet, it is recommended that you make use of a public timeserver, since globally
10004: accurate timestamps may be necessary if you need to investigate or respond to an attack
10005: which originated outside of your network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10006: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10007: Whether or not you use an outside timeserver, configure
10008: the network to have a small number of machines operating as NTP servers, and the remainder
10009: obtaining time information from those internal servers.</description>
10010: <Group id="group-3.10.1" hidden="false">
10011: <title xml:lang="en">Select NTP Software</title>
10012: <description xml:lang="en">
10013: The Network Time Protocol (RFC 1305) is designed to synchronize
10014: time with a very high degree of accuracy even on an unreliable network. NTP is therefore a
10015: complex protocol. The Simple Network Time Protocol (RFC 4330) implements a subset of NTP
10016: which is intended to be good enough to meet the time requirements of most networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10017: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10018: The primary implementation of NTP comes from ntp.org, and is shipped with RHEL5 as the ntp
10019: RPM. An alternative is OpenNTPD, which is an implementation of SNTP, and which can be
10020: obtained as source code from http://www.openntpd.org. OpenNTPD may be simpler to configure
10021: than the reference NTP implementation, at the cost of the need to install and maintain
10022: third-party software. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10023: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10024: This guide does not recommend the use of a particular NTP/SNTP
10025: software package, but does recommend that some NTP software be selected and installed on
10026: all machines. The remainder of this section describes how to securely configure NTP
10027: clients and servers, and discusses both the reference NTP implementation and OpenNTPD.</description>
10028: </Group>
10029: <Group id="group-3.10.2" hidden="false">
10030: <title xml:lang="en">Configure Reference NTP if Appropriate</title>
10031: <description xml:lang="en">The ntp RPM implements the reference NTP server.</description>
10032: <Group id="group-3.10.2.1" hidden="false">
10033: <title xml:lang="en">Configure an NTP Client</title>
10034: <description xml:lang="en">
10035: There are a number of options for configuring clients to work with the reference NTP server. It is possible to run
10036: ntpd as a service (i.e., continuously) on each host, configuring clients so that the ntp protocol ignores all network
10037: access. This still introduces an additional network listener on client machines, and is therefore not recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10038: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10039: This guide instead recommends running ntpd periodically via cron. It is also possible to run ntpdate via cron
10040: with the -u option, but ntpdate is being obsoleted in favor of ntpd.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10041: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10042: Alternately, even if the server is running the reference NTP implementation, it is possible for clients to access it
10043: using SNTP. See Section 3.10.3.2 for information about configuring SNTP clients.</description>
10044: <Group id="group-3.10.2.1.1" hidden="false">
10045: <title xml:lang="en">Set Up Client NTP Configuration File</title>
10046: <description xml:lang="en">
10047: A valid configuration file for the client system’s ntpd must exist at /etc/ntp.conf. Ensure that /etc/ntp.conf
10048: contains the following line, where ntp-server is the hostname or IP address of the site NTP server:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10049: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10050: server ntp-server<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10051: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10052: Note: The ntpd software also includes authentication and encryption support which allows clients to verify the
10053: identity of the server, and thus guarantee the integrity of time data with high probability. See the ntpd documentation
10054: at http://www.ntp.org for more details on implementing this recommended feature.
10055: </description>
10056: </Group>
10057: <Group id="group-3.10.2.1.2" hidden="false">
10058: <title xml:lang="en">Run ntpdate using Cron</title>
10059: <description xml:lang="en">
10060: Create a file /etc/cron.d/ntpd containing the following crontab:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10061: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10062: 15 * * * * root /usr/sbin/ntpd -q -u ntp:ntp<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10063: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10064: The -q option instructs ntpd to exit just after setting the clock, and the -u option instructs it to run as the
10065: specified user.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10066: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10067: Note: When setting the clock for the first time, execute the above command with the -g option, as ntpd
10068: will refuse to set the clock if it is significantly different from the source.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10069: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10070: This crontab will execute ntpd to synchronize the time to the NTP server at 15 minutes past every hour. (It is
10071: possible to choose a different minute, or to vary the minute between machines in order to avoid heavy traffic to
10072: the NTP server.) Hourly synchronization should be sufficiently frequent that clock drift will not be noticeable.</description>
10073: </Group>
10074: </Group>
10075: <Group id="group-3.10.2.2" hidden="false">
10076: <title xml:lang="en">Configure an NTP Server</title>
10077: <description xml:lang="en">
10078: The site’s NTP server contacts a central NTP server, probably either one provided by your ISP or a public time
10079: server, to obtain accurate time data. The server then allows other machines on your network to request the time
10080: data.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10081: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10082: The NTP server configuration file is located at /etc/ntp.conf.</description>
10083: <Group id="group-3.10.2.2.1" hidden="false">
10084: <title xml:lang="en">Enable the NTP Daemon</title>
10085: <description xml:lang="en">
10086: If this machine is an NTP server, ensure that ntpd is enabled
10087: at boot time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10088: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10089: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig ntpd on</xhtml:code></description>
10090: <Rule id="rule-3.10.2.2.1.a" selected="false" weight="10.000000" severity="high">
10091: <title xml:lang="en">Enable the NTP Daemon</title>
10092: <description xml:lang="en">The ntpd service should be enabled.</description>
10093: <ident system="http://cce.mitre.org">CCE-4376-0</ident>
10094: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
10095: <fix># chkconfig ntpd on</fix>
10096: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10097: <check-content-ref name="oval:org.fedoraproject.f14:def:20281" href="scap-fedora14-oval.xml"/>
10098: </check>
10099: </Rule>
10100: </Group>
10101: <Group id="group-3.10.2.2.2" hidden="false">
10102: <title xml:lang="en">Deny All Access to ntpd by Default</title>
10103: <description xml:lang="en">
10104: Edit the file /etc/ntp.conf. Prepend or correct the following
10105: line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10106: restrict default ignore <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10107: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10108: Since ntpd is a complex software package which listens
10109: for network connections and runs as root, it must be protected from network access by
10110: unauthorized machines. This setting uses ntpd's internal authorization to deny all
10111: access to any machine, server or client, which is not specifically authorized by other
10112: policy settings.</description>
10113: <Rule id="rule-3.10.2.2.2.a" selected="false" weight="10.000000">
10114: <title xml:lang="en">Deny All Access to ntpd by Default</title>
10115: <description xml:lang="en">Network access to ntpd should be denied</description>
10116: <ident system="http://cce.mitre.org">CCE-4134-3</ident>
10117: <fixtext xml:lang="en">(1) via /etc/ntp.conf</fixtext>
10118: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10119: <check-content-ref name="oval:org.fedoraproject.f14:def:20282" href="scap-fedora14-oval.xml"/>
10120: </check>
10121: </Rule>
10122: </Group>
10123: <Group id="group-3.10.2.2.3" hidden="false">
10124: <title xml:lang="en">Specify a Remote NTP Server for Time Data</title>
10125: <description xml:lang="en">
10126: Find the IP address, server-ip, of an appropriate remote NTP
10127: server. Edit the file /etc/ntp.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10128: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10129: restrict server-ip mask 255.255.255.255 nomodify notrap noquery <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10130: server server-ip <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10131: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10132: If your site
10133: does not require time data to be accurate, but merely to be synchronized among local
10134: machines, this step can be omitted, and the NTP server will default to providing time
10135: data from the local clock. However, it is a good idea to periodically synchronize the
10136: clock to some source of accurate time, even if it is not appropriate to do so
10137: automatically. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10138: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10139: The previous step disabled all remote access to this NTP server's state
10140: data. This NTP server must contact a remote server to obtain accurate data, so NTP's
10141: configuration must allow that remote data to be used to modify the system clock. The
10142: restrict line changes the default access permissions for that remote server. The
10143: server line specifies the remote server as the preferred NTP server for time data. If
10144: you intend to synchronize to more than one server, specify restrict and server lines
10145: for each server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10146: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10147: Note: It would be possible to specify a hostname, rather than an IP
10148: address, for the server field. However, the restrict setting applies only to network
10149: blocks of IP addresses, so it is considered more maintainable to use the IP address in
10150: both fields.</description>
10151: <Rule id="rule-3.10.2.2.3.a" selected="false" weight="10.000000">
10152: <title xml:lang="en">Specify a Remote NTP Server for Time Data</title>
10153: <description xml:lang="en">A remote NTP Server for time synchronization should be specified</description>
10154: <ident system="http://cce.mitre.org">CCE-4385-1</ident>
10155: <fixtext xml:lang="en">(1) via /etc/ntp.conf</fixtext>
10156: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10157: <check-content-ref name="oval:org.fedoraproject.f14:def:20283" href="scap-fedora14-oval.xml"/>
10158: </check>
10159: </Rule>
10160: </Group>
10161: <Group id="group-3.10.2.2.4" hidden="false">
10162: <title xml:lang="en">Allow Legitimate NTP Clients to Access the Server</title>
10163: <description xml:lang="en">
10164: Determine an appropriate network block, netwk, and network
10165: mask, mask, representing the machines on your network which will synchronize to this
10166: server. Edit /etc/ntp.conf and add the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10167: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10168: restrict netwk mask mask nomodify notrap<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10169: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10170: Edit /etc/sysconfig/iptables. Add the following line, ensuring that it appears before
10171: the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10172: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10173: -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 123 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10174: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10175: If the clients are
10176: spread across more than one netblock, separate restrict and ACCEPT lines should be
10177: added for each netblock. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10178: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10179: The iptables configuration is needed because the default
10180: iptables configuration does not allow inbound access to any services. See Section
10181: 2.5.5 for more information about iptables. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10182: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10183: Note: The reference NTP implementation will
10184: refuse to serve time data to clients until enough time has elapsed that the server
10185: host's time can be assumed to have settled to an accurate value. While testing, wait
10186: ten minutes after starting ntpd before attempting to synchronize clients.</description>
10187: </Group>
10188: </Group>
10189: </Group>
10190: <Group id="group-3.10.3" hidden="false">
10191: <title xml:lang="en">Configure OpenNTPD if Appropriate</title>
10192: <description xml:lang="en">
10193: OpenNTPD is an implementation of the SNTP protocol which is
10194: provided as a simple alternative to the reference NTP server. Advantages of OpenNTPD
10195: include simplicity of configuration, built-in privilege separation and chroot jailing of
10196: the NTP protocol code, and a small codebase which lacks many of the management and other
10197: protocol features used by the reference NTP server. This simplicity comes at the cost of
10198: degraded time accuracy, but SNTP is probably accurate enough for most sites with typical
10199: monitoring requirements.</description>
10200: <Group id="group-3.10.3.1" hidden="false">
10201: <title xml:lang="en">Obtain NTP Software</title>
10202: <description xml:lang="en">
10203: If your site intends to use the OpenNTPD implementation, it is
10204: necessary to compile and install the software. (If your site intends to use the
10205: reference NTP implementation, no installation is necessary.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10206: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
10207: <xhtml:li>Obtain the software by
10208: downloading an appropriate source version, openntpd-version.tar.gz, from
10209: http://www.openntpd.org/portable.html. </xhtml:li>
10210: <xhtml:li>Unpack the source code: <xhtml:br/>
10211: <xhtml:br/>
10212: <xhtml:code>$ tar xzf openntpd-version.tar.gz</xhtml:code> </xhtml:li>
10213: <xhtml:li>Configure and compile the source. (By default, the code will
10214: be compiled for installation into /usr/local): <xhtml:br/>
10215: <xhtml:br/>
10216: <xhtml:code>$ cd openntpd-version <xhtml:br/>
10217: $ ./configure --with-privsep-user=ntp <xhtml:br/>
10218: $ make </xhtml:code></xhtml:li>
10219: <xhtml:li>As root, install the resulting program into
10220: /usr/local: <xhtml:br/>
10221: <xhtml:br/>
10222: <xhtml:code># make install </xhtml:code></xhtml:li>
10223: </xhtml:ol>
10224: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10225: The configuration option --with-privsep-user=ntp tells
10226: OpenNTPD to use the existing system account ntp for the non-root portion of its
10227: operation.</description>
10228: <Rule id="rule-3.10.3.1.a" selected="false" weight="10.000000">
10229: <title xml:lang="en">Obtain NTP Software</title>
10230: <description xml:lang="en">OpenNTPD should be installed</description>
10231: <ident system="http://cce.mitre.org">CCE-4032-9</ident>
10232: <fixtext xml:lang="en">(1) via openntpd package</fixtext>
10233: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10234: <check-content-ref name="oval:org.fedoraproject.f14:def:20284" href="scap-fedora14-oval.xml"/>
10235: </check>
10236: </Rule>
10237: </Group>
10238: <Group id="group-3.10.3.2" hidden="false">
10239: <title xml:lang="en">Configure an SNTP Client</title>
10240: <description xml:lang="en">
10241: OpenNTPD runs only in daemon mode — there is no command line
10242: suitable to be run from cron. However, this is considered reasonably safe for client use
10243: because the daemon does not listen on any network ports by default, and because OpenNTPD
10244: is a small codebase with no remote management interface or other complex features.
10245: However, it is possible to run a time-stepping program, such as rdate(1), from cron
10246: instead of configuring the daemon as outlined in this section.</description>
10247: <Group id="group-3.10.3.2.1" hidden="false">
10248: <title xml:lang="en">Enable the NTP Daemon</title>
10249: <description xml:lang="en">Edit the file /etc/rc.local. Add or correct the following line: /usr/local/sbin/ntpd -s</description>
10250: <Rule id="rule-3.10.3.2.1.a" selected="false" weight="10.000000" severity="high">
10251: <title xml:lang="en">Enable the NTP Daemon</title>
10252: <description xml:lang="en">The ntp daemon should be enabled</description>
10253: <ident system="http://cce.mitre.org">CCE-4424-8</ident>
10254: <fixtext xml:lang="en">(1) via /etc/rc.local</fixtext>
10255: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10256: <check-content-ref name="oval:org.fedoraproject.f14:def:20285" href="scap-fedora14-oval.xml"/>
10257: </check>
10258: </Rule>
10259: </Group>
10260: <Group id="group-3.10.3.2.2" hidden="false">
10261: <title xml:lang="en">Configure the Client NTP Daemon to Use the Local Server</title>
10262: <description xml:lang="en">
10263: Edit the file /usr/local/etc/ntpd.conf. Add or correct the
10264: following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10265: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10266: server local-server.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10267: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10268: where local-server.example.com is the
10269: hostname of the site's local NTP or SNTP server.</description>
10270: <Rule id="rule-3.10.3.2.2.a" selected="false" weight="10.000000" severity="high">
10271: <title xml:lang="en">Configure the Client NTP Daemon to Use the Local Server</title>
10272: <description xml:lang="en">The ntp daemon synchronization server should be set appropriately</description>
10273: <ident system="http://cce.mitre.org">CCE-3487-6</ident>
10274: <fixtext xml:lang="en">(1) via /usr/local/etc/ntpd.conf</fixtext>
10275: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10276: <check-content-ref name="oval:org.fedoraproject.f14:def:20286" href="scap-fedora14-oval.xml"/>
10277: </check>
10278: </Rule>
10279: </Group>
10280: </Group>
10281: <Group id="group-3.10.3.3" hidden="false">
10282: <title xml:lang="en">Configure an SNTP Server</title>
10283: <description xml:lang="en">The SNTP server obtains time data from a remote server, and then listens on a network interface for time queries from local machines.</description>
10284: <Group id="group-3.10.3.3.1" hidden="false">
10285: <title xml:lang="en">Enable the NTP Daemon</title>
10286: <description xml:lang="en">
10287: Edit the file /etc/rc.local. Add or correct the following
10288: line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10289: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10290: /usr/local/sbin/ntpd -s <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10291: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10292: Since OpenNTPD is third-party software, it does not have
10293: a standard startup script, so the daemon is started at boot using the local facility.</description>
10294: </Group>
10295: <Group id="group-3.10.3.3.2" hidden="false">
10296: <title xml:lang="en">Listen for Client Connections</title>
10297: <description xml:lang="en">
10298: Edit the file /usr/local/etc/ntpd.conf. Add or correct the
10299: following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10300: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10301: listen on ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10302: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10303: where ipaddr is the primary IP address of this server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10304: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10305: By default, ntpd does not listen for any connections over a network. Listening
10306: must be actively enabled on NTP servers so that clients may obtain time data.</description>
10307: </Group>
10308: <Group id="group-3.10.3.3.3" hidden="false">
10309: <title xml:lang="en">Allow Legitimate NTP Clients to Access the Server</title>
10310: <description xml:lang="en">
10311: Determine an appropriate network block, netwk, and network
10312: mask, mask, representing the machines on your network which will synchronize to this
10313: server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10314: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10315: Edit /etc/sysconfig/iptables. Add the following line, ensuring that it appears
10316: before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10317: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10318: -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 123 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10319: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10320: The iptables configuration is needed because the default iptables configuration does
10321: not allow inbound access to any services. See Section 2.5.5 for more information about
10322: iptables.</description>
10323: </Group>
10324: <Group id="group-3.10.3.3.4" hidden="false">
10325: <title xml:lang="en">Specify a Remote NTP Server for Time Data</title>
10326: <description xml:lang="en">
10327: Find the hostname, server-host, of an appropriate remote NTP
10328: server. Edit the file /usr/local/etc/ntpd.conf, and add or correct the following
10329: line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10330: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10331: server server-host <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10332: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10333: This setting configures ntpd to obtain time data from the
10334: remote host. To use multiple time servers, add one line for each server.</description>
10335: </Group>
10336: </Group>
10337: </Group>
10338: </Group>
10339: <Group id="group-3.11" hidden="false">
10340: <title xml:lang="en">Mail Transfer Agent</title>
10341: <description xml:lang="en">
10342: Mail servers are used to send and receive mail over a network on
10343: behalf of site users. Mail is a very common service, and MTAs are frequent targets of
10344: network attack. Ensure that machines are not running MTAs unnecessarily, and configure
10345: needed MTAs as defensively as possible.</description>
10346: <Rule id="rule-3.11.a" selected="false" weight="10.000000" severity="low">
10347: <title xml:lang="en">Mail Transfer Agent</title>
10348: <description xml:lang="en">The sendmail service should be disabled.</description>
10349: <ident system="http://cce.mitre.org">CCE-4416-4</ident>
10350: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
10351: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10352: <check-content-ref name="oval:org.fedoraproject.f14:def:20287" href="scap-fedora14-oval.xml"/>
10353: </check>
10354: </Rule>
10355: <Group id="group-3.11.1" hidden="false">
10356: <title xml:lang="en">Select Mail Server Software and Configuration</title>
10357: <description xml:lang="en">
10358: Select one of the following options for configuring e-mail on the
10359: machine: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10360: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10361: <xhtml:li>If this machine does not need to operate as a mail server, follow the
10362: instructions in Section 3.11.2 to run sendmail in submission-only mode.</xhtml:li>
10363: <xhtml:li>If the machine
10364: must operate as a mail server, read the strategies for MTA configuration in Section 3.11.3
10365: for information about configuration options. Then apply both the MTA-independent operating
10366: system configuration guidance in Section 3.11.4, and the specific guidance for your MTA:
10367: <xhtml:ul>
10368: <xhtml:li>If the Sendmail MTA is preferred, see Section 3.11.5. </xhtml:li>
10369: <xhtml:li>If the Postfix MTA is preferred, see Section 3.11.6. </xhtml:li>
10370: <xhtml:li>If another MTA is preferred, use that MTA's documentation to
10371: implement the ideas in Section 3.11.3. </xhtml:li>
10372: </xhtml:ul>
10373: </xhtml:li>
10374: </xhtml:ul>
10375: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10376: It is recommended that very few machines at any
10377: site be configured to receive mail over a network. However, it may be necessary for most
10378: machines at a given site to send e-mail, for instance so that cron jobs can report output
10379: to an administrator. Sendmail supports a submission-only mode in which mail can be sent
10380: from the machine to a central site MTA, but the machine cannot receive mail over a
10381: network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10382: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10383: If a Mail Transfer Agent (MTA) is needed, the system default is Sendmail.
10384: Postfix, a popular alternative written with security in mind, is also available. Postfix
10385: can be more effectively contained by SELinux as its modular design has resulted in
10386: separate processes performing specific actions. More information on these MTAs is
10387: available from their respective websites, http://www.sendmail.org and
10388: http://www.postfix.org.</description>
10389: <reference href="">Hildebrandt, R., and Koetter, P. The Book of Postfix. No Starch Press, 2005</reference>
10390: </Group>
10391: <Group id="group-3.11.2" hidden="false">
10392: <title xml:lang="en">Configure SMTP For Mail Client</title>
10393: <description xml:lang="en">
10394: This guide discusses the use of Sendmail for submission-only
10395: e-mail configuration. It is also possible to use Postfix.</description>
10396: <reference href="">Hunt, C. Sendmail Cookbook. O’Reilly and Associates, 2003</reference>
10397: <Group id="group-3.11.2.1" hidden="false">
10398: <title xml:lang="en">Disable the Listening Sendmail Daemon</title>
10399: <description xml:lang="en">
10400: Edit the file /etc/sysconfig/sendmail. Add or modify the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10401: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10402: DAEMON=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10403: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10404: The MTA performs two functions: listening over a network for incoming SMTP
10405: e-mail requests, and sending mail from the local machine. Since outbound mail may be
10406: delayed due to network outages or other problems, the outbound MTA runs in a queue-only
10407: mode, in which it periodically attempts to resend any delayed mail. Setting DAEMON=no
10408: tells sendmail to execute only the queue runner on this machine, and never to receive
10409: SMTP mail requests.</description>
10410: <Rule id="rule-3.11.2.1.a" selected="false" weight="10.000000">
10411: <title xml:lang="en">Disable the Listening Sendmail Daemon</title>
10412: <description xml:lang="en">The listening sendmail daemon should be disabled.</description>
10413: <ident system="http://cce.mitre.org">CCE-4293-7</ident>
10414: <fixtext xml:lang="en">(1) via /etc/sysconfig/sendmail</fixtext>
10415: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
10416: <check-content-ref name="oval:org.fedoraproject.f14:def:20288" href="scap-fedora14-oval.xml"/>
10417: </check>
10418: </Rule>
10419: </Group>
10420: <Group id="group-3.11.2.2" hidden="false">
10421: <title xml:lang="en">Configure Mail Submission if Appropriate</title>
10422: <description xml:lang="en">
10423: If it is appropriate to configure mail submission with a
10424: central MTA, edit /etc/mail/submit.cf. Locate the line beginning with D{MTAHost}, and
10425: modify it to read: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10426: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10427: D{MTAHost}mailserver <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10428: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10429: where mailserver is the hostname of the server
10430: to which this machine should forward its outgoing mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10431: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10432: This suggestion is provided as a
10433: simple way to migrate away from a configuration in which each machine at a site runs its
10434: own MTA, to a configuration in which client machines do not run listening daemons. If
10435: this modification is made to /etc/mail/submit.cf, then, when a local process on a
10436: machine attempts to send mail, the message will be forwarded to the machine mailserver
10437: for processing. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10438: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10439: Modifying /etc/mail/submit.cf directly is only appropriate if your site
10440: does not perform any other mailserver customization on clients. If other customization
10441: is done, use your usual Sendmail change procedure to define the MTA host. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10442: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10443: Note: In
10444: addition to making this change on the client, it may also be necessary to reconfigure
10445: the MTA on mailserver so that it will relay mail on behalf of this host.</description>
10446: </Group>
10447: </Group>
10448: <Group id="group-3.11.3" hidden="false">
10449: <title xml:lang="en">Strategies for MTA Security</title>
10450: <description xml:lang="en">
10451: This section discusses several types of MTA configuration which
10452: should be performed in order to protect against attacks involving the mail system. Though
10453: configuration syntax will differ depending on which MTA is in use (see Section 3.11.5 for
10454: Sendmail configuration syntax and Section 3.11.6 for Postfix), these strategies are
10455: generally advisable for any MTA, including ones not covered by this guide.</description>
10456: <Group id="group-3.11.3.1" hidden="false">
10457: <title xml:lang="en">Use Resource Limits to Mitigate Denial of Service</title>
10458: <description xml:lang="en">
10459: It is often desirable to constrain an attacker's ability to
10460: consume a mail server's resources simply by sending otherwise valid mail at a high rate,
10461: whether maliciously or accidentally. Relevant resource limits include constraints on:
10462: the number of MTA daemons which may run at one time, the rate at
10463: which incoming messages may be received, the size and complexity of each message, or the
10464: amount of mail queue space which must remain free in order for mail to be delivered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10465: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10466: That last parameter deserves additional explanation. Most MTAs require queue space for
10467: temporary files in order to process existing messages in their queues. Therefore, if the
10468: queue filesystem is allowed to fill completely in a denial of service, the MTA will not
10469: be able to clear its own queue even when the malicious traffic has stopped. This will
10470: delay recovery from an attack.</description>
10471: </Group>
10472: <Group id="group-3.11.3.2" hidden="false">
10473: <title xml:lang="en">Configure SMTP Greeting Banner</title>
10474: <description xml:lang="en">
10475: When remote mail senders connect to the MTA on port 25, they
10476: are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary,
10477: but it frequently gives away too much information, including the MTA software which is
10478: in use, and sometimes also its version number. Remote mail senders do not need this
10479: information in order to send mail, so the banner should be changed to reveal only the
10480: hostname (which is already known and may be useful) and the word ESMTP, to indicate that
10481: the modern SMTP protocol variant is supported.</description>
10482: </Group>
10483: <Group id="group-3.11.3.3" hidden="false">
10484: <title xml:lang="en">Control Mail Relaying</title>
10485: <description xml:lang="en">
10486: The sending of Unsolicited Bulk E-mail, referred to variously
10487: as UBE, UCE, or spam, is a major problem on the Internet today. The security
10488: implications of spam are that it operates as a Denial of Service attack on legitimate
10489: e-mail use. Strategies for fighting spam receipt at your site are complex and quickly
10490: evolving, and thus far beyond the scope of this guide. The problem of relaying
10491: unauthorized e-mail, however, can and should be addressed by any network-connected site.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10492: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10493: Most MTAs perform two functions: to accept mail from remote sites on behalf of local
10494: users, and to allow local users to send mail to remote sites. The former function is
10495: relatively easy — mail whose recipient address is local can be assumed to be destined
10496: for a local user. The latter function is more complex. Since it is typically considered
10497: neither secure nor desirable for users to log in to the MTA host itself to send mail,
10498: the MTA must be able to remotely accept mail addressed to anyone from the user's
10499: workstation. If the MTA is running very old software or is configured poorly, it can be
10500: possible for attackers to take advantage of this feature, using your MTA to relay their
10501: spam from one remote site to another. This is undesirable for many reasons, not least
10502: that your site will quickly be blacklisted as a spam source, leaving you unable to send
10503: legitimate e-mail to your correspondents. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10504: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10505: The simplest solution described in this guide
10506: is to configure the MTA to relay mail only from the local site's address range, and some
10507: variant on this is the default for most modern MTAs. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10508: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10509: That solution may be insufficient
10510: for sites whose users need to send mail from remote machines, for instance while
10511: travelling, as well as for sites where mail submission must be accepted from network
10512: ranges which are not considered secure, either because authorized machines are unmanaged
10513: or because it is possible to connect unauthorized machines to the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10514: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10515: If remote or
10516: mobile hosts are authorized to relay, or if local clients exist in insecure netblocks,
10517: the SMTP AUTH protocol should be used to require mail senders to authenticate before
10518: submitting messages. For better protection and to allow support for a wide range of
10519: authentication mechanisms without sending passwords over a network in clear text, SMTP
10520: AUTH transactions should be encrypted using SSL. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10521: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10522: Another approach is to require mail to
10523: be submitted on port 587, the designated Message Submission Port. Use of a separate port
10524: allows the mail relay function to be entirely separated from the mail delivery function.
10525: This may become a best practice in the future, but description of how to configure the
10526: Message Submission Port is currently beyond the scope of this guide. See RFC 2476 for
10527: information about this configuration.</description>
10528: </Group>
10529: </Group>
10530: <Group id="group-3.11.4" hidden="false">
10531: <title xml:lang="en">Configure Operating System to Protect Mail Server</title>
10532: <description xml:lang="en">
10533: The guidance in this section is appropriate for any host which is
10534: operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some
10535: other software.</description>
10536: <Group id="group-3.11.4.1" hidden="false">
10537: <title xml:lang="en">Use Separate Hosts for External and Internal Mail if Possible</title>
10538: <description xml:lang="en">
10539: The mail server is a frequent target of network attack from the
10540: outside. However, since all site users receive mail, the mail server must be open to
10541: some connection from each inside user. It is strongly recommended that these functions
10542: be separated, by having an externally visible mail server which processes all incoming
10543: and outgoing mail, then forwards internal mail to a separate machine from which users
10544: can access it.</description>
10545: </Group>
10546: <Group id="group-3.11.4.2" hidden="false">
10547: <title xml:lang="en">Protect the MTA Host from User Access</title>
10548: <description xml:lang="en">
10549: The mail server contains privileged data belonging to all users
10550: and performs a vital network function. Preventing users from logging into this server is
10551: a precaution against privilege escalation or denial of service attacks which might
10552: compromise the mail service. Take steps to ensure that only system administrators are
10553: allowed shell access to the MTA host.</description>
10554: </Group>
10555: <Group id="group-3.11.4.3" hidden="false">
10556: <title xml:lang="en">Restrict Remote Access to the Mail Spool</title>
10557: <description xml:lang="en">
10558: If users directly connect to this machine to receive mail,
10559: ensure that there is a single, well-secured mechanism for access to the directory
10560: /var/spool/mail (the directory /var/mail is a symlink to this). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10561: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10562: Allowing unrestricted
10563: access to /var/spool/mail can be dangerous, since this directory contains sensitive
10564: information belonging to all users. Protocols such as NFS, which have an insecure
10565: authorization mechanism by default, should be considered insufficient for these
10566: purposes. See Section 3.17 for details on secure configuration of POP3 or IMAP, which
10567: are the preferred ways to provide user access to mail.</description>
10568: </Group>
10569: <Group id="group-3.11.4.4" hidden="false">
10570: <title xml:lang="en">Configure iptables to Allow Access to the Mail Server</title>
10571: <description xml:lang="en">
10572: Edit /etc/sysconfig/iptables. Add the following line, ensuring
10573: that it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10574: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10575: -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10576: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10577: The default
10578: Iptables configuration does not allow inbound access to the SMTP service. This
10579: modification allows that access, while keeping other ports on the server in their
10580: default protected state. See Section 2.5.5 for more information about Iptables.</description>
10581: </Group>
10582: <Group id="group-3.11.4.5" hidden="false">
10583: <title xml:lang="en">Verify System Logging and Log Permissions for Mail</title>
10584: <description xml:lang="en">
10585: Edit the file /etc/syslog.conf. Add or correct the following
10586: line if necessary (this is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10587: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10588: mail.* -/var/log/maillog <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10589: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10590: Run the following commands to ensure correct permissions on the mail log: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10591: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10592: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /var/log/maillog <xhtml:br/>
10593: # chmod 600 /var/log/maillog <xhtml:br/></xhtml:code>
10594: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10595: The mail server logs contain a record of
10596: every e-mail which is sent or received on the system, which is considered sensitive
10597: information by most sites. It is necessary that these logs be collected for purposes of
10598: debugging and statistics, but their contents should be protected from unauthorized
10599: access.</description>
10600: </Group>
10601: <Group id="group-3.11.4.6" hidden="false">
10602: <title xml:lang="en">Configure SSL Certificates for Use with SMTP AUTH</title>
10603: <description xml:lang="en">
10604: If SMTP AUTH is to be used (see Section 3.11.3.3 for a
10605: description of possible anti-relaying mechanisms), the use of SSL to protect credentials
10606: in transit is strongly recommended. There are also configurations for which it may be
10607: desirable to encrypt all mail in transit from one MTA to another, though such
10608: configurations are beyond the scope of this guide. In either event, the steps for
10609: creating and installing an SSL certificate are independent of the MTA in use, and are
10610: described here.</description>
10611: <Group id="group-3.11.4.6.1" hidden="false">
10612: <title xml:lang="en">Create an SSL Certificate</title>
10613: <description xml:lang="en">
10614: Note: This step must be performed on your CA system, not on
10615: the MTA host itself. If you will have a commercial CA sign certificates, then this
10616: step should be performed on a separate, physically secure system devoted to that
10617: purpose. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10618: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10619: Change into the CA certificate directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10620: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10621: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/></xhtml:code>
10622: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10623: Generate a key pair for the mail server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10624: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10625: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl genrsa -out mailserverkey.pem 2048 <xhtml:br/></xhtml:code>
10626: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10627: Next,
10628: generate a certificate signing request (CSR) for the CA to sign, making sure to supply
10629: your mail server's fully qualified domain name as the Common Name: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10630: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10631: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key mailserverkey.pem -out mailserver.csr <xhtml:br/></xhtml:code>
10632: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10633: Next, the mail server CSR must be signed to
10634: create the mail server certificate. You can either send the CSR to an established CA
10635: or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10636: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10637: To sign mailserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10638: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10639: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in mailserver.csr -out mailservercert.pem <xhtml:br/></xhtml:code>
10640: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10641: These steps create a private key,
10642: mailserverkey.pem, and a public certificate, mailservercert.pem. The mail server will
10643: use these to prove its identity by demonstrating that it has a certificate which has
10644: been signed by a CA. Mail clients at your site should be willing to send their mail
10645: only to a server they can authenticate.</description>
10646: </Group>
10647: <Group id="group-3.11.4.6.2" hidden="false">
10648: <title xml:lang="en">Install the SSL Certificate</title>
10649: <description xml:lang="en">
10650: Create the PKI directory for mail certificates, if it does
10651: not already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10652: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10653: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/mail <xhtml:br/>
10654: # chown root:root /etc/pki/tls/mail <xhtml:br/>
10655: # chmod 755 /etc/pki/tls/mail <xhtml:br/></xhtml:code>
10656: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10657: Using removable media or some other secure transmission
10658: format, install the files generated in the previous step onto the mail server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10659: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10660: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10661: <xhtml:li>/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem</xhtml:li>
10662: <xhtml:li>/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</xhtml:li>
10663: </xhtml:ul>
10664: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10665: Verify the ownership and permissions of these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10666: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10667: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/mail/serverkey.pem <xhtml:br/>
10668: # chown root:root /etc/pki/tls/mail/servercert.pem <xhtml:br/>
10669: # chmod 600 /etc/pki/tls/mail/serverkey.pem <xhtml:br/>
10670: # chmod 644 /etc/pki/tls/mail/servercert.pem<xhtml:br/></xhtml:code>
10671: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10672: Verify that the CA's public certificate file has been installed as
10673: /etc/pki/tls/CA/cacert.pem, and has the correct permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10674: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10675: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/>
10676: # chmod 644 /etc/pki/tls/CA/cacert.pem</xhtml:code></description>
10677: </Group>
10678: </Group>
10679: </Group>
10680: <Group id="group-3.11.5" hidden="false">
10681: <title xml:lang="en">Configure Sendmail Server if Necessary</title>
10682: <description xml:lang="en">
10683: When sendmail is configured to act as a server for incoming mail,
10684: it listens on port 25 for connections, and responds to those connections using the
10685: configuration in /etc/mail/sendmail.cf. This file has a somewhat opaque format, and
10686: modifying it directly is generally not recommended. Instead, the following procedure
10687: should be used to modify the sendmail configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10688: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10689: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
10690: <xhtml:li>Install the sendmail-cf RPM, which
10691: is required in order to compile a new configuration file: <xhtml:br/>
10692: <xhtml:br/>
10693: <xhtml:code># yum install sendmail-cf<xhtml:br/></xhtml:code></xhtml:li>
10694: <xhtml:li>Edit the M4 source file /etc/mail/sendmail.mc as directed by the configuration step you
10695: are applying. </xhtml:li>
10696: <xhtml:li>Inside the directory /etc/mail/, use make to build the configuration
10697: according to the Makefile provided by Sendmail: <xhtml:br/>
10698: <xhtml:br/>
10699: <xhtml:code># cd /etc/mail <xhtml:br/>
10700: # make sendmail.cf</xhtml:code></xhtml:li>
10701: </xhtml:ol></description>
10702: <Group id="group-3.11.5.1" hidden="false">
10703: <title xml:lang="en">Limit Denial of Service Attacks</title>
10704: <description xml:lang="en">
10705: Edit /etc/mail/sendmail.mc, and add or correct the following
10706: options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10707: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10708: define(`confMAX_DAEMON_CHILDREN',`40')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10709: define(`confCONNECTION_RATE_THROTTLE', `3 ')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10710: define(`confMIN_FREE_BLOCKS',`20971520')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10711: define(`confMAX_HEADERS_LENGTH',`51200')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10712: define(`confMAX_MESSAGE_SIZE',`10485760')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10713: define(`confMAX_RCPTS_PER_MESSAGE',`100')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10714: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10715: Note: The values given here are examples, and may need to be modified for any
10716: particular site, especially one with high e-mail volume. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10717: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10718: These configuration options
10719: serve to make it more difficult for attackers to consume resources on the MTA host. (See
10720: Section 3.11.3.1 for details on why this is done.) The MAX_DAEMON_CHILDREN option limits
10721: the number of sendmail processes which may be deployed to handle incoming connections at
10722: any one time, while CONNECTION_RATE_THROTTLE limits the number of connections per second
10723: which each listener may receive. The MIN_FREE_BLOCKS option stops e-mail receipt when
10724: the queue filesystem is close to full. The MAX_HEADERS_LENGTH (bytes), MAX_MESSAGE_SIZE
10725: (bytes), and MAX_RCPTS_PER_MESSAGE (distinct recipients) options place bounds on the
10726: legal sizes of messages received via SMTP.</description>
10727: </Group>
10728: <Group id="group-3.11.5.2" hidden="false">
10729: <title xml:lang="en">Configure SMTP Greeting Banner</title>
10730: <description xml:lang="en">
10731: Edit /etc/mail/sendmail.mc, and add or correct the following
10732: line, substituting an appropriate greeting string for $j : <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10733: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10734: define(`confSMTP_LOGIN_MSG', `$j ')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10735: and recompile sendmail's configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10736: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10737: The default greeting banner discloses
10738: that the listening mail process is Sendmail rather than some other MTA, and also
10739: provides the version number. See Section 2.3.7 for more about warning banners, and
10740: Section 3.11.3.2 for strategies regarding SMTP greeting banners in particular. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10741: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10742: The Sendmail variable $j contains the hostname of the mail server, which may be an
10743: appropriate greeting string for most environments.</description>
10744: </Group>
10745: <Group id="group-3.11.5.3" hidden="false">
10746: <title xml:lang="en">Control Mail Relaying</title>
10747: <description xml:lang="en">
10748: This guide will discuss two mechanisms for controlling mail
10749: relaying in Sendmail. The /etc/mail/relay-domains file contains a list of hostnames that
10750: are allowed to relay mail. Follow the guidance in Section 3.11.5.3.1 to configure
10751: relaying for trusted machines. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10752: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10753: If there are machines which must be allowed to relay
10754: mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with TLS
10755: support using the guidance in Sections 3.11.5.3.2 and following.</description>
10756: <Group id="group-3.11.5.3.1" hidden="false">
10757: <title xml:lang="en">Configure Trusted Networks and Hosts</title>
10758: <description xml:lang="en">
10759: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10760: <xhtml:li>If all machines which share a common domain or subdomain
10761: name may relay, then edit /etc/mail/relay-domains, adding a line for each domain or
10762: subdomain, e.g.: <xhtml:br/>
10763: <xhtml:br/>
10764: example.com <xhtml:br/>
10765: trusted-subnet.school.edu <xhtml:br/>
10766: ... </xhtml:li>
10767: <xhtml:li>If the machines which are
10768: allowed to relay must be specified on a per-host basis, then edit
10769: /etc/mail/relay-domains, adding a line for each such host: <xhtml:br/>
10770: <xhtml:br/>
10771: host1.example.com<xhtml:br/>
10772: host5.subnet.example.com <xhtml:br/>
10773: smtp.trusted-subnet.school.edu <xhtml:br/>
10774: <xhtml:br/>
10775: Then edit /etc/mail/sendmail.mc, add or correct the line: <xhtml:br/>
10776: <xhtml:br/>
10777: FEATURE(`relay_hosts_only')dnl <xhtml:br/>
10778: <xhtml:br/>
10779: and recompile sendmail's configuration. </xhtml:li>
10780: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10781: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10782: The file /etc/mail/relay-domains must contain only
10783: the set of machines for which this MTA should unconditionally relay mail. This
10784: configures both inbound and outbound relaying, that is, hosts mentioned in
10785: relay-domains may send mail through the MTA, and the MTA will also accept inbound mail
10786: addressed to such hosts. This is a trust relationship — if spammers gain access to
10787: these machines, your site will effectively become an open relay. It is recommended
10788: that only machines which are managed by you or by another trusted organization be
10789: placed in relay-domains, and that users of all other machines be required to use SMTP
10790: AUTH to send mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10791: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10792: Note: The relay-domains file must be configured to contain either a
10793: list of domains (in which case every host in each of those domains will be allowed to
10794: relay) or a list of hosts (in which case each individual relaying host must be listed
10795: and the sendmail.cf must be reconfigured to interpret the relay-domains file in the
10796: desired way).</description>
10797: </Group>
10798: <Group id="group-3.11.5.3.2" hidden="false">
10799: <title xml:lang="en">Require SMTP AUTH Before Relaying from Untrusted Clients</title>
10800: <description xml:lang="en">
10801: By default, Sendmail uses the Cyrus-SASL library to provide
10802: authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10803: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10804: To enable the use of SASL authentication for relaying, edit
10805: /etc/mail/sendmail.mc and add or correct the following settings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10806: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10807: TRUST_AUTH_MECH(`LOGIN PLAIN') <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10808: define(`confAUTH_MECHANISMS', `LOGIN PLAIN') <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10809: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10810: and recompile sendmail.cf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10811: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10812: Then edit /usr/lib/sasl2/Sendmail.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10813: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10814: pwcheck_method: saslauthd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10815: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10816: Enable the saslauthd daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10817: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig saslauthd on <xhtml:br/></xhtml:code>
10818: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10819: The AUTH_MECHANISMS configuration option tells sendmail to allow the
10820: specified authentication mechanisms to be used during the SMTP dialogue. The two
10821: listed mechanisms use SASL to test a password provided by the user. Since these
10822: mechanisms transmit plaintext passwords, they should be protected using TLS as
10823: described in the next section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10824: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10825: The TRUST_AUTH_MECH command tells sendmail that senders
10826: who successfully authenticate using the specified mechanism may relay mail through
10827: this MTA even if their addresses are not in relay-domains. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10828: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10829: The file
10830: /usr/lib/sasl2/Sendmail.conf is the Cyrus-SASL configuration file for Sendmail. The
10831: pwcheck_method directive tells SASL how to find passwords. The simplest method,
10832: described here, is to run a separate authentication daemon, saslauthd, which is able
10833: to communicate with the system authentication service. On Red Hat, saslauthd uses PAM
10834: by default, which should work in most cases. If you have a centralized authentication
10835: system which does not work via PAM, look at the saslauthd(8) manpage to determine how
10836: to configure saslauthd for your environment.</description>
10837: </Group>
10838: <Group id="group-3.11.5.3.3" hidden="false">
10839: <title xml:lang="en">Require TLS for SMTP AUTH</title>
10840: <description xml:lang="en">
10841: Edit /etc/mail/sendmail.mc, add or correct the following
10842: lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10843: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10844: define(`confAUTH_OPTIONS', `A p')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10845: define(`confCACERT_PATH', `/etc/pki/tls/CA')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10846: define(`confCACERT', `/etc/pki/tls/CA/cacert.pem')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10847: define(`confSERVER_CERT', `/etc/pki/tls/mail/servercert.pem')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10848: define(`confSERVER_KEY', `/etc/pki/tls/mail/serverkey.pem')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10849: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10850: and recompile sendmail.cf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10851: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10852: These options, combined with the previous settings, tell Sendmail to
10853: protect all SMTP AUTH transactions using TLS. The last four options describe the
10854: location of the necessary TLS certificate and key files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10855: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10856: The AUTH_OPTIONS parameter
10857: configures the SMTP AUTH dialogue. The A option is enabled by default, and simply says
10858: that authentication is allowed if an appropriate mechanism can be found. The p option
10859: tells Sendmail to protect against passive attacks. The PLAIN and LOGIN authentication
10860: mechanisms, recommended by this guide for compatibility with PAM, send passwords in
10861: the clear. (Cleartext password transmissions are vulnerable to passive attack.)
10862: Therefore, if p is set, the SMTP daemon will not make the AUTH command available until
10863: after the client has used the STARTTLS command to encrypt the session. If other
10864: authentication mechanisms were enabled which did not send passwords in the clear, then
10865: TLS would not necessarily be required.</description>
10866: </Group>
10867: </Group>
10868: </Group>
10869: <Group id="group-3.11.6" hidden="false">
10870: <title xml:lang="en">Configure Postfix if Necessary</title>
10871: <description xml:lang="en">
10872: Postfix stores its configuration files in the directory
10873: /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. Other
10874: files will be introduced as needed.</description>
10875: <Group id="group-3.11.6.1" hidden="false">
10876: <title xml:lang="en">Limit Denial of Service Attacks</title>
10877: <description xml:lang="en">
10878: Edit /etc/postfix/main.cf. Add or correct the following lines:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10879: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10880: default_process_limit = 100 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10881: smtpd_client_connection_count_limit = 10<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10882: smtpd_client_connection_rate_limit = 30 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10883: queue_minfree = 20971520 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10884: header_size_limit = 51200 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10885: message_size_limit = 10485760 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10886: smtpd_recipient_limit = 100 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10887: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10888: Note: The values given
10889: here are examples, and may need to be modified for any particular site. By default, the
10890: Postfix anvil process gathers mail receipt statistics. To get information about
10891: what connection rates are typical at your site, look in /var/log/maillog for lines with
10892: the daemon name postfix/anvil. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10893: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10894: These configuration options serve to make it more
10895: difficult for attackers to consume resources on the MTA host. (See Section 3.11.3.1 for
10896: details on why this is done.) The default_process_limit parameter controls how many
10897: smtpd processes can exist at a time, while smtpd_client_connection_count_limit controls
10898: the number of those which can be occupied by any one remote sender, and
10899: smtpd_client_connection_rate_limit controls the number of connections any one client
10900: can make per minute. By default, local hosts (those in mynetworks) are exempted from
10901: per-client rate limiting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10902: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10903: The queue_minfree parameter establishes a free space threshold, in order to
10904: stop e-mail receipt before the queue filesystem is entirely full. The header_size_limit,
10905: message_size_limit, and smtpd_recipient_limit parameters place bounds on the legal sizes
10906: of messages received via SMTP.</description>
10907: </Group>
10908: <Group id="group-3.11.6.2" hidden="false">
10909: <title xml:lang="en">Configure SMTP Greeting Banner</title>
10910: <description xml:lang="en">
10911: Edit /etc/postfix/main.cf, and add or correct the following
10912: line, substituting some other wording for the banner information if you prefer:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10913: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10914: smtpd_banner = $myhostname ESMTP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10915: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10916: The default greeting banner discloses that the
10917: listening mail process is Postfix. See Section 2.3.7 for more about warning banners, and
10918: Section 3.11.3.2 for strategies regarding SMTP greeting banners in particular.</description>
10919: </Group>
10920: <Group id="group-3.11.6.3" hidden="false">
10921: <title xml:lang="en">Control Mail Relaying</title>
10922: <description xml:lang="en">
10923: Postfix's mail relay controls are implemented with the help of
10924: the smtpd_recipient_restrictions option, which controls the restrictions placed on the
10925: SMTP dialogue once the sender and recipient envelope addresses are known. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10926: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10927: The guidance
10928: in Sections 3.11.6.3.1–3.11.6.3.2 should be applied to all machines. If there are
10929: machines which must be allowed to relay mail, but which cannot be trusted to relay
10930: unconditionally, configure SMTP AUTH with SSL support using the guidance in Sections
10931: 3.11.6.3.3 and following.</description>
10932: <Group id="group-3.11.6.3.1" hidden="false">
10933: <title xml:lang="en">Configure Trusted Networks and Hosts</title>
10934: <description xml:lang="en">
10935: Edit /etc/postfix/main.cf, and configure the contents of the
10936: mynetworks variable in one of the following ways: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10937: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10938: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
10939: <xhtml:li>If any machine in the subnet
10940: containing the MTA may be trusted to relay messages, add or correct the line:<xhtml:br/>
10941: <xhtml:br/>
10942: mynetworks_style = subnet </xhtml:li>
10943: <xhtml:li>If only the MTA host itself is trusted to relay messages,
10944: add or correct: <xhtml:br/>
10945: <xhtml:br/>
10946: mynetworks_style = host </xhtml:li>
10947: <xhtml:li>If the set of machines which can relay is
10948: more complicated, manually specify an entry for each netblock or IP address which is
10949: trusted to relay by setting the mynetworks variable directly: <xhtml:br/>
10950: <xhtml:br/>
10951: mynetworks = 10.0.0.0/16 , 192.168.1.0/24 , 127.0.0.1 </xhtml:li>
10952: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10953: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10954: The mynetworks variable must contain only the set of
10955: machines for which this MTA should unconditionally relay mail. This is a trust
10956: relationship — if spammers gain access to these machines, your site will effectively
10957: become an open relay. It is recommended that only machines which are managed by you or
10958: by another trusted organization be placed in mynetworks, and users of all other
10959: machines be required to use SMTP AUTH to send mail.</description>
10960: </Group>
10961: <Group id="group-3.11.6.3.2" hidden="false">
10962: <title xml:lang="en">Allow Unlimited Relaying for Trusted Networks Only</title>
10963: <description xml:lang="en">
10964: Edit /etc/postfix/main.cf, and add or correct the smtpd
10965: recipient restrictions definition so that it contains at least:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10966: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10967: smtpd_recipient_restrictions = <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10968: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10969: permit_mynetworks, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10970: reject_unauth_destination, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10971: ...<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10972: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10973: The full contents of smtpd_recipient_restrictions will vary by site, since this is a
10974: common place to put spam restrictions and other site-specific options. The
10975: permit_mynetworks option allows all mail to be relayed from the machines in mynetworks. Then,
10976: the reject_unauth_destination option denies all mail whose destination address is not
10977: local, preventing any other machines from relaying. These two options should always
10978: appear in this order, and should usually follow one another immediately unless SMTP
10979: AUTH is used.</description>
10980: </Group>
10981: <Group id="group-3.11.6.3.3" hidden="false">
10982: <title xml:lang="en">Require SMTP AUTH Before Relaying from Untrusted Clients</title>
10983: <description xml:lang="en">
10984: SMTP authentication allows remote clients to relay mail
10985: safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH
10986: uses an authentication library called SASL, which is not part of Postfix itself. This
10987: section describes how to configure authentication using the Cyrus-SASL implementation.
10988: See below for a discussion of other options. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10989: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10990: To enable the use of SASL authentication,
10991: edit /etc/postfix/main.cf and add or correct the following settings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10992: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10993: smtpd_sasl_auth_enable = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10994: smtpd_recipient_restrictions = <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10995: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10996: permit_mynetworks,<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10997: permit_sasl_authenticated, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10998: reject_unauth_destination, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
10999: ...<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11000: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11001: Then edit
11002: /usr/lib/sasl/smtpd.conf and add or correct the following line with the correct
11003: authentication mechanism for SASL to use: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11004: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11005: pwcheck_method: saslauthd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11006: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11007: Enable the saslauthd daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11008: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11009: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig saslauthd on <xhtml:br/></xhtml:code>
11010: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11011: Postfix can use either the Cyrus library or
11012: Dovecot as a source for SASL authentication. If this host is running Dovecot for some
11013: other reason, it is recommended that Dovecot's SASL support be used instead of running
11014: the Cyrus code as well. See http://www.postfix.org/SASL_README.html for instructions
11015: on implementing that configuration, which is not described in this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11016: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11017: In Postfix's
11018: configuration, the directive smtpd_sasl_auth_enable tells smtpd to allow the use of
11019: the SMTP AUTH command during the SMTP dialogue, and to support that command by getting
11020: authentication information from SASL. The smtpd_recipient_restrictions directive is
11021: changed so that, if the client is not connecting from a trusted address, it is allowed
11022: to attempt authentication (permit_sasl_authenticated) in order to relay mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11023: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11024: The file
11025: /usr/lib/sasl/smtpd.conf is the Cyrus-SASL configuration file. The pwcheck_method
11026: directive tells SASL how to find passwords. The simplest method, described above, is
11027: to run a separate authentication daemon, saslauthd, which is able to communicate with
11028: the system's authentication facilities. On RHEL5, saslauthd uses PAM by default, which
11029: should work in most cases. If you have a centralized authentication system which does
11030: not work via PAM, look at the saslauthd(8) manpage to find out how to configure
11031: saslauthd for your environment.</description>
11032: </Group>
11033: </Group>
11034: <Group id="group-3.11.6.4" hidden="false">
11035: <title xml:lang="en">Require TLS for SMTP AUTH</title>
11036: <description xml:lang="en">
11037: Edit /etc/postfix/main.cf, and add or correct the following
11038: lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11039: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11040: smtpd_tls_CApath = /etc/pki/tls/CA <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11041: smtpd_tls_CAfile = /etc/pki/tls/CA/cacert.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11042: smtpd_tls_cert_file = /etc/pki/tls/mail/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11043: smtpd_tls_key_file = /etc/pki/tls/mail/serverkey.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11044: smtpd_tls_security_level = may <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11045: smtpd_tls_auth_only = yes<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11046: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11047: These options tell Postfix to protect all SMTP AUTH transactions using TLS. The first
11048: four options describe the locations of the necessary TLS key files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11049: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11050: The smtpd_tls_security_level directive tells smtpd to allow the STARTTLS command during the SMTP
11051: protocol exchange, but not to require it for mail senders. (Unless your site receives
11052: mail only from other trusted sites whose sysadmins can be asked to maintain a copy of
11053: your site certificate, you do not want to require TLS for all SMTP exchanges.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11054: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11055: The smtpd_tls_auth_only directive tells smtpd to require the STARTTLS command before allowing the
11056: client to attempt to authenticate for relaying using SMTP AUTH. It may not be possible
11057: to use this directive if you must allow relaying from non-TLS-capable client software.
11058: If this is the case, simply omit that line.</description>
11059: </Group>
11060: </Group>
11061: </Group>
11062: <Group id="group-3.12" hidden="false">
11063: <title xml:lang="en">LDAP</title>
11064: <description xml:lang="en">
11065: LDAP is a popular directory service, that is, a standardized way of
11066: looking up information from a central database. It is relatively simple to configure a RHEL5
11067: machine to obtain authentication information from an LDAP server. If your network uses LDAP
11068: for authentication, be sure to configure both clients and servers securely.</description>
11069: <Group id="group-3.12.1" hidden="false">
11070: <title xml:lang="en">Use OpenLDAP to Provide LDAP Service if Possible</title>
11071: <description xml:lang="en">
11072: The system's default LDAP client/server program is called
11073: OpenLDAP. Its documentation is available at the project web page: http://www.openldap.org.</description>
11074: </Group>
11075: <Group id="group-3.12.2" hidden="false">
11076: <title xml:lang="en">Configure OpenLDAP Clients</title>
11077: <description xml:lang="en">
11078: This guide recommends configuring OpenLDAP clients by manually
11079: editing the appropriate configuration files. RHEL5 provides an automated configuration
11080: tool called authconfig and a graphical wrapper for authconfig called
11081: system-config-authentication. However, these tools do not give sufficient flexibility over
11082: configuration. The authconfig tools do not allow you to specify locations of SSL
11083: certificate files, which is useful when trying to use SSL cleanly across several
11084: protocols. They are also overly aggressive in placing services such as netgroups and
11085: automounter maps under LDAP control, where it is safer to use LDAP only for services to
11086: which it is relevant in your environment.</description>
11087: <warning xml:lang="en">Before configuring any machine to be an LDAP client, ensure that
11088: a working LDAP server is present on the network. See Section 3.12.3 for instructions on
11089: configuring an LDAP server. </warning>
11090: <Group id="group-3.12.2.1" hidden="false">
11091: <title xml:lang="en">Configure the Appropriate LDAP Parameters for the Domain</title>
11092: <description xml:lang="en">
11093: Assume the fully qualified host name of your LDAP server is
11094: ldap.example.com and the base DN of your domain is dc=example,dc=com (it is conventional
11095: to use the domain name as a base DN). Edit /etc/ldap.conf, and add or correct the
11096: following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11097: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11098: base dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11099: uri ldap://ldap.example.com/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11100: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11101: Then edit /etc/openldap/ldap.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11102: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11103: BASE dc=example,dc=com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11104: URI ldap://ldap.example.com/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11105: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11106: The machine whose hostname is given here must be
11107: configured as an LDAP server, serving data identified by the base DN used here. See
11108: Section 3.12.3 for details on configuring an LDAP server.</description>
11109: </Group>
11110: <Group id="group-3.12.2.2" hidden="false">
11111: <title xml:lang="en">Configure LDAP to Use TLS for All Transactions</title>
11112: <description xml:lang="en">
11113: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
11114: <xhtml:li>Ensure a copy of the site's CA certificate has been placed
11115: in the file /etc/pki/tls/CA/cacert.pem. </xhtml:li>
11116: <xhtml:li>Configure LDAP to enforce TLS use and to
11117: trust certificates signed by the site's CA. First, edit the file /etc/ldap.conf, and add
11118: or correct the following lines: <xhtml:br/>
11119: <xhtml:br/>
11120: ssl start_tls <xhtml:br/>
11121: tls_checkpeer yes <xhtml:br/>
11122: tls_cacertdir /etc/pki/tls/CA <xhtml:br/>
11123: tls_cacertfile /etc/pki/tls/CA/cacert.pem <xhtml:br/>
11124: <xhtml:br/>
11125: Then edit /etc/openldap/ldap.conf, and add or correct the following lines: <xhtml:br/>
11126: <xhtml:br/>
11127: TLS_CACERTDIR /etc/pki/tls/CA <xhtml:br/>
11128: TLS_CACERT /etc/pki/tls/CA/cacert.pem </xhtml:li>
11129: </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11130: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11131: Section 2.5.6 describes the
11132: system-wide configuration of SSL for your enterprise. It is possible to place your
11133: certificate information under some directory other than /etc/pki/tls, but using a
11134: consistent directory structure across all SSL services at your site is recommended. The
11135: LDAP server must be configured with a certificate signed by the CA certificate named
11136: here.</description>
11137: <Rule id="rule-3.12.2.2.a" selected="false" weight="10.000000">
11138: <title xml:lang="en">Configure LDAP to Use TLS for All Transactions</title>
11139: <description xml:lang="en">Clients require LDAP servers to provide valid certificates for SSL communications.</description>
11140: <fixtext xml:lang="en">(1) via /etc/ldap.conf</fixtext>
11141: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11142: <check-content-ref name="oval:org.fedoraproject.f14:def:202885" href="scap-fedora14-oval.xml"/>
11143: </check>
11144: </Rule>
11145: </Group>
11146: <Group id="group-3.12.2.3" hidden="false">
11147: <title xml:lang="en">Configure Authentication Services to Use OpenLDAP</title>
11148: <description xml:lang="en">
11149: Edit the file /etc/ldap.conf, and add or correct the following
11150: lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11151: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11152: pam_password md5 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11153: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11154: Edit the file /etc/nsswitch.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11155: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11156: passwd: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11157: shadow: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11158: group: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11159: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11160: Edit the file
11161: /etc/pam.d/system-auth-ac. Make the following changes, which will add references to LDAP
11162: in each of the four sections of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11163: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11164: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11165: <xhtml:li>Immediately before the last line in the auth
11166: section (the one containing pam_deny.so), insert the line: <xhtml:br/>
11167: <xhtml:br/>
11168: auth sufficient pam_ldap.so use_first_pass </xhtml:li>
11169: <xhtml:li>Modify the first line in the account section by adding the option
11170: broken_shadow. The line should then read: <xhtml:br/>
11171: <xhtml:br/>
11172: account required pam_unix.so broken_shadow </xhtml:li>
11173: <xhtml:li>Immediately before the last line in the account section (the one containing
11174: pam_permit.so), insert the line: <xhtml:br/>
11175: <xhtml:br/>
11176: account [default=bad success=ok user_unknown=ignore] pam_ldap.so </xhtml:li>
11177: <xhtml:li>Immediately before the last line in the password section (the one
11178: containing pam_deny.so), insert the line: <xhtml:br/>
11179: <xhtml:br/>
11180: password sufficient pam_ldap.so use_authtok</xhtml:li>
11181: <xhtml:li>At the end of the file (after the last line in the session section), append the line:<xhtml:br/>
11182: <xhtml:br/>
11183: session optional pam_ldap.so </xhtml:li>
11184: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11185: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11186: The first modification tells LDAP to expect passwords in
11187: MD5 hash format, rather than clear text. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11188: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11189: Red Hat systems use the file /etc/nsswitch.conf
11190: to determine the appropriate sources to search for certain kinds of data, such as
11191: usernames, groups, hostnames, netgroups, or protocols. It is possible to manage many
11192: other types of data using LDAP, but this guide recommends that only usernames (passwd
11193: data), passwords (shadow data), and groups (group data) be managed using LDAP. If your
11194: site uses netgroups, it may be appropriate to manage these via LDAP as well. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11195: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11196: However,
11197: data which almost never changes, such as the contents of the /etc/services file, is a
11198: poor choice for central administration, since it introduces risk with little benefit. It
11199: is recommended that the automounter not be used at all, so LDAP control of automounter
11200: maps is unlikely to be appropriate. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11201: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11202: The file /etc/pam.d/system-auth-ac is used by PAM to
11203: control access to most authenticated services. The syntax of the PAM configuration file
11204: is somewhat cryptic. The lines recommended here have the combined effect of using LDAP
11205: to find authentication data for users who cannot be found in the local /etc/passwd file.
11206: This means that, for instance, it is still possible to use a local root password. The
11207: details of options such as broken_shadow, use_authtok, and use_first_pass may be looked
11208: up in the man pages for the various PAM modules. Their basic effect is to attempt to
11209: authenticate given a password against both the local /etc/shadow and the central LDAP
11210: server, without forcing the user to type the password more than once. PAM configuration
11211: is discussed further in Section 2.3.3.</description>
11212: </Group>
11213: </Group>
11214: <Group id="group-3.12.3" hidden="false">
11215: <title xml:lang="en">Configure OpenLDAP Server</title>
11216: <description xml:lang="en">
11217: This section contains guidance on how to configure an OpenLDAP
11218: server to securely provide information for use in a centralized authentication service.
11219: This is not a comprehensive guide to maintaining an OpenLDAP server, but may be helpful in
11220: transitioning to an OpenLDAP infrastructure nonetheless.</description>
11221: <Group id="group-3.12.3.1" hidden="false">
11222: <title xml:lang="en">Install OpenLDAP Server RPM</title>
11223: <description xml:lang="en">
11224: Is this machine the OpenLDAP server? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11225: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11226: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install openldap-servers <xhtml:br/>
11227: # chkconfig ldap on <xhtml:br/></xhtml:code>
11228: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11229: The openldap-servers RPM is not installed by
11230: default on RHEL5 machines. It is needed only by the OpenLDAP server, not by the clients
11231: which use LDAP for authentication.</description>
11232: <Rule id="rule-3.12.3.1.a" selected="false" weight="10.000000" severity="low">
11233: <title xml:lang="en">Disable OpenLDAP service</title>
11234: <description xml:lang="en">The ldap service should be disabled.</description>
11235: <ident system="http://cce.mitre.org">CCE-3501-4</ident>
11236: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11237: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11238: <check-content-ref name="oval:org.fedoraproject.f14:def:20289" href="scap-fedora14-oval.xml"/>
11239: </check>
11240: </Rule>
11241: </Group>
11242: <Group id="group-3.12.3.2" hidden="false">
11243: <title xml:lang="en">Configure Domain-Specific Parameters</title>
11244: <description xml:lang="en">
11245: Edit the file /etc/openldap/slapd.conf. Add or correct the
11246: following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11247: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11248: suffix "dc=example,dc=com" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11249: rootdn "cn=Manager,dc=example,dc=com"<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11250: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11251: where dc=example,dc=com is the same root you will use on the LDAP clients. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11252: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11253: These are
11254: basic LDAP configuration directives. The suffix parameter gives the root name of all
11255: information served by this LDAP server, and should be some name related to your domain.
11256: The rootdn parameter names LDAP's privileged user, who is allowed to read or write all
11257: data managed by this LDAP server.</description>
11258: </Group>
11259: <Group id="group-3.12.3.3" hidden="false">
11260: <title xml:lang="en">Configure an LDAP Root Password</title>
11261: <description xml:lang="en">
11262: Ensure that the configuration file has reasonable permissions
11263: before putting the hashed root password in that file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11264: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11265: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:ldap /etc/openldap/slapd.conf <xhtml:br/>
11266: # chmod 640 /etc/openldap/slapd.conf <xhtml:br/></xhtml:code>
11267: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11268: Generate a hashed password using the slappasswd utility: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11269: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11270: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># slappasswd <xhtml:br/></xhtml:code>
11271: New password: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11272: Re-enter new password: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11273: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11274: This
11275: will output a hashed password string. Edit the file /etc/openldap/slapd.conf, and add or
11276: correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11277: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11278: rootpw {SSHA}hashed-password-string <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11279: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11280: Be sure to select a secure
11281: password for the LDAP root user, since this user has permission to read and write all
11282: LDAP data, so a compromise of the LDAP root password will probably enable a full
11283: compromise of your site. Protect configuration files containing the hashed password the
11284: same way you would protect other files, such as /etc/shadow, which contain hashed
11285: authentication data. In addition, be sure to use a reasonably strong hash function, such
11286: as SHA-1, rather than an insecure scheme such as crypt.</description>
11287: <description xml:lang="en">If you are using SHA-1, the hashed password string will begin with “{SHA}” or “{SSHA}”. The salted “{SSHA}” form is preferable to the unsalted “{SHA}” form.</description>
11288: </Group>
11289: <Group id="group-3.12.3.4" hidden="false">
11290: <title xml:lang="en">Configure the LDAP Server to Require TLS for All Transactions</title>
11291: <description xml:lang="en">
11292: Because LDAP queries and responses, particularly those
11293: containing authentication information or other sensitive data, must be protected from
11294: disclosure or modification while in transit over the network, this guide recommends
11295: using SSL to protect all transactions. In order to do this, it is necessary to have a
11296: site-wide SSL infrastructure in which a CA certificate is used to verify that other
11297: certificates, such as that presented by the LDAP server to its clients, are authentic.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11298: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11299: Therefore, this procedure involves using the CA system to create a certificate for the
11300: LDAP server, then installing that certificate on the LDAP server and configuring slapd
11301: to require its use. See Section 2.5.6 for details about the process of creating SSL
11302: certificates for use by servers at your site.</description>
11303: <Group id="group-3.12.3.4.1" hidden="false">
11304: <title xml:lang="en">Create the Certificate for the LDAP Server</title>
11305: <description xml:lang="en">
11306: Note: This step must be performed on the CA system, not on
11307: the LDAP server itself. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11308: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11309: Change into the CA certificate directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11310: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11311: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/></xhtml:code>
11312: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11313: Generate a key pair for the LDAP server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11314: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11315: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl genrsa -out ldapserverkey.pem 2048 <xhtml:br/></xhtml:code>
11316: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11317: Next, generate a certificate signing request (CSR) for the CA to sign: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11318: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11319: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key ldapserverkey.pem -out ldapserver.csr <xhtml:br/></xhtml:code>
11320: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11321: Sign the ldapserver.csr request: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11322: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11323: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in ldapserver.csr -out ldapservercert.pem <xhtml:br/></xhtml:code>
11324: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11325: This step creates a private key, ldapserverkey.pem, and a public certificate,
11326: ldapservercert.pem. The LDAP server will use these to prove its identity by
11327: demonstrating that it has a certificate which has been signed by the site CA. LDAP
11328: clients at your site should only be willing to accept authentication data from a
11329: verified LDAP server.</description>
11330: </Group>
11331: <Group id="group-3.12.3.4.2" hidden="false">
11332: <title xml:lang="en">Install the Certificate on the LDAP Server</title>
11333: <description xml:lang="en">
11334: Create the PKI directory for LDAP certificates if it does not
11335: already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11336: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11337: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/ldap <xhtml:br/>
11338: # chown root:root /etc/pki/tls/ldap <xhtml:br/>
11339: # chmod 755 /etc/pki/tls/ldap <xhtml:br/></xhtml:code>
11340: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11341: Using removable media or some other secure transfer method,
11342: install the files generated in the previous step onto the LDAP server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11343: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11344: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11345: <xhtml:li>/etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem</xhtml:li>
11346: <xhtml:li>/etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem </xhtml:li>
11347: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11348: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11349: Verify the ownership and permissions of these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11350: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11351: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:ldap /etc/pki/tls/ldap/serverkey.pem <xhtml:br/>
11352: # chown root:ldap /etc/pki/tls/ldap/servercert.pem <xhtml:br/>
11353: # chmod 640 /etc/pki/tls/ldap/serverkey.pem <xhtml:br/>
11354: # chmod 640 /etc/pki/tls/ldap/servercert.pem<xhtml:br/></xhtml:code>
11355: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11356: Create the CA directory if it does not already exist, install the CA's public certificate (never the CA's private key) as
11357: /etc/pki/tls/CA/cacert.pem, and verify that it has the correct ownership and permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11358: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11359: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/CA <xhtml:br/>
11360: # chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/>
11361: # chmod 644 /etc/pki/tls/CA/cacert.pem <xhtml:br/></xhtml:code>
11362: As a
11363: result of these steps, the LDAP server will have access to its own certificate, to the
11364: private key corresponding to that certificate, and to the public certificate
11365: file belonging to the CA. Note that it would be possible to protect the private key
11366: further, so that processes running as ldap could not read it. If this were done, the
11367: LDAP server process would need to be restarted manually whenever the server rebooted.</description>
11368: </Group>
11369: <Group id="group-3.12.3.4.3" hidden="false">
11370: <title xml:lang="en">Configure slapd to Use the Certificates</title>
11371: <description xml:lang="en">
11372: Edit the file /etc/openldap/slapd.conf. Add or correct the
11373: following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11374: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11375: TLSCACertificateFile /etc/pki/tls/CA/cacert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11376: TLSCertificateFile /etc/pki/tls/ldap/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11377: TLSCertificateKeyFile /etc/pki/tls/ldap/serverkey.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11378: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11379: security simple_bind=128 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11380: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11381: The first set of lines tells slapd where to find the
11382: appropriate SSL certificates to present to clients when they request an encrypted
11383: transaction. The last setting requires a security strength factor of at least 128 for
11384: simple binds, so slapd never allows clients to present credentials (i.e. passwords) in an
11385: unencrypted session. It is a good security principle never to allow unencrypted passwords
11386: to traverse a network, so ensure that LDAP mandates this.</description>
11387: </Group>
11388: </Group>
11389: <Group id="group-3.12.3.5" hidden="false">
11390: <title xml:lang="en">Install Account Information into the LDAP Database</title>
11391: <description xml:lang="en">
11392: There are many ways to maintain an OpenLDAP database. Methods
11393: include: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11394: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11395: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11396: <xhtml:li>Input entries in ldif(5) format into a file /path/to/new_entries, and use
11397: slapadd to import those entries while slapd is not running: <xhtml:br/>
11398: <xhtml:br/>
11399: <xhtml:code># slapadd -l /path/to/new_entries </xhtml:code></xhtml:li>
11400: <xhtml:li>Write a script to create and modify LDAP entries by connecting to the LDAP
11401: server normally. The Perl Net::LDAP module is appropriate for this, there is a Python
11402: API called python-ldap, and functionality is likely available for other scripting
11403: languages as well. </xhtml:li>
11404: <xhtml:li>Use an LDAP front-end program which provides an interface for
11405: editing the database. If the front-end program is web-based or otherwise accessible over
11406: a network, ensure that authentication information is protected via SSL between the
11407: administrator's client and the program, as well as between the program and the LDAP
11408: database. </xhtml:li>
11409: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11410: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11411: Any of these methods or others may be appropriate for your site. This guide
11412: does not provide a recommendation, and there will be no further discussion of the syntax
11413: of entering LDAP data into the database.</description>
11414: <Group id="group-3.12.3.5.1" hidden="false">
11415: <title xml:lang="en">Create Top-level LDAP Structure for Domain</title>
11416: <description xml:lang="en">
11417: Create a structure for the domain itself with at least the
11418: following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11419: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11420: dn: dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11421: objectClass: dcObject <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11422: objectClass: organization <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11423: dc: example <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11424: o: Organization Description <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11425: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11426: This is a placeholder for the
11427: root of the domain's LDAP tree. Without this entry, LDAP will not be able to find any
11428: other entries for the domain.</description>
11429: </Group>
11430: <Group id="group-3.12.3.5.2" hidden="false">
11431: <title xml:lang="en">Create LDAP Structures for Users and Groups</title>
11432: <description xml:lang="en">
11433: Create LDAP structures for people (users) and for groups with
11434: at least the following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11435: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11436: dn: ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11437: ou: people<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11438: structuralObjectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11439: objectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11440: dn: ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11441: ou: groups <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11442: structuralObjectClass: organizationalUnit<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11443: objectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11444: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11445: Posix users and groups are the two top-level items
11446: which will be needed in order to use LDAP for authentication. These organizational
11447: units are used to identify the two categories within LDAP.</description>
11448: </Group>
11449: <Group id="group-3.12.3.5.3" hidden="false">
11450: <title xml:lang="en">Create Unix Accounts</title>
11451: <description xml:lang="en">
11452: For each Unix user, create an LDAP entry with at least the
11453: following attributes (others may be appropriate for your site as well), using variable
11454: values appropriate to that user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11455: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11456: dn: uid=username ,ou=people,dc=example,dc=com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11457: structuralObjectClass: inetOrgPerson <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11458: objectClass: inetOrgPerson <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11459: objectClass: posixAccount <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11460: objectClass: shadowAccount <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11461: cn: fullname <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11462: sn: surname <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11463: gecos: fullname<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11464: gidNumber: primary-group-id <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11465: homeDirectory: /home/username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11466: loginShell: /path/to/shell<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11467: uid: username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11468: uidNumber: uid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11469: userPassword: {MD5}md5-hashed-password <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11470: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11471: If your site
11472: implements password expiration in which passwords must be changed every N days (see
11473: Section 2.3.1.7), then each entry should also have the attribute: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11474: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11475: shadowMax: N <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11476: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11477: In general, the LDAP schemas for users use uid to refer to the text username, and
11478: uidNumber for the numeric UID. This usage may be slightly confusing when compared to
11479: the standard Unix usage. Note also that the {MD5} scheme shown above for userPassword is an unsalted digest; treat it as illustrative and prefer a salted password storage scheme supported by your slapd. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11480: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11481: You should not create entries for the root account or for
11482: system accounts which are unique to individual systems, but only for user accounts
11483: which are to be shared across machines, and which have authentication information
11484: (such as a password) associated with them.</description>
11485: </Group>
11486: <Group id="group-3.12.3.5.4" hidden="false">
11487: <title xml:lang="en">Create Unix Groups</title>
11488: <description xml:lang="en">
11489: For each Unix group, create an LDAP entry with at least the
11490: following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11491: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11492: dn: cn=groupname ,ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11493: cn: groupname<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11494: structuralObjectClass: posixGroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11495: objectClass: posixGroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11496: gidNumber: gid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11497: memberUid: username1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11498: memberUid: username2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11499: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11500: memberUid: usernameN <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11501: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11502: Note that each user has a
11503: primary group, identified by the gidNumber field in the user's account entry. That
11504: group must be created, but it is not necessary to list the user as a memberUid of the
11505: group. This behavior should be familiar to administrators, since it is identical to
11506: the handling of the /etc/passwd and /etc/group files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11507: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11508: Do not create entries for the
11509: root group or for system groups, but only for groups which contain human users or
11510: which are shared across systems.</description>
11511: </Group>
11512: <Group id="group-3.12.3.5.5" hidden="false">
11513: <title xml:lang="en">Create Groups to Administer LDAP</title>
11514: <description xml:lang="en">
11515: If a group of LDAP administrators, admins, is desired, that
11516: group must be created somewhat differently. The specification should have these
11517: attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11518: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11519: dn: cn=admins ,ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11520: cn: admins<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11521: structuralObjectClass: groupOfUniqueNames <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11522: objectClass: groupOfUniqueNames<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11523: uniqueMember: cn=Manager,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11524: uniqueMember: uid=admin1-username ,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11525: uniqueMember: uid=admin2-username ,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11526: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11527: uniqueMember: uid=adminN-username ,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11528: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11529: LDAP cannot use Posix groups for its own internal
11530: authentication — it needs to compare the username specified in an authenticated bind
11531: to some internal groupOfUniqueNames. If you do not specify an LDAP administrators'
11532: group, then all LDAP management will need to be done using the LDAP root user
11533: (Manager). For reasons of auditing and error detection, it is recommended that LDAP
11534: administrators have unique identities. (See Section 2.3.1.3 for similar reasoning
11535: applied to the use of sudo for privileged system commands.)</description>
11536: </Group>
11537: </Group>
11538: <Group id="group-3.12.3.6" hidden="false">
11539: <title xml:lang="en">Configure slapd to Protect Authentication Information</title>
11540: <description xml:lang="en">
11541: Edit the file /etc/openldap/slapd.conf. Add or correct the
11542: following access specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11543: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11544: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
11545: <xhtml:li>Protect the user's password by allowing the user
11546: himself or the LDAP administrators to change it, allowing the anonymous user to
11547: authenticate against it, and allowing no other access: <xhtml:br/>
11548: <xhtml:br/>
11549: access to attrs=userPassword <xhtml:br/>
11550: by self write <xhtml:br/>
11551: by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/>
11552: by anonymous auth <xhtml:br/>
11553: by * none <xhtml:br/>
11554: access to attrs=shadowLastChange <xhtml:br/>
11555: by self write <xhtml:br/>
11556: by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/>
11557: by * read</xhtml:li>
11558: <xhtml:li>Allow anyone to read other
11559: information, and allow the administrators to change it: <xhtml:br/>
11560: <xhtml:br/>
11561: access to * by<xhtml:br/>
11562: group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/>
11563: by * read </xhtml:li>
11564: </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11565: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11566: Access rules are applied in the order encountered, so more specific rules should
11567: appear first. In particular, the rule restricting access to userPassword must appear
11568: before the rule allowing access to all data. The shadowLastChange attribute is a
11569: timestamp, and is only critical if your site implements password expiration. If your
11570: site does not have an LDAP administrators group, the LDAP root user (called Manager in
11571: this guide) will be able to change data without an explicit access statement.</description>
11572: </Group>
11573: <Group id="group-3.12.3.7" hidden="false">
11574: <title xml:lang="en">Correct Permissions on LDAP Server Files</title>
11575: <description xml:lang="en">
11576: Correct the permissions on the LDAP server's files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11577: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11578: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown ldap:root /var/lib/ldap/* <xhtml:br/></xhtml:code>
11579: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11580: Some manual methods of inserting information into the LDAP
11581: database may leave these files with incorrect permissions. This will prevent slapd from
11582: starting correctly.</description>
11583: <Value id="var-3.12.3.7.a" operator="equals" type="string">
11584: <title xml:lang="en">group owner of ldap files</title>
11585: <description xml:lang="en">Specify group owner of /var/lib/ldap/*.</description>
11586: <question xml:lang="en">Specify group owner of /var/lib/ldap/*</question>
11587: <value>root</value>
11588: <value selector="root">root</value>
11589: </Value>
11590: <Value id="var-3.12.3.7.b" operator="equals" type="string">
11591: <title xml:lang="en">user owner of ldap files</title>
11592: <description xml:lang="en">Specify user owner of /var/lib/ldap/*.</description>
11593: <question xml:lang="en">Specify user owner of /var/lib/ldap/*</question>
11594: <value>ldap</value>
11595: <value selector="ldap">ldap</value>
11596: </Value>
11597: <Rule id="rule-3.12.3.7.a" selected="false" weight="10.000000">
11598: <title xml:lang="en">Correct Permissions on LDAP Server Files</title>
11599: <description xml:lang="en">The /var/lib/ldap/* files should be owned by the appropriate group.</description>
11600: <ident system="http://cce.mitre.org">CCE-4484-2</ident>
11601: <fixtext xml:lang="en">(1) via chown</fixtext>
11602: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11603: <check-export export-name="oval:org.fedoraproject.f14:var:20290" value-id="var-3.12.3.7.a"/>
11604: <check-content-ref name="oval:org.fedoraproject.f14:def:20290" href="scap-fedora14-oval.xml"/>
11605: </check>
11606: </Rule>
11607: <Rule id="rule-3.12.3.7.b" selected="false" weight="10.000000">
11608: <title xml:lang="en">Correct Permissions on LDAP Server Files</title>
11609: <description xml:lang="en">The /var/lib/ldap/* files should be owned by the appropriate user.</description>
11610: <ident system="http://cce.mitre.org">CCE-4502-1</ident>
11611: <fixtext xml:lang="en">(1) via chown</fixtext>
11612: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11613: <check-export export-name="oval:org.fedoraproject.f14:var:20291" value-id="var-3.12.3.7.b"/>
11614: <check-content-ref name="oval:org.fedoraproject.f14:def:20291" href="scap-fedora14-oval.xml"/>
11615: </check>
11616: </Rule>
11617: </Group>
11618: <Group id="group-3.12.3.8" hidden="false">
11619: <title xml:lang="en">Configure iptables to Allow Access to the LDAP Server</title>
11620: <description xml:lang="en">
11621: Determine an appropriate network block, netwk, and network
11622: mask, mask, representing the machines on your network which will query this
11623: LDAP server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11624: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11625: Edit /etc/sysconfig/iptables. Add the following lines, ensuring that they appear
11626: before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11627: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11628: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 389 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11629: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 636 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11630: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11631: The default iptables configuration does not allow inbound access to any services. These
11632: modifications allow access to the LDAP primary (389) and encrypted-only (636) ports,
11633: while keeping all other ports on the server in their default protected state. See
11634: Section 2.5.5 for more information about iptables. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11635: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11636: Note: Even if the LDAP server
11637: restricts connections so that only encrypted queries are allowed, it will probably be
11638: necessary to allow traffic to the default port 389. This is true because many LDAP
11639: clients implement encryption by connecting to the primary port and issuing the STARTTLS
11640: command. Opening port 389 therefore does not by itself permit cleartext credentials; that is governed by the security setting in slapd.conf described in Section 3.12.3.4.3.</description>
11641: </Group>
11642: <Group id="group-3.12.3.9" hidden="false">
11643: <title xml:lang="en">Configure Logging for LDAP</title>
11644: <description xml:lang="en">
11645: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
11646: <xhtml:li>Edit the file /etc/syslog.conf. Add or correct the following line: <xhtml:br/>
11647: <xhtml:br/>
11648: local4.* /var/log/ldap.log </xhtml:li>
11649: <xhtml:li>Create the log file with safe permissions: <xhtml:br/>
11650: <xhtml:br/>
11651: <xhtml:code># touch /var/log/ldap.log <xhtml:br/>
11652: # chown root:root /var/log/ldap.log <xhtml:br/>
11653: # chmod 0600 /var/log/ldap.log </xhtml:code></xhtml:li>
11654: <xhtml:li>Edit the file /etc/logrotate.d/syslog and add the pathname <xhtml:br/>
11655: <xhtml:br/>
11656: /var/log/ldap.log <xhtml:br/>
11657: <xhtml:br/>
11658: to the space-separated list in the first line. </xhtml:li>
11659: <xhtml:li>Edit the LDAP configuration file
11660: /etc/openldap/slapd.conf and set a reasonable set of default log parameters, such as:<xhtml:br/>
11661: <xhtml:br/>
11662: loglevel stats2 </xhtml:li>
11663: </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11664: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11665: OpenLDAP sends its log data to the syslog facility local4 at priority
11666: debug. By default, RHEL5 does not store this facility at all. The syslog configuration
11667: suggested here will store any output logged by slapd in the file /var/log/ldap.log, and
11668: will include that file in the standard log rotation for syslog files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11669: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11670: By default, LDAP's
11671: logging is quite verbose. The loglevel parameter is a space-separated list of items to
11672: be logged. Specifying stats2 will reduce the log output somewhat, but this level will
11673: still produce some logging every time an LDAP query is made. (This may be appropriate,
11674: depending on your site's auditing requirements.) In order to capture only slapd startup
11675: messages, specify loglevel none. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11676: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11677: See slapd.conf(5) for detailed information about the
11678: loglevel parameter. See Section 2.6.1 for more information about syslog.</description>
11679: </Group>
11680: </Group>
11681: </Group>
11682: <Group id="group-3.13" hidden="false">
11683: <title xml:lang="en">NFS and RPC</title>
11684: <description xml:lang="en">
11685: The Network File System is the most popular distributed filesystem
11686: for the Unix environment, and is very widely deployed. Unfortunately, NFS was not designed
11687: with security in mind, and has a number of weaknesses, both in terms of the protocol itself
11688: and because any NFS installation must expose several daemons, running on both servers and
11689: clients, to network attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11690: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11691: This section discusses the circumstances under which it is
11692: possible to disable NFS and its dependencies, and then details steps which should be taken
11693: to secure, as much as possible, NFS's configuration. This section is relevant to machines
11694: operating as NFS clients, as well as to those operating as NFS servers.</description>
11695: <Group id="group-3.13.1" hidden="false">
11696: <title xml:lang="en">Disable All NFS Services if Possible</title>
11697: <description xml:lang="en">
11698: Is there a mission-critical reason for this machine to operate as
11699: either an NFS client or an NFS server? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11700: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11701: If not, follow all instructions in the remainder of
11702: Section 3.13.1 to disable subsystems required by NFS. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11703: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11704: NFS is a commonly used mechanism for
11705: sharing data between machines in an organization. However, its use opens many potential
11706: security holes. If NFS is not universally needed in your organization, improve the
11707: security posture of any machine which does not require NFS by disabling it entirely.</description>
11708: <warning xml:lang="en">The steps in Section 3.13.1 will prevent a machine from operating
11709: as either an NFS client or an NFS server. Only perform these steps on machines which do
11710: not need NFS at all. </warning>
11711: <Group id="group-3.13.1.1" hidden="false">
11712: <title xml:lang="en">Disable Services Used Only by NFS</title>
11713: <description xml:lang="en">
11714: If NFS is not needed, perform the following steps to disable
11715: NFS client daemons: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11716: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig nfslock off <xhtml:br/>
11717: # chkconfig rpcgssd off <xhtml:br/>
11718: # chkconfig rpcidmapd off <xhtml:br/></xhtml:code>
11719: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11720: The nfslock, rpcgssd, and rpcidmapd daemons all perform NFS client functions. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11721: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11722: All of these daemons run with elevated privileges, and many listen for
11723: network connections. If they are not needed, they should be disabled to improve system
11724: security posture.</description>
11725: <Rule id="rule-3.13.1.1.a" selected="false" weight="10.000000" severity="low">
11726: <title xml:lang="en">Disable nfslock</title>
11727: <description xml:lang="en">The nfslock service should be disabled.</description>
11728: <ident system="http://cce.mitre.org">CCE-4396-8</ident>
11729: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11730: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11731: <check-content-ref name="oval:org.fedoraproject.f14:def:20292" href="scap-fedora14-oval.xml"/>
11732: </check>
11733: </Rule>
11734: <Rule id="rule-3.13.1.1.b" selected="false" weight="10.000000" severity="low">
11735: <title xml:lang="en">Disable rpcgssd</title>
11736: <description xml:lang="en">The rpcgssd service should be disabled.</description>
11737: <ident system="http://cce.mitre.org">CCE-3535-2</ident>
11738: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11739: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11740: <check-content-ref name="oval:org.fedoraproject.f14:def:20293" href="scap-fedora14-oval.xml"/>
11741: </check>
11742: </Rule>
11743: <Rule id="rule-3.13.1.1.c" selected="false" weight="10.000000" severity="low">
11744: <title xml:lang="en">Disable rpcidmapd</title>
11745: <description xml:lang="en">The rpcidmapd service should be disabled.</description>
11746: <ident system="http://cce.mitre.org">CCE-3568-3</ident>
11747: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11748: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11749: <check-content-ref name="oval:org.fedoraproject.f14:def:20294" href="scap-fedora14-oval.xml"/>
11750: </check>
11751: </Rule>
11752: </Group>
11753: <Group id="group-3.13.1.2" hidden="false">
11754: <title xml:lang="en">Disable netfs if Possible</title>
11755: <description xml:lang="en">
11756: Determine whether any network filesystems handled by netfs are
11757: mounted on this system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11758: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11759: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mount -t nfs,nfs4,smbfs,cifs,ncpfs <xhtml:br/></xhtml:code>
11760: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11761: If this command returns no output, disable netfs to improve system security: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11762: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11763: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig netfs off <xhtml:br/></xhtml:code>
11764: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11765: The netfs script
11766: manages the boot-time mounting of several types of networked filesystems, of which NFS
11767: and Samba (see Section 3.18) are the most common. If these filesystem types are not in
11768: use, the script can be disabled, protecting the system somewhat against accidental or
11769: malicious changes to /etc/fstab and against flaws in the netfs script itself.</description>
11770: <Rule id="rule-3.13.1.2.a" selected="false" weight="10.000000" severity="low">
11771: <title xml:lang="en">Disable netfs if Possible</title>
11772: <description xml:lang="en">The netfs service should be disabled.</description>
11773: <ident system="http://cce.mitre.org">CCE-4533-6</ident>
11774: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11775: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11776: <check-content-ref name="oval:org.fedoraproject.f14:def:20295" href="scap-fedora14-oval.xml"/>
11777: </check>
11778: </Rule>
11779: </Group>
11780: <Group id="group-3.13.1.3" hidden="false">
11781: <title xml:lang="en">Disable RPC Portmapper if Possible</title>
11782: <description xml:lang="en">
11783: If: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11784: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11785: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
11786: <xhtml:li>NFS is not needed </xhtml:li>
11787: <xhtml:li>The site does not rely on NIS for authentication information, and </xhtml:li>
11788: <xhtml:li>The machine does not run any other RPC-based service</xhtml:li>
11789: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11790: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11791: then disable the RPC portmapper service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11792: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11793: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig portmap off <xhtml:br/></xhtml:code>
11794: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11795: By design, the RPC
11796: model does not require particular services to listen on fixed ports, but instead uses a
11797: daemon, portmap, to tell prospective clients which ports to use to contact the services
11798: they are trying to reach. This model weakens system security by introducing another
11799: privileged daemon which may be directly attacked, and is unnecessary because RPC was
11800: never adopted by enough services to risk using up all the ports on a system.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11801: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11802: Unfortunately, the portmapper is central to RPC design, so it cannot be disabled if your
11803: site is using any RPC-based services, including NFS, NIS (see Section 3.2.4 for
11804: information about NIS, which is not recommended), or any third-party or custom RPC-based
11805: program. If none of these programs are in use, however, portmap should be disabled to
11806: improve system security. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11807: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11808: In order to get more information about whether portmap may be
11809: disabled on a given host, query the local portmapper using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11810: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11811: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpcinfo -p <xhtml:br/></xhtml:code>
11812: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11813: If the only services listed are portmapper and status, it is safe to disable the
11814: portmapper. If other services are listed and your site is not running NFS or NIS,
11815: investigate these services and disable them if possible. Note that on Fedora 14 the portmapper is provided by the rpcbind service rather than a service named portmap; confirm the service name with chkconfig --list and disable that service (for example, chkconfig rpcbind off).</description>
11816: <Rule id="rule-3.13.1.3.a" selected="false" weight="10.000000" severity="low">
11817: <title xml:lang="en">Disable RPC Portmapper if Possible</title>
11818: <description xml:lang="en">The portmap service should be disabled.</description>
11819: <ident system="http://cce.mitre.org">CCE-4550-0</ident>
11820: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11821: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11822: <check-content-ref name="oval:org.fedoraproject.f14:def:20296" href="scap-fedora14-oval.xml"/>
11823: </check>
11824: </Rule>
11825: </Group>
11826: </Group>
11827: <Group id="group-3.13.2" hidden="false">
11828: <title xml:lang="en">Configure All Machines which Use NFS</title>
11829: <description xml:lang="en">The steps in this section are appropriate for all machines which run NFS, whether they operate as clients or as servers.</description>
11830: <Group id="group-3.13.2.1" hidden="false">
11831: <title xml:lang="en">Make Each Machine a Client or a Server, not Both</title>
11832: <description xml:lang="en">
11833: If NFS must be used, it should be deployed in the simplest
11834: configuration possible to avoid maintainability problems which may lead to unnecessary
11835: security exposure. Due to the reliability and security problems caused by NFS, it is not
11836: a good idea for machines which act as NFS servers to also mount filesystems via NFS. At
11837: the least, crossed mounts (the situation in which each of two servers mounts a
11838: filesystem from the other) should never be used.</description>
11839: </Group>
11840: <Group id="group-3.13.2.2" hidden="false">
11841: <title xml:lang="en">Restrict Access to the Portmapper</title>
11842: <description xml:lang="en">
11843: Edit the file /etc/hosts.deny. Add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11844: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11845: portmap: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11846: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11847: Edit the file /etc/hosts.allow. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11848: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11849: portmap: IPADDR1 , IPADDR2 , ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11850: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11851: where each IPADDR is the IP address of a server or client with which this
11852: machine shares NFS filesystems. If the machine is an NFS server, it may be simpler to
11853: use an IP netblock specification, such as 10.3.2. (this is the TCP Wrappers syntax
11854: representing the netblock 10.3.2.0/24), or a hostname specification, such as
11855: .subdomain.example.com. The use of hostnames is not recommended, because the access decision would then depend on DNS lookups that an attacker on the network may be able to spoof. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11856: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11857: The /etc/hosts.allow
11858: and /etc/hosts.deny files are used by TCP Wrappers to determine whether specified remote
11859: hosts are allowed to access certain services. The default portmapper shipped with RHEL5
11860: has TCP Wrappers support built in, so this specification can be used to provide some
11861: protection against network attacks on the portmapper. The daemon name on the left of each line must match the portmapper actually running on this system: on Fedora 14 the portmapper is rpcbind, so the entries should read rpcbind: ALL and rpcbind: IPADDR1, ... instead; an entry naming a daemon that is not running silently provides no protection. (See Section 2.5.4 for more
11862: information about TCP Wrappers.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11863: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11864: Note: This step protects only the portmap service
11865: itself. It is still possible for attackers to guess the port numbers of NFS services and
11866: attack those services directly, even if they are denied access to the portmapper.</description>
11867: </Group>
11868: <Group id="group-3.13.2.3" hidden="false">
11869: <title xml:lang="en">Configure NFS Services to Use Fixed Ports</title>
11870: <description xml:lang="en">
11871: Edit the file /etc/sysconfig/nfs. Add or correct the following
11872: lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11873: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11874: LOCKD_TCPPORT=lockd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11875: LOCKD_UDPPORT=lockd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11876: MOUNTD_PORT=mountd-port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11877: RQUOTAD_PORT=rquotad-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11878: STATD_PORT=statd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11879: STATD_OUTGOING_PORT=statd-outgoing-port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11880: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11881: where each of lockd-port, mountd-port, rquotad-port, statd-port and statd-outgoing-port is a port number which is not used by any other service on your network (the same values must be used in the firewall rules of Section 3.13.4.2).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11882: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11883: Firewalling should be done at each host and at the border firewalls to protect the NFS
11884: daemons from remote access, since NFS servers should never be accessible from outside
11885: the organization. However, by default, the portmapper assigns each NFS service to a port
11886: dynamically at service startup time. Dynamic ports cannot be protected by port filtering
11887: firewalls such as iptables (Section 2.5.5). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11888: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11889: Therefore, restrict each service to always
11890: use a given port, so that firewalling can be done effectively. Note that, because of the
11891: way RPC is implemented, it is not possible to disable the portmapper even if ports are
11892: assigned statically to all RPC services.</description>
11893: <Rule id="rule-3.13.2.3.a" selected="false" weight="10.000000">
11894: <title xml:lang="en">Configure lockd to Use Fixed Ports for TCP</title>
11895: <description xml:lang="en">The lockd service should be configured to use a static port for TCP</description>
11896: <ident system="http://cce.mitre.org">CCE-4559-1</ident>
11897: <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11898: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11899: <check-content-ref name="oval:org.fedoraproject.f14:def:20297" href="scap-fedora14-oval.xml"/>
11900: </check>
11901: </Rule>
11902: <Rule id="rule-3.13.2.3.b" selected="false" weight="10.000000">
11903: <title xml:lang="en">Configure statd to Use an outgoing static port</title>
11904: <description xml:lang="en">The statd service should be configured to use an outgoing static port</description>
11905: <ident system="http://cce.mitre.org">CCE-4015-4</ident>
11906: <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11907: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11908: <check-content-ref name="oval:org.fedoraproject.f14:def:20298" href="scap-fedora14-oval.xml"/>
11909: </check>
11910: </Rule>
11911: <Rule id="rule-3.13.2.3.c" selected="false" weight="10.000000">
11912: <title xml:lang="en">Configure statd to Use a static port</title>
11913: <description xml:lang="en">The statd service should be configured to use a static port</description>
11914: <ident system="http://cce.mitre.org">CCE-3667-3</ident>
11915: <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11916: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11917: <check-content-ref name="oval:org.fedoraproject.f14:def:20299" href="scap-fedora14-oval.xml"/>
11918: </check>
11919: </Rule>
11920: <Rule id="rule-3.13.2.3.d" selected="false" weight="10.000000">
11921: <title xml:lang="en">Configure lockd to Use a static port for UDP</title>
11922: <description xml:lang="en">The lockd service should be configured to use a static port for UDP</description>
11923: <ident system="http://cce.mitre.org">CCE-4310-9</ident>
11924: <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11925: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11926: <check-content-ref name="oval:org.fedoraproject.f14:def:20300" href="scap-fedora14-oval.xml"/>
11927: </check>
11928: </Rule>
11929: <Rule id="rule-3.13.2.3.e" selected="false" weight="10.000000">
11930: <title xml:lang="en">Configure mountd to Use a static port</title>
11931: <description xml:lang="en">The mountd service should be configured to use a static port</description>
11932: <ident system="http://cce.mitre.org">CCE-4438-8</ident>
11933: <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11934: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11935: <check-content-ref name="oval:org.fedoraproject.f14:def:20301" href="scap-fedora14-oval.xml"/>
11936: </check>
11937: </Rule>
11938: <Rule id="rule-3.13.2.3.f" selected="false" weight="10.000000">
11939: <title xml:lang="en">Configure rquotad to Use Fixed Ports</title>
11940: <description xml:lang="en">The rquotad service should be configured to use a static port</description>
11941: <ident system="http://cce.mitre.org">CCE-3579-0</ident>
11942: <fixtext xml:lang="en">(1) via /etc/sysconfig/nfs</fixtext>
11943: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11944: <check-content-ref name="oval:org.fedoraproject.f14:def:20302" href="scap-fedora14-oval.xml"/>
11945: </check>
11946: </Rule>
11947: </Group>
11948: </Group>
11949: <Group id="group-3.13.3" hidden="false">
11950: <title xml:lang="en">Configure NFS Clients</title>
11951: <description xml:lang="en">The steps in this section are appropriate for machines which operate as NFS clients.</description>
11952: <Group id="group-3.13.3.1" hidden="false">
11953: <title xml:lang="en">Disable NFS Server Daemons</title>
11954: <description xml:lang="en">
11955: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig nfs off <xhtml:br/>
11956: # chkconfig rpcsvcgssd off <xhtml:br/></xhtml:code>
11957: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11958: There is no need
11959: to run the NFS server daemons except on a small number of properly secured machines
11960: designated as NFS servers. Ensure that these daemons are turned off on clients.</description>
11961: <Rule id="rule-3.13.3.1.a" selected="false" weight="10.000000" severity="low">
11962: <title xml:lang="en">Disable nfs service</title>
11963: <description xml:lang="en">The nfs service should be disabled</description>
11964: <ident system="http://cce.mitre.org">CCE-4473-5</ident>
11965: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11966: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11967: <check-content-ref name="oval:org.fedoraproject.f14:def:20303" href="scap-fedora14-oval.xml"/>
11968: </check>
11969: </Rule>
11970: <Rule id="rule-3.13.3.1.b" selected="false" weight="10.000000" severity="low">
11971: <title xml:lang="en">Disable rpcsvcgssd service</title>
11972: <description xml:lang="en">The rpcsvcgssd service should be disabled</description>
11973: <ident system="http://cce.mitre.org">CCE-4491-7</ident>
11974: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
11975: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11976: <check-content-ref name="oval:org.fedoraproject.f14:def:20304" href="scap-fedora14-oval.xml"/>
11977: </check>
11978: </Rule>
11979: </Group>
11980: <Group id="group-3.13.3.2" hidden="false">
11981: <title xml:lang="en">Mount Remote Filesystems with Restrictive Options</title>
11982: <description xml:lang="en">
11983: Edit the file /etc/fstab. For each filesystem whose type
11984: (column 3) is nfs or nfs4, add the text ,nodev,nosuid to the list of mount options in
11985: column 4. If appropriate, also add ,noexec. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11986: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
11987: See Section 2.2.1.2 for a description of the
11988: effects of these options. In general, execution of files mounted via NFS should be
11989: considered risky because of the possibility that an adversary could intercept the
11990: request and substitute a malicious file. Allowing setuid files to be executed from
11991: remote servers is particularly risky, both for this reason and because it requires the
11992: clients to extend root-level trust to the NFS server.</description>
11993: <Rule id="rule-3.13.3.2.a" selected="false" weight="10.000000">
11994: <title xml:lang="en">Mount Remote Filesystems with nodev</title>
11995: <description xml:lang="en">The nodev option should be enabled for all NFS mounts</description>
11996: <ident system="http://cce.mitre.org">CCE-4368-7</ident>
11997: <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
11998: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
11999: <check-content-ref name="oval:org.fedoraproject.f14:def:20305" href="scap-fedora14-oval.xml"/>
12000: </check>
12001: </Rule>
12002: <Rule id="rule-3.13.3.2.b" selected="false" weight="10.000000" severity="medium">
12003: <title xml:lang="en">Mount Remote Filesystems with nosuid</title>
12004: <description xml:lang="en">The nosuid option should be enabled for all NFS mounts</description>
12005: <ident system="http://cce.mitre.org">CCE-4024-6</ident>
12006: <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
12007: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12008: <check-content-ref name="oval:org.fedoraproject.f14:def:20306" href="scap-fedora14-oval.xml"/>
12009: </check>
12010: </Rule>
12011: <Rule id="rule-3.13.3.2.c" selected="false" weight="10.000000" severity="medium">
12012: <title xml:lang="en">Mount Remote Filesystems with noexec</title>
12013: <description xml:lang="en">The noexec option should be enabled for all NFS mounts</description>
12014: <ident system="http://cce.mitre.org">CCE-4526-0</ident>
12015: <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
12016: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12017: <check-content-ref name="oval:org.fedoraproject.f14:def:20307" href="scap-fedora14-oval.xml"/>
12018: </check>
12019: </Rule>
12020: </Group>
12021: </Group>
12022: <Group id="group-3.13.4" hidden="false">
12023: <title xml:lang="en">Configure NFS Servers</title>
12024: <description xml:lang="en">The steps in this section are appropriate for machines which operate as NFS servers.</description>
12025: <Group id="group-3.13.4.1" hidden="false">
12026: <title xml:lang="en">Configure the Exports File Restrictively</title>
12027: <description xml:lang="en">
12028: Linux's NFS implementation uses the file /etc/exports to
12029: control what filesystems and directories may be accessed via NFS. (See the exports(5)
12030: manpage for more information about the format of this file.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12031: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12032: The syntax of the exports
12033: file is not necessarily checked fully on reload, and syntax errors can leave your NFS
12034: configuration more open than intended. Therefore, exercise caution when modifying the
12035: file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12036: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12037: The syntax of each line in /etc/exports is <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12038: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12039: /DIR ipaddr1(opt1,opt2) ipaddr2(opt3) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12040: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12041: where /DIR is a directory or filesystem to export, ipaddrN is an IP address,
12042: netblock, hostname, domain, or netgroup to which to export, and optN is an option. There must be no whitespace between a client specification and its parenthesized options: exports(5) parses a line such as /DIR ipaddr1 (rw) as two entries, one exporting to ipaddr1 with the default options and one exporting to every host with rw, which is exactly the kind of unintended exposure warned about above.</description>
12043: <Group id="group-3.13.4.1.1" hidden="false">
12044: <title xml:lang="en">Use Access Lists to Enforce Authorization Restrictions on Mounts</title>
12045: <description xml:lang="en">
12046: Edit /etc/exports. Ensure that each export line contains a
12047: set of IP addresses or hosts which are allowed to access that export. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12048: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12049: If no IP
12050: addresses or hostnames are specified on an export line, then that export is available
12051: to any remote host which requests it. All lines of the exports file should specify the
12052: hosts (or subnets, if needed) which are allowed to access the exported directory, so
12053: that unknown or remote hosts will be denied.</description>
12054: </Group>
12055: <Group id="group-3.13.4.1.2" hidden="false">
12056: <title xml:lang="en">Use Root-Squashing on All Exports</title>
12057: <description xml:lang="en">
12058: Edit /etc/exports. Ensure that no line contains the option no_root_squash. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12059: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12060: If a filesystem is exported using root squashing, requests from root on
12061: the client are considered to be unprivileged (mapped to a user such as nobody). This
12062: provides some mild protection against remote abuse of an NFS server. Root squashing is
12063: enabled by default, and should not be disabled.</description>
12064: <Rule id="rule-3.13.4.1.2.a" selected="false" weight="10.000000">
12065: <title xml:lang="en">Use Root-Squashing on All Exports</title>
12066: <description xml:lang="en">Root squashing should be enabled for all NFS shares</description>
12067: <ident system="http://cce.mitre.org">CCE-4544-3</ident>
12068: <fixtext xml:lang="en">(1) via /etc/exports</fixtext>
12069: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12070: <check-content-ref name="oval:org.fedoraproject.f14:def:20308" href="scap-fedora14-oval.xml"/>
12071: </check>
12072: </Rule>
12073: </Group>
12074: <Group id="group-3.13.4.1.3" hidden="false">
12075: <title xml:lang="en">Restrict NFS Clients to Privileged Ports</title>
12076: <description xml:lang="en">
12077: Edit /etc/exports. Ensure that no line contains the option insecure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12078: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12079: By default, Linux's NFS implementation requires that all client requests be
12080: made from ports less than 1024. Binding such a port requires root on a conventional Unix client, so if your organization has control over machines
12081: connected to its network, and if NFS requests are prohibited at the border firewall,
12082: this offers some protection against forged requests from unprivileged users on the allowed clients. It offers none against an attacker who holds root on an allowed client or who can attach an uncontrolled machine to the network.
12083: Therefore, the default should not be changed.</description>
12084: <Rule id="rule-3.13.4.1.3.a" selected="false" weight="10.000000">
12085: <title xml:lang="en">Restrict NFS Clients to Privileged Ports</title>
12086: <description xml:lang="en">Restriction of NFS clients to privileged ports should be enabled</description>
12087: <ident system="http://cce.mitre.org">CCE-4465-1</ident>
12088: <fixtext xml:lang="en">(1) via /etc/exports</fixtext>
12089: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12090: <check-content-ref name="oval:org.fedoraproject.f14:def:20309" href="scap-fedora14-oval.xml"/>
12091: </check>
12092: </Rule>
12093: </Group>
12094: <Group id="group-3.13.4.1.4" hidden="false">
12095: <title xml:lang="en">Export Filesystems Read-Only if Possible</title>
12096: <description xml:lang="en">
12097: Edit /etc/exports. Ensure that every line contains the option
12098: ro and does not contain the option rw, unless there is an operational need for remote
12099: clients to modify that filesystem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12100: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12101: If a filesystem is being exported so that users can
12102: view the files in a convenient fashion, but there is no need for users to edit those
12103: files, exporting the filesystem read-only removes an attack vector against the server.
12104: The default filesystem export mode is ro, so do not specify rw without a good reason.</description>
12105: <Rule id="rule-3.13.4.1.4.a" selected="false" weight="10.000000">
12106: <title xml:lang="en">Export Filesystems Read-Only if Possible</title>
12107: <description xml:lang="en">Write access to NFS shares should be disabled</description>
12108: <ident system="http://cce.mitre.org">CCE-4350-5</ident>
12109: <fixtext xml:lang="en">(1) via /etc/exports</fixtext>
12110: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12111: <check-content-ref name="oval:org.fedoraproject.f14:def:20310" href="scap-fedora14-oval.xml"/>
12112: </check>
12113: </Rule>
12114: </Group>
12115: </Group>
12116: <Group id="group-3.13.4.2" hidden="false">
12117: <title xml:lang="en">Allow Legitimate NFS Clients to Access the Server</title>
12118: <description xml:lang="en">
12119: Determine an appropriate network block, netwk , and network
12120: mask, mask , representing the machines on your network which must mount NFS filesystems
12121: from this server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12122: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12123: Edit /etc/sysconfig/iptables. Add the following lines, ensuring that
12124: they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12125: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12126: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport 111 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12127: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 111 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12128: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 2049 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12129: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12130: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport lockd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12131: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport lockd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12132: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport mountd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12133: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport mountd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12134: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport rquotad-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12135: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport rquotad-port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12136: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport statd-port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12137: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport statd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12138: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12139: where the variable port numbers match those selected in Section 3.13.2.3. Use the name of the input chain that the local /etc/sysconfig/iptables actually defines: RH-Firewall-1-INPUT is the RHEL5 chain name, while a default Fedora 14 ruleset generally places its rules directly in the INPUT chain, and a rule appended to a chain that does not exist is rejected when the ruleset is loaded. If any client mounts over UDP, add a matching udp rule for port 2049. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12140: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12141: The default iptables configuration does not allow inbound access to any services. This
12142: modification will allow the specified block of remote hosts to initiate connections to
12143: the set of NFS daemons, while keeping all other ports on the server in their default
12144: protected state. See Section 2.5.5 for more information about iptables.</description>
12145: </Group>
12146: </Group>
12147: </Group>
12148: <Group id="group-3.14" hidden="false">
12149: <title xml:lang="en">DNS Server</title>
12150: <description xml:lang="en">Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS, so any nameserver should be configured defensively.</description>
12151: <reference href="">Liu, C. DNS &amp; BIND Cookbook. O’Reilly and Associates, Oct 2002</reference>
12152: <Group id="group-3.14.1" hidden="false">
12153: <title xml:lang="en">Disable DNS Server if Possible</title>
12154: <description xml:lang="en">
12155: Is there an operational need for this machine to act as a DNS
12156: server for this site? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12157: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12158: If not, disable the software and remove it from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12159: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12160: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig named off <xhtml:br/>
12161: # yum erase bind <xhtml:br/></xhtml:code>
12162: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12163: DNS software should be disabled on any machine which
12164: does not need to be a nameserver. Note that the BIND DNS server software is not installed
12165: on RHEL5 by default. The remainder of this section discusses secure configuration of
12166: machines which must be nameservers.</description>
12167: <Rule id="rule-3.14.1.a" selected="false" weight="10.000000" severity="low">
12168: <title xml:lang="en">Disable DNS Server if Possible</title>
12169: <description xml:lang="en">The named service should be disabled.</description>
12170: <ident system="http://cce.mitre.org">CCE-3578-2</ident>
12171: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
12172: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12173: <check-content-ref name="oval:org.fedoraproject.f14:def:20311" href="scap-fedora14-oval.xml"/>
12174: </check>
12175: </Rule>
12176: <Rule id="rule-3.14.1.b" selected="false" weight="10.000000">
12177: <title xml:lang="en">Uninstall bind if Possible</title>
12178: <description xml:lang="en">The bind package should be uninstalled.</description>
12179: <ident system="http://cce.mitre.org">CCE-4219-2</ident>
12180: <fixtext xml:lang="en">(1) via yum</fixtext>
12181: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12182: <check-content-ref name="oval:org.fedoraproject.f14:def:20312" href="scap-fedora14-oval.xml"/>
12183: </check>
12184: </Rule>
12185: </Group>
12186: <Group id="group-3.14.2" hidden="false">
12187: <title xml:lang="en">Run the BIND9 Software if DNS Service is Needed</title>
12188: <description xml:lang="en">
12189: It is highly recommended that the BIND9 software be used to
12190: provide DNS service. BIND is the Internet standard Unix nameserver, and, while it has had
12191: security problems in the past, it is also well-maintained and Red Hat is likely to quickly
12192: issue updates in response to any problems discovered in the future. In addition, BIND
12193: version 9 has new security features and more secure default settings than earlier
12194: versions. In particular, BIND version 4 is no longer recommended for production use, and
12195: BIND4 servers should be upgraded to a newer version as soon as possible.</description>
12196: </Group>
12197: <Group id="group-3.14.3" hidden="false">
12198: <title xml:lang="en">Isolate DNS from Other Services</title>
12199: <description xml:lang="en">
12200: This section discusses mechanisms for preventing the DNS server
12201: from interfering with other services. This is done both to protect the remainder of the
12202: network should a nameserver be compromised, and to make direct attacks on nameservers more
12203: difficult.</description>
12204: <Group id="group-3.14.3.1" hidden="false">
12205: <title xml:lang="en">Run DNS Software on Dedicated Servers if Possible</title>
12206: <description xml:lang="en">
12207: Since DNS is a high-risk service which must frequently be made
12208: available to the entire Internet, it is strongly recommended that no other services be
12209: offered by machines which act as organizational DNS servers.</description>
12210: </Group>
12211: <Group id="group-3.14.3.2" hidden="false">
12212: <title xml:lang="en">Run DNS Software in a chroot Jail</title>
12213: <description xml:lang="en">
12214: Install the bind-chroot package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12215: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12216: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install bind-chroot<xhtml:br/></xhtml:code>
12217: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12218: Place a valid named.conf file inside the chroot jail: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12219: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /etc/named.conf /var/named/chroot/etc/named.conf <xhtml:br/>
12220: # chown root:root /var/named/chroot/etc/named.conf <xhtml:br/>
12221: # chmod 644 /var/named/chroot/etc/named.conf <xhtml:br/></xhtml:code>
12222: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>If named.conf contains key secrets (rndc or TSIG key statements, or an include of a key file), do not leave it world-readable: use chown root:named and chmod 640 instead, so that the named daemon can read the file but other local accounts cannot, and apply the same permissions to any included key file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12223: Create and populate an appropriate zone
12224: directory within the jail, based on the options directive. If your named.conf includes:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12225: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12226: options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12227: directory "/path/to/DIRNAME"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12228: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12229: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12230: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12231: then copy that directory and its contents from the original zone directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12232: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12233: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME<xhtml:br/></xhtml:code>
12234: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12235: Edit the file /etc/sysconfig/named. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12236: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12237: ROOTDIR=/var/named/chroot<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12238: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12239: Chroot jails are not foolproof. However, they serve to make it more difficult for a
12240: compromised program to be used to attack the entire host. They do this by restricting a
12241: program's ability to traverse the directory upward, so that files outside the jail are
12242: not visible to the chrooted process. Since RHEL5 supports a standard mechanism for
12243: placing BIND in a chroot jail, you should take advantage of this feature. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12244: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12245: Note: If you
12246: are running BIND in a chroot jail, then you should use the jailed named.conf as the
12247: primary nameserver configuration file. That is, when this guide recommends editing
12248: /etc/named.conf, you should instead edit /var/named/chroot/etc/named.conf.</description>
12249: <Value id="var-3.14.3.2.a" operator="equals" type="string">
12250: <title xml:lang="en">group owner of jail</title>
12251: <description xml:lang="en">Specify group owner of /var/named/chroot/etc/named.conf</description>
12252: <question xml:lang="en">Specify group owner of /var/named/chroot/etc/named.conf</question>
12253: <value>root</value>
12254: <value selector="root">root</value>
12255: </Value>
12256: <Value id="var-3.14.3.2.b" operator="equals" type="string">
12257: <title xml:lang="en">user owner of jail</title>
12258: <description xml:lang="en">Specify user owner of /var/named/chroot/etc/named.conf</description>
12259: <question xml:lang="en">Specify user owner of /var/named/chroot/etc/named.conf</question>
12260: <value>root</value>
12261: <value selector="root">root</value>
12262: </Value>
12263: <Value id="var-3.14.3.2.c" operator="equals" type="string">
12264: <title xml:lang="en">permission of jail</title>
12265: <description xml:lang="en">Specify file permissions on /var/named/chroot/etc/named.conf</description>
12266: <question xml:lang="en">Specify permissions of /var/named/chroot/etc/named.conf</question>
12267: <value>110100100</value>
12268: <value selector="400">100000000</value>
12269: <value selector="644">110100100</value>
12270: <value selector="700">111000000</value>
12271: <match>^[01]+$</match>
12272: </Value>
12273: <Rule id="rule-3.14.3.2.a" selected="false" weight="10.000000">
12274: <title xml:lang="en">Run DNS Software in a chroot Jail owned by root group</title>
12275: <description xml:lang="en">The /var/named/chroot/etc/named.conf file should be owned by the appropriate group.</description>
12276: <ident system="http://cce.mitre.org">CCE-3985-9</ident>
12277: <fixtext xml:lang="en">(1) via chown</fixtext>
12278: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12279: <check-export export-name="oval:org.fedoraproject.f14:var:20313" value-id="var-3.14.3.2.a"/>
12280: <check-content-ref name="oval:org.fedoraproject.f14:def:20313" href="scap-fedora14-oval.xml"/>
12281: </check>
12282: </Rule>
12283: <Rule id="rule-3.14.3.2.b" selected="false" weight="10.000000">
12284: <title xml:lang="en">Run DNS Software in a chroot Jail owned by root user</title>
12285: <description xml:lang="en">The /var/named/chroot/etc/named.conf file should be owned by the appropriate user.</description>
12286: <ident system="http://cce.mitre.org">CCE-4258-0</ident>
12287: <fixtext xml:lang="en">(1) via chown</fixtext>
12288: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12289: <check-export export-name="oval:org.fedoraproject.f14:var:20314" value-id="var-3.14.3.2.b"/>
12290: <check-content-ref name="oval:org.fedoraproject.f14:def:20314" href="scap-fedora14-oval.xml"/>
12291: </check>
12292: </Rule>
12293: <Rule id="rule-3.14.3.2.c" selected="false" weight="10.000000">
12294: <title xml:lang="en">Set permissions on chroot Jail for DNS</title>
12295: <description xml:lang="en">File permissions for /var/named/chroot/etc/named.conf should be set correctly.</description>
12296: <ident system="http://cce.mitre.org">CCE-4487-5</ident>
12297: <fixtext xml:lang="en">(1) via chmod</fixtext>
12298: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12299: <check-export export-name="oval:org.fedoraproject.f14:var:20315" value-id="var-3.14.3.2.c"/>
12300: <check-content-ref name="oval:org.fedoraproject.f14:def:20315" href="scap-fedora14-oval.xml"/>
12301: </check>
12302: </Rule>
12303: </Group>
12304: <Group id="group-3.14.3.3" hidden="false">
12305: <title xml:lang="en">Configure Firewalls to Protect the DNS Server</title>
12306: <description xml:lang="en">
12307: Edit the file /etc/sysconfig/iptables. Add the following lines,
12308: ensuring that they appear before the final LOG and DROP lines for the
12309: RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12310: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12311: -A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12312: -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12313: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12314: These
12315: lines are necessary in order to allow remote machines to contact the DNS server. If this
12316: server is only available to the local network, it may be appropriate to add a -s flag
12317: to these rules so that only packets sourced from the local network are accepted. See Section
12318: 3.5.1.2 for an example of such a modification. See Section 2.5.5 for general information
12319: about iptables.</description>
12320: </Group>
12321: </Group>
12322: <Group id="group-3.14.4" hidden="false">
12323: <title xml:lang="en">Protect DNS Data from Tampering or Attack</title>
12324: <description xml:lang="en">This section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data.</description>
12325: <Group id="group-3.14.4.1" hidden="false">
12326: <title xml:lang="en">Run Separate DNS Servers for External and Internal Queries if
12327: Possible</title>
12328: <description xml:lang="en">
12329: Is it possible to run external and internal nameservers on
12330: separate machines? If so, follow the configuration guidance in this section. If not, see
12331: Section 3.14.4.2 for an alternate approach using BIND9. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12332: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12333: On the external nameserver, edit /etc/named.conf. Add or correct the following
12334: directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12335: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12336: options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12337: allow-query { any; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12338: recursion no; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12339: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12340: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12341: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12342: zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12343: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12344: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12345: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12346: On the internal nameserver, edit
12347: /etc/named.conf. Add or correct the following directives, where SUBNET is the numerical
12348: IP representation of your organization in the form xxx.xxx.xxx.xxx/xx: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12349: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12350: acl internal {<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12351: SUBNET ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12352: localhost; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12353: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12354: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12355: options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12356: allow-query { internal; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12357: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12358: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12359: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12360: zone "internal.example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12361: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12362: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12363: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12364: Enterprise nameservers generally serve two
12365: functions. One is to provide public information about the machines in a domain for the
12366: benefit of outside users who wish to contact those machines, for instance in order to
12367: send mail to users in the enterprise, or to visit the enterprise's external web page.
12368: The other is to provide nameservice to client machines within the enterprise. Client
12369: machines require both private information about enterprise machines (which may be
12370: different from the public information served to the rest of the world) and public
12371: information about machines outside the enterprise, which is used to send mail or visit
12372: websites outside of the organization. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12373: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12374: In order to provide the public nameservice
12375: function, it is necessary to share data with untrusted machines which request it —
12376: otherwise, the enterprise cannot be conveniently contacted by outside users. However,
12377: internal data should be protected from disclosure, and serving irrelevant public name
12378: queries for outside domains leaves the DNS server open to cache poisoning and other
12379: attacks. Therefore, local network nameservice functions should not be provided to
12380: untrusted machines. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12381: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12382: Separate machines should be used to fill these two functions whenever possible.</description>
12383: </Group>
12384: <Group id="group-3.14.4.2" hidden="false">
12385: <title xml:lang="en">Use Views to Partition External and Internal Information if Necessary</title>
12386: <description xml:lang="en">
12387: If it is not possible to run external and internal nameservers
12388: on separate physical machines, run BIND9 and simulate this feature using views. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12389: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12390: Edit
12391: /etc/named.conf. Add or correct the following directives (where SUBNET is the numerical
12392: IP representation of your organization in the form xxx.xxx.xxx.xxx/xx): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12393: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12394: acl internal {<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12395: SUBNET ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12396: localhost; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12397: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12398: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12399: view "internal-view" { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12400: match-clients { internal; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12401: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12402: zone "." IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12403: type hint; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12404: file "db.cache"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12405: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12406: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12407: zone "internal.example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12408: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12409: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12410: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12411: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12412: view "external-view" { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12413: match-clients { any; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12414: recursion no; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12415: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12416: zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12417: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12418: };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12419: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12420: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12421: The view feature is provided by BIND9 as a way to allow a single nameserver to make
12422: different sets of data available to different sets of clients. If possible, it is always
12423: better to run external and internal nameservers on separate machines, so that even
12424: complete compromise of the external server cannot be used to obtain internal data or
12425: confuse internal DNS clients. However, this is not always feasible, and use of a feature
12426: like views is preferable to leaving internal DNS data entirely unprotected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12427: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12428: Note: As
12429: shown in the example, database files which are required for recursion, such as the root
12430: hints file, must be available to any clients which are allowed to make recursive
12431: queries. Under typical circumstances, this includes only the internal clients which are
12432: allowed to use this server as a general-purpose nameserver.</description>
12433: </Group>
12434: <Group id="group-3.14.4.3" hidden="false">
12435: <title xml:lang="en">Disable Zone Transfers from the Nameserver if Possible</title>
12436: <description xml:lang="en">
12437: Is it necessary for a secondary nameserver to receive zone data
12438: via zone transfer from the primary server? If not, follow the instructions in this
12439: section. If so, see the next section for instructions on protecting zone transfers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12440: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12441: Edit /etc/named.conf. Add or correct the following directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12442: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12443: options { allow-transfer { none; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12444: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12445: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12446: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12447: If both the primary and secondary nameserver are under your control, or
12448: if you have only one nameserver, it may be possible to use an external configuration
12449: management mechanism to distribute zone updates. In that case, it is not necessary to
12450: allow zone transfers within BIND itself, so they should be disabled to avoid the
12451: potential for abuse.</description>
12452: </Group>
12453: <Group id="group-3.14.4.4" hidden="false">
12454: <title xml:lang="en">Authenticate Zone Transfers if Necessary</title>
12455: <description xml:lang="en">
12456: If it is necessary for a secondary nameserver to receive zone
12457: data via zone transfer from the primary server, follow the instructions here. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12458: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12459: Use dnssec-keygen to create a symmetric key file in the current directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12460: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12461: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /tmp <xhtml:br/>
12462: # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com <xhtml:br/></xhtml:code>
12463: Kdns.example.com.+NNN+MMMMM<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12464: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12465: This output is the name of a file containing the new key. Read the file to find the
12466: base64-encoded key string: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12467: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12468: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cat Kdns.example.com.+NNN+MMMMM.key <xhtml:br/></xhtml:code>
12469: dns.example.com IN KEY 512 3 157 base64-key-string <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12470: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12471: Edit /etc/named.conf on the primary nameserver. Add the directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12472: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12473: key zone-transfer-key { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12474: algorithm hmac-md5; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12475: secret "base64-key-string"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12476: };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12477: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12478: zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12479: type master; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12480: allow-transfer { key zone-transfer-key; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12481: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12482: };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12483: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12484: Edit /etc/named.conf on the secondary nameserver. Add the directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12485: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12486: key zone-transfer-key { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12487: algorithm hmac-md5; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12488: secret "base64-key-string"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12489: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12490: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12491: server IP-OF-MASTER { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12492: keys { zone-transfer-key; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12493: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12494: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12495: zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12496: type slave;<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12497: masters { IP-OF-MASTER ; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12498: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12499: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12500: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12501: The BIND transaction signature (TSIG) functionality
12502: allows primary and secondary nameservers to use a shared secret to verify authorization
12503: to perform zone transfers. This method is more secure than using IP-based limiting to
12504: restrict nameserver access, since IP addresses can be easily spoofed. HMAC-MD5 is shown in the example above; where both servers support it, a stronger TSIG algorithm such as HMAC-SHA256 (dnssec-keygen -a HMAC-SHA256, and algorithm hmac-sha256; in named.conf) should be preferred. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12505: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12506: However, if you
12507: cannot configure TSIG between your servers because, for instance, the secondary
12508: nameserver is not under your control and its administrators are unwilling to configure
12509: TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs
12510: as a last resort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12511: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12512: Note: The purpose of the dnssec-keygen command is to create the shared
12513: secret string base64-key-string . Once this secret has been obtained and inserted into
12514: named.conf on the primary and secondary servers, the key files
12515: Kdns.example.com.+NNN+MMMMM.key and Kdns.example.com.+NNN+MMMMM.private are no longer
12516: needed, and may safely be deleted.</description>
12517: </Group>
12518: <Group id="group-3.14.4.5" hidden="false">
12519: <title xml:lang="en">Disable Dynamic Updates if Possible</title>
12520: <description xml:lang="en">
12521: Is there a mission-critical reason to enable the risky dynamic
12522: update functionality? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12523: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12524: Edit /etc/named.conf. For each zone specification, correct
12525: the following directive if necessary: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12526: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12527: zone "example.com" IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12528: allow-update { none; };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12529: ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12530: }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12531: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12532: Dynamic updates allow remote servers to add, delete, or modify any entries in your
12533: zone file. Therefore, they should be considered highly risky, and disabled unless there
12534: is a very good reason for their use. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12535: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12536: If dynamic updates must be allowed, IP-based ACLs
12537: are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see
12538: the previous section for an example), and consider using the update-policy directive to
12539: restrict changes to only the precise type of change needed.</description>
12540: <Rule id="rule-3.14.4.5.a" selected="false" weight="10.000000">
12541: <title xml:lang="en">Disable DNS Dynamic Updates if Possible</title>
12542: <description xml:lang="en">DNS dynamic updates (allow-update in /etc/named.conf) should be disabled</description>
12543: <ident system="http://cce.mitre.org">CCE-4399-2</ident>
12544: <fixtext xml:lang="en">(1) via /etc/named.conf</fixtext>
12545: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12546: <check-content-ref name="oval:org.fedoraproject.f14:def:20316" href="scap-fedora14-oval.xml"/>
12547: </check>
12548: </Rule>
12549: </Group>
12550: </Group>
12551: </Group>
12552: <Group id="group-3.15" hidden="false">
12553: <title xml:lang="en">FTP Server</title>
12554: <description xml:lang="en">
12555: FTP is a common method for allowing remote access to files. Like
12556: telnet, the FTP protocol is unencrypted, which means that passwords and other data
12557: transmitted during the session can be captured and that the session is vulnerable to
12558: hijacking. Therefore, running the FTP server software is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12559: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12560: However, there are
12561: some FTP server configurations which may be appropriate for some environments, particularly
12562: those which allow only read-only anonymous access as a means of downloading data available
12563: to the public.</description>
12564: <Group id="group-3.15.1" hidden="false">
12565: <title xml:lang="en">Disable vsftpd if Possible</title>
12566: <description xml:lang="en">
12567: Is there a mission-critical reason for the machine to act as an
12568: FTP server? If not, disable vsftpd if it has been installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12569: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12570: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig vsftpd off</xhtml:code></description>
12571: <Rule id="rule-3.15.1.a" selected="false" weight="10.000000" severity="low">
12572: <title xml:lang="en">Disable vsftpd if Possible</title>
12573: <description xml:lang="en">The vsftpd service should be disabled.</description>
12574: <ident system="http://cce.mitre.org">CCE-3919-8</ident>
12575: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
12576: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12577: <check-content-ref name="oval:org.fedoraproject.f14:def:20317" href="scap-fedora14-oval.xml"/>
12578: </check>
12579: </Rule>
12580: <Rule id="rule-3.15.1.b" selected="false" weight="10.000000" severity="low">
12581: <title xml:lang="en">Uninstall vsftpd if Possible</title>
12582: <description xml:lang="en">The vsftpd service should be uninstalled.</description>
12583: <ident system="http://cce.mitre.org">CCE-3919-8</ident>
12584: <fixtext xml:lang="en">(1) via yum</fixtext>
12585: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12586: <check-content-ref name="oval:org.fedoraproject.f14:def:203175" href="scap-fedora14-oval.xml"/>
12587: </check>
12588: </Rule>
12589: </Group>
12590: <Group id="group-3.15.2" hidden="false">
12591: <title xml:lang="en">Use vsftpd to Provide FTP Service if Necessary</title>
12592: <description xml:lang="en">
12593: If this machine must operate as an FTP server, install the vsftpd
12594: package via the standard channels: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vsftpd</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> After RHEL 2.1, Red Hat switched
12595: from distributing wu-ftpd with RHEL to distributing vsftpd. For security and for
12596: consistency with future Red Hat releases, the use of vsftpd is recommended.</description>
12597: </Group>
12598: <Group id="group-3.15.3" hidden="false">
12599: <title xml:lang="en">Configure vsftpd Securely</title>
12600: <description xml:lang="en">
12601: The primary vsftpd configuration file is /etc/vsftpd.conf, if
12602: that file exists, or /etc/vsftpd/vsftpd.conf if it does not. For the remainder of this
12603: section, the phrase 'the configuration file' will refer to whichever of those files is
12604: appropriate for your environment.</description>
12605: <Group id="group-3.15.3.1" hidden="false">
12606: <title xml:lang="en">Enable Logging of All FTP Transactions</title>
12607: <description xml:lang="en">
12608: Edit the vsftpd configuration file. Add or correct the
12609: following configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12610: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12611: xferlog_std_format=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12612: log_ftp_protocol=YES <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12613: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12614: The
12615: modifications above ensure that all commands sent to the ftp server are logged using the
12616: verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12617: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12618: Note: If
12619: verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog
12620: will not also occur. However, the information about what files were downloaded is
12621: included in the information logged to vsftpd.log.</description>
12622: <Rule id="rule-3.15.3.1.a" selected="false" weight="10.000000" severity="low">
12623: <title xml:lang="en">Enable Logging of All FTP Transactions</title>
12624: <description xml:lang="en">Logging of vsftpd transactions should be enabled</description>
12625: <ident system="http://cce.mitre.org">CCE-4549-2</ident>
12626: <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12627: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12628: <check-content-ref name="oval:org.fedoraproject.f14:def:20318" href="scap-fedora14-oval.xml"/>
12629: </check>
12630: </Rule>
12631: </Group>
12632: <Group id="group-3.15.3.2" hidden="false">
12633: <title xml:lang="en">Create Warning Banners for All FTP Users</title>
12634: <description xml:lang="en">
12635: Edit the vsftpd configuration file. Add or correct the
12636: following configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12637: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12638: banner_file=/etc/issue <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12639: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12640: See Section 2.3.7 for an
12641: explanation of banner file use. This setting will cause the system greeting banner to be
12642: used for FTP connections as well.</description>
12643: <Rule id="rule-3.15.3.2.a" selected="false" weight="10.000000">
12644: <title xml:lang="en">Create Warning Banners for All FTP Users</title>
12645: <description xml:lang="en">A warning banner for all FTP users should be enabled</description>
12646: <ident system="http://cce.mitre.org">CCE-4554-2</ident>
12647: <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12648: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12649: <check-content-ref name="oval:org.fedoraproject.f14:def:20319" href="scap-fedora14-oval.xml"/>
12650: </check>
12651: </Rule>
12652: </Group>
12653: <Group id="group-3.15.3.3" hidden="false">
12654: <title xml:lang="en">Restrict the Set of Users Allowed to Access FTP</title>
12655: <description xml:lang="en">
12656: This section describes how to disable non-anonymous
12657: (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy
12658: applications, how to restrict insecure FTP login to only those users who have an
12659: identified need for this access.</description>
12660: <Group id="group-3.15.3.3.1" hidden="false">
12661: <title xml:lang="en">Restrict Access to Anonymous Users if Possible</title>
12662: <description xml:lang="en">
12663: Is there a mission-critical reason for users to transfer
12664: files to/from their own accounts using FTP, rather than using a secure protocol like
12665: SCP/SFTP? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12666: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12667: Edit the vsftpd configuration file. Add or correct the following
12668: configuration option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12669: local_enable=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12670: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12671: If non-anonymous FTP logins are necessary,
12672: follow the guidance in the remainder of this section to secure these logins as much as
12673: possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12674: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12675: The use of non-anonymous FTP logins is strongly discouraged. Since SSH
12676: clients and servers are widely available, and since SSH provides support for a
12677: transfer mode which resembles FTP in user interface, there is no good reason to allow
12678: password-based FTP access. See Section 3.5 for more information about SSH.</description>
12679: <Rule id="rule-3.15.3.3.1.a" selected="false" weight="10.000000" severity="high">
12680: <title xml:lang="en">Restrict Access to Anonymous Users if Possible</title>
12681: <description xml:lang="en">Local user login to the vsftpd service should be disabled</description>
12682: <ident system="http://cce.mitre.org">CCE-4443-8</ident>
12683: <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12684: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12685: <check-content-ref name="oval:org.fedoraproject.f14:def:20320" href="scap-fedora14-oval.xml"/>
12686: </check>
12687: </Rule>
12688: </Group>
12689: <Group id="group-3.15.3.3.2" hidden="false">
12690: <title xml:lang="en">Limit Users Allowed FTP Access if Necessary</title>
12691: <description xml:lang="en">
12692: If there is a mission-critical reason for users to access
12693: their accounts via the insecure FTP protocol, limit the set of users who are allowed
12694: this access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12695: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12696: Edit the vsftpd configuration file. Add or correct the following
12697: configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12698: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12699: userlist_enable=YES <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12700: userlist_file=/etc/vsftp.ftpusers<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12701: userlist_deny=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12702: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12703: Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should
12704: be allowed to access the system via ftp, add a line containing that user's name.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12705: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12706: USERNAME <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12707: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12708: If anonymous access is also required, add the anonymous usernames to
12709: /etc/vsftp.ftpusers as well: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12710: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12711: anonymous <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12712: ftp <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12713: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12714: Historically, the file /etc/ftpusers
12715: contained a list of users who were not allowed to access the system via ftp. It was
12716: used to prevent system users such as the root user from logging in via the insecure
12717: ftp protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12718: However, when the configuration option userlist_deny=NO is set, vsftpd
12719: interprets ftpusers as the set of users who are allowed to log in via ftp. Since it
12720: should be possible for most users to access their accounts via secure protocols, it is
12721: recommended that this setting be used, so that non-anonymous ftp access can be limited
12722: to legacy users who have been explicitly identified.</description>
12723: </Group>
12724: </Group>
12725: <Group id="group-3.15.3.4" hidden="false">
12726: <title xml:lang="en">Disable FTP Uploads if Possible</title>
12727: <description xml:lang="en">
12728: Is there a mission-critical reason for users to upload files
12729: via FTP? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12730: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12731: Edit the vsftpd configuration file. Add or correct the following
12732: configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12733: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12734: write_enable=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12735: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12736: If FTP uploads are necessary, follow the guidance
12737: in the remainder of this section to secure these transactions as much as possible.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12738: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12739: Anonymous FTP can be a convenient way to make files available for universal download.
12740: However, it is less common to have a need to allow unauthenticated users to place files
12741: on the FTP server. If this must be done, it is necessary to ensure that files cannot be
12742: uploaded and downloaded from the same directory.</description>
12743: <Rule id="rule-3.15.3.4.a" selected="false" weight="10.000000" severity="medium">
12744: <title xml:lang="en">Disable FTP Uploads if Possible</title>
12745: <description xml:lang="en">File uploads via vsftpd should be disabled</description>
12746: <ident system="http://cce.mitre.org">CCE-4461-0</ident>
12747: <fixtext xml:lang="en">(1) via /etc/vsftpd.conf</fixtext>
12748: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12749: <check-content-ref name="oval:org.fedoraproject.f14:def:20321" href="scap-fedora14-oval.xml"/>
12750: </check>
12751: </Rule>
12752: </Group>
12753: <Group id="group-3.15.3.5" hidden="false">
12754: <title xml:lang="en">Place the FTP Home Directory on its Own Partition</title>
12755: <description xml:lang="en">
12756: By default, the anonymous FTP root is the home directory of the
12757: ftp user account. The df command can be used to verify that this directory is on its own
12758: partition. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12759: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12760: If there is a mission-critical reason for anonymous users to upload files,
12761: precautions must be taken to prevent these users from filling a disk used by other
12762: services.</description>
12763: </Group>
12764: <Group id="group-3.15.3.6" hidden="false">
12765: <title xml:lang="en">Configure Firewalls to Protect the FTP Server</title>
12766: <description xml:lang="en">
12767: Edit the file /etc/sysconfig/iptables. Add the following lines,
12768: ensuring that they appear before the final LOG and DROP lines for the
12769: RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12770: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12771: -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12772: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12773: Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated
12774: list of modules contains the FTP connection tracking module:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12775: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12776: IPTABLES_MODULES="ip_conntrack_ftp" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12777: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12778: These settings configure iptables to allow
12779: connections to an FTP server. The first line allows initial connections to the FTP
12780: server port. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12781: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12782: FTP is an older protocol which is not very compatible with firewalls.
12783: During the initial FTP dialogue, the client and server negotiate an arbitrary port to be
12784: used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to
12785: that dialogue and allow connections to the data ports which FTP negotiates. This allows
12786: an FTP server to operate on a machine which is running a firewall.</description>
12787: </Group>
12788: </Group>
12789: </Group>
12790: <Group id="group-3.16" hidden="false">
12791: <title xml:lang="en">Web Server</title>
12792: <description xml:lang="en">
12793: The web server is responsible for providing access to content via
12794: the HTTP protocol. Web servers represent a significant security risk because: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12795: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12796: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
12797: <xhtml:li>The HTTP port is commonly probed by malicious sources </xhtml:li>
12798: <xhtml:li>Web server software is very complex, and includes a long history of vulnerabilities </xhtml:li>
12799: <xhtml:li>The HTTP protocol is unencrypted and vulnerable to passive monitoring </xhtml:li>
12800: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12801: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12802: The system's default web server software is Apache 2 and is provided
12803: in the RPM package httpd.</description>
12804: <reference href="">Ristic, I. Apache Security. O’Reilly and Associates, Mar 2005</reference>
12805: <Group id="group-3.16.1" hidden="false">
12806: <title xml:lang="en">Disable Apache if Possible</title>
12807: <description xml:lang="en">
12808: If Apache was installed and activated, but the system does not
12809: need to act as a web server, then it should be disabled and removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12810: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12811: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig httpd off <xhtml:br/>
12812: # yum erase httpd</xhtml:code></description>
12813: <Rule id="rule-3.16.1.a" selected="false" weight="10.000000" severity="low">
12814: <title xml:lang="en">Disable Apache if Possible</title>
12815: <description xml:lang="en">The httpd service should be disabled.</description>
12816: <ident system="http://cce.mitre.org">CCE-4338-0</ident>
12817: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
12818: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12819: <check-content-ref name="oval:org.fedoraproject.f14:def:20322" href="scap-fedora14-oval.xml"/>
12820: </check>
12821: </Rule>
12822: <Rule id="rule-3.16.1.b" selected="false" weight="10.000000">
12823: <title xml:lang="en">Uninstall Apache if Possible</title>
12824: <description xml:lang="en">The httpd package should be uninstalled.</description>
12825: <ident system="http://cce.mitre.org">CCE-4514-6</ident>
12826: <fixtext xml:lang="en">(1) via yum</fixtext>
12827: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12828: <check-content-ref name="oval:org.fedoraproject.f14:def:20323" href="scap-fedora14-oval.xml"/>
12829: </check>
12830: </Rule>
12831: </Group>
12832: <Group id="group-3.16.2" hidden="false">
12833: <title xml:lang="en">Install Apache if Necessary</title>
12834: <description xml:lang="en">
12835: If the Apache web server must be run, follow these guidelines to
12836: install it defensively. Then follow the guidelines in the remainder of Section 3.16 to
12837: configure the web server machine and software as securely as possible.</description>
12838: <Group id="group-3.16.2.1" hidden="false">
12839: <title xml:lang="en">Install Apache Software Safely</title>
12840: <description xml:lang="en">
12841: Install the Apache 2 package from the standard Red Hat
12842: distribution channel: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12843: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12844: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install httpd <xhtml:br/></xhtml:code>
12845: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12846: Note: This method of installation is
12847: recommended over installing the 'Web Server' package group during the system
12848: installation process. The Web Server package group includes many packages which are
12849: likely extraneous, while the command-line method installs only the required httpd
12850: package itself.</description>
12851: </Group>
12852: <Group id="group-3.16.2.2" hidden="false">
12853: <title xml:lang="en">Confirm Minimal Built-in Modules</title>
12854: <description xml:lang="en">
12855: The default Apache installation minimizes the number of modules
12856: that are compiled directly into the binary (core, prefork, http_core, mod_so). This
12857: minimizes risk by limiting the capabilities allowed by the webserver. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12858: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12859: Query the set of compiled-in modules using the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12860: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12861: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ httpd -l <xhtml:br/></xhtml:code>
12862: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12863: If the number of compiled-in
12864: modules is significantly larger than the aforementioned set, this guide recommends
12865: reinstalling Apache with a reduced configuration.</description>
12866: </Group>
12867: </Group>
12868: <Group id="group-3.16.3" hidden="false">
12869: <title xml:lang="en">Secure the Apache Configuration</title>
12870: <description xml:lang="en">
12871: The Apache configuration file is /etc/httpd/conf/httpd.conf.
12872: Apply the recommendations in the remainder of this section to this file.</description>
12873: <Group id="group-3.16.3.1" hidden="false">
12874: <title xml:lang="en">Restrict Information Leakage</title>
12875: <description xml:lang="en">
12876: The ServerTokens and ServerSignature directives determine how
12877: much information the web server discloses about the configuration of the system.
12878: ServerTokens Prod restricts information in page headers, returning only the word
12879: 'Apache.' ServerSignature Off keeps Apache from displaying the server version on error
12880: pages. It is a good security practice to limit the information provided to clients. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12881: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12882: Add
12883: or correct the following directives in /etc/httpd/conf/httpd.conf so that as little
12884: information as possible is released: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12885: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12886: ServerTokens Prod <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12887: ServerSignature Off</description>
12888: <Value id="var-3.16.3.1.a" operator="equals" type="string">
12889: <title xml:lang="en">value of ServerTokens</title>
12890: <description xml:lang="en">Tells apache to only return Apache in the Server header, returned on every page request.</description>
12891: <question xml:lang="en">Specify restrictions of provided information in page headers for web server</question>
12892: <value>Prod</value>
12893: <value selector="prod">Prod</value>
12894: </Value>
12895: <Value id="var-3.16.3.1.b" operator="equals" type="string">
12896: <title xml:lang="en">value of ServerSignature</title>
12897: <description xml:lang="en">Tells apache not to display the server version on error pages, or other pages it generates.</description>
12898: <question xml:lang="en">Enable/Disable Apache displaying the server version on error pages</question>
12899: <value>Off</value>
12900: <value selector="off">Off</value>
12901: </Value>
12902: <Rule id="rule-3.16.3.1.a" selected="false" weight="10.000000">
12903: <title xml:lang="en">Restrict Information Leakage using ServerTokens</title>
12904: <description xml:lang="en">The apache2 server's ServerTokens value should be set appropriately</description>
12905: <ident system="http://cce.mitre.org">CCE-4474-3</ident>
12906: <fixtext xml:lang="en">(1) via /etc/httpd/conf/httpd.conf</fixtext>
12907: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12908: <check-export export-name="oval:org.fedoraproject.f14:var:20324" value-id="var-3.16.3.1.a"/>
12909: <check-content-ref name="oval:org.fedoraproject.f14:def:20324" href="scap-fedora14-oval.xml"/>
12910: </check>
12911: </Rule>
12912: <Rule id="rule-3.16.3.1.b" selected="false" weight="10.000000">
12913: <title xml:lang="en">Restrict Information Leakage using ServerSignature</title>
12914: <description xml:lang="en">The apache2 server's ServerSignature value should be set appropriately</description>
12915: <ident system="http://cce.mitre.org">CCE-3756-4</ident>
12916: <fixtext xml:lang="en">(1) via /etc/httpd/conf/httpd.conf</fixtext>
12917: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
12918: <check-export export-name="oval:org.fedoraproject.f14:var:20325" value-id="var-3.16.3.1.b"/>
12919: <check-content-ref name="oval:org.fedoraproject.f14:def:20325" href="scap-fedora14-oval.xml"/>
12920: </check>
12921: </Rule>
12922: </Group>
12923: <Group id="group-3.16.3.2" hidden="false">
12924: <title xml:lang="en">Minimize Loadable Modules</title>
12925: <description xml:lang="en">
12926: A default installation of Apache includes a plethora of
12927: 'dynamically shared objects' (DSO) that are loaded at run-time. Unlike the
12928: aforementioned 'compiled-in' modules, a DSO can be disabled in the configuration file by
12929: removing the corresponding LoadModule directive. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12930: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12931: Note: A DSO only provides additional
12932: functionality if associated directives are included in the Apache configuration file. It
12933: should also be noted that removing a DSO will produce errors on Apache startup if the
12934: configuration file contains directives that apply to that module. Refer to
12935: http://httpd.apache.org/docs/ for details on which directives are associated with each
12936: DSO. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12937: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12938: Following each DSO removal, the configuration can be tested with the following command
12939: to check if everything still works: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12940: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12941: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service httpd configtest <xhtml:br/></xhtml:code>
12942: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12943: The purpose of each of
12944: the modules loaded by default will now be addressed one at a time. If none of a module's
12945: directives are being used, remove it.</description>
12946: <Group id="group-3.16.3.2.1" hidden="false">
12947: <title xml:lang="en">Apache Core Modules</title>
12948: <description xml:lang="en">
12949: These modules comprise a basic subset of modules that are
12950: likely needed for base Apache functionality; ensure they are not commented out in
12951: /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12952: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12953: LoadModule auth_basic_module modules/mod_auth_basic.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12954: LoadModule authn_default_module modules/mod_authn_default.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12955: LoadModule authz_host_module modules/mod_authz_host.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12956: LoadModule authz_user_module modules/mod_authz_user.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12957: LoadModule authz_groupfile_module modules/mod_authz_groupfile.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12958: LoadModule authz_default_module modules/mod_authz_default.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12959: LoadModule log_config_module modules/mod_log_config.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12960: LoadModule logio_module modules/mod_logio.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12961: LoadModule setenvif_module modules/mod_setenvif.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12962: LoadModule mime_module modules/mod_mime.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12963: LoadModule autoindex_module modules/mod_autoindex.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12964: LoadModule negotiation_module modules/mod_negotiation.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12965: LoadModule dir_module modules/mod_dir.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12966: LoadModule alias_module modules/mod_alias.so</description>
12967: </Group>
12968: <Group id="group-3.16.3.2.2" hidden="false">
12969: <title xml:lang="en">HTTP Basic Authentication</title>
12970: <description xml:lang="en">
12971: The following modules are necessary if this web server will
12972: provide content that will be restricted by a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12973: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12974: Authentication can be performed
12975: using local plain text password files (authn_file), local DBM password files
12976: (authn_dbm) or an LDAP directory (see Section 3.16.3.2.5). The only module required by the
12977: web server depends on your choice of authentication. Comment out the modules you don't
12978: need from the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12979: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12980: LoadModule authn_file_module modules/mod_authn_file.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12981: LoadModule authn_dbm_module modules/mod_authn_dbm.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12982: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12983: authn_alias allows for
12984: authentication based on aliases. authn_anon allows anonymous authentication similar to
12985: that of anonymous ftp sites. authz_owner allows authorization based on file ownership.
12986: authz_dbm allows for authorization based on group membership if the web server is
12987: using DBM authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12988: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12989: If the above functionality is unnecessary, comment out the
12990: related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12991: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
12992: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule authn_alias_module modules/mod_authn_alias.so <xhtml:br/>
12993: #LoadModule authn_anon_module modules/mod_authn_anon.so <xhtml:br/>
12994: #LoadModule authz_owner_module modules/mod_authz_owner.so <xhtml:br/>
12995: #LoadModule authz_dbm_module modules/mod_authz_dbm.so</xhtml:code></description>
12996: </Group>
12997: <Group id="group-3.16.3.2.3" hidden="false">
12998: <title xml:lang="en">HTTP Digest Authentication</title>
12999: <description xml:lang="en">
13000: This module provides encrypted authentication sessions.
13001: However, this module is rarely used and considered experimental. Alternate methods of
13002: encrypted authentication are recommended, such as SSL (Section 3.16.4.1). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13003: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13004: If the above
13005: functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13006: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13007: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule auth_digest_module modules/mod_auth_digest.so</xhtml:code></description>
13008: </Group>
13009: <Group id="group-3.16.3.2.4" hidden="false">
13010: <title xml:lang="en">mod_rewrite</title>
13011: <description xml:lang="en">
13012: The mod_rewrite module is very powerful and can protect
13013: against certain classes of web attacks. However, it is also very complex and has a
13014: significant history of vulnerabilities itself. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13015: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13016: If the above functionality is
13017: unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13018: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13019: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule rewrite_module modules/mod_rewrite.so</xhtml:code></description>
13020: </Group>
13021: <Group id="group-3.16.3.2.5" hidden="false">
13022: <title xml:lang="en">LDAP Support</title>
13023: <description xml:lang="en">
13024: This module provides HTTP authentication via an LDAP
13025: directory. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13026: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13027: If the above functionality is unnecessary, comment out the related modules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13028: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13029: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule ldap_module modules/mod_ldap.so <xhtml:br/>
13030: #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so <xhtml:br/></xhtml:code>
13031: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13032: If LDAP is to be used, SSL encryption (Section 3.16.4.1)
13033: should be used as well.</description>
13034: </Group>
13035: <Group id="group-3.16.3.2.6" hidden="false">
13036: <title xml:lang="en">Server Side Includes</title>
13037: <description xml:lang="en">
13038: Server Side Includes provide a method of dynamically
13039: generating web pages through the insertion of server-side code. However, the
13040: technology is also deprecated and introduces significant security concerns. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13041: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13042: If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13043: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13044: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule include_module modules/mod_include.so <xhtml:br/></xhtml:code>
13045: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13046: If there is a critical need for Server Side
13047: Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary
13048: code execution. Additionally, user supplied data should be encoded to prevent
13049: cross-site scripting vulnerabilities.</description>
13050: </Group>
13051: <Group id="group-3.16.3.2.7" hidden="false">
13052: <title xml:lang="en">MIME Magic</title>
13053: <description xml:lang="en">
13054: This module provides a second layer of MIME support that in
13055: most configurations is likely extraneous. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13056: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13057: If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13058: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13059: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule mime_magic_module modules/mod_mime_magic.so</xhtml:code></description>
13060: </Group>
13061: <Group id="group-3.16.3.2.8" hidden="false">
13062: <title xml:lang="en">WebDAV (Distributed Authoring and Versioning)</title>
13063: <description xml:lang="en">
13064: WebDAV is an extension of the HTTP protocol that provides
13065: distributed and collaborative access to web content. Due to a number of security
13066: concerns with WebDAV, its use is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13067: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13068: If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13069: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13070: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule dav_module modules/mod_dav.so <xhtml:br/>
13071: #LoadModule dav_fs_module modules/mod_dav_fs.so <xhtml:br/></xhtml:code>
13072: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13073: If there is a
13074: critical need for WebDAV, extra care should be taken in its configuration. Since DAV
13075: access allows remote clients to manipulate server files, any location on the server
13076: that is DAV enabled should be protected by encrypted authentication.</description>
13077: </Group>
13078: <Group id="group-3.16.3.2.9" hidden="false">
13079: <title xml:lang="en">Server Activity Status</title>
13080: <description xml:lang="en">
13081: This module provides real-time access to statistics on the
13082: internal operation of the web server. This is an unnecessary information leak and
13083: should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13084: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13085: If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13086: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13087: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule status_module modules/mod_status.so <xhtml:br/></xhtml:code>
13088: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13089: If there is a critical need
13090: for this module, ensure that access to the status page is properly restricted to a
13091: limited set of hosts in the status handler configuration.</description>
13092: </Group>
13093: <Group id="group-3.16.3.2.10" hidden="false">
13094: <title xml:lang="en">Web Server Configuration Display</title>
13095: <description xml:lang="en">
13096: This module creates a web page illustrating the configuration
13097: of the web server. This is an unnecessary information leak and should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13098: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13099: If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13100: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13101: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule info_module modules/mod_info.so <xhtml:br/></xhtml:code>
13102: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13103: If there is a critical need for this module, use the
13104: Location directive to provide an access control list to restrict access to the
13105: information.</description>
13106: </Group>
13107: <Group id="group-3.16.3.2.11" hidden="false">
13108: <title xml:lang="en">URL Correction on Misspelled Entries</title>
13109: <description xml:lang="en">
13110: This module attempts to find a document match by allowing one
13111: misspelling in an otherwise failed request. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13112: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13113: If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13114: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13115: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule speling_module modules/mod_speling.so <xhtml:br/></xhtml:code>
13116: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13117: This functionality weakens server security by making site enumeration easier.</description>
13118: </Group>
13119: <Group id="group-3.16.3.2.12" hidden="false">
13120: <title xml:lang="en">User-specific directories</title>
13121: <description xml:lang="en">
13122: The UserDir directive provides user-specific directory
13123: translation, allowing URLs based on associated usernames. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13124: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13125: If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13126: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13127: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule userdir_module modules/mod_userdir.so <xhtml:br/></xhtml:code>
13128: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13129: If there is a critical need for this module, include the line
13130: UserDir disabled root (at a minimum) in the configuration file. Ideally, UserDir
13131: should be disabled, and then enabled on a case-by-case basis for specific users that
13132: require this functionality. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13133: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13134: Note: A web server's users can be trivially enumerated
13135: using this module.</description>
13136: </Group>
13137: <Group id="group-3.16.3.2.13" hidden="false">
13138: <title xml:lang="en">Proxy Support</title>
13139: <description xml:lang="en">
13140: This module provides proxying support, allowing Apache to
13141: forward requests and serve as a gateway for other servers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13142: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13143: If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13144: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13145: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule proxy_module modules/mod_proxy.so <xhtml:br/>
13146: #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<xhtml:br/>
13147: #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so <xhtml:br/>
13148: #LoadModule proxy_http_module modules/mod_proxy_http.so <xhtml:br/>
13149: #LoadModule proxy_connect_module modules/mod_proxy_connect.so <xhtml:br/></xhtml:code>
13150: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13151: If proxy support is needed, load mod_proxy and the
13152: appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or
13153: mod_proxy_connect). Additionally, make certain that a server is secure before enabling proxying,
13154: as open proxy servers are a security risk. mod_proxy_balancer enables load balancing, but
13155: requires that mod_status be enabled. Since mod_status is not recommended, mod_proxy_balancer
13156: should be avoided as well.</description>
13157: </Group>
13158: <Group id="group-3.16.3.2.14" hidden="false">
13159: <title xml:lang="en">Cache Support</title>
13160: <description xml:lang="en">
13161: This module allows Apache to cache data, optimizing access to
13162: frequently accessed content. However, not only is it an experimental module, but it
13163: also introduces potential security flaws into the web server such as the possibility
13164: of circumventing Allow and Deny directives. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13165: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13166: If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13167: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13168: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule cache_module modules/mod_cache.so<xhtml:br/>
13169: #LoadModule disk_cache_module modules/mod_disk_cache.so <xhtml:br/>
13170: #LoadModule file_cache_module modules/mod_file_cache.so <xhtml:br/>
13171: #LoadModule mem_cache_module modules/mod_mem_cache.so <xhtml:br/></xhtml:code>
13172: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13173: If caching is required, it should not be enabled for any limited-access content.</description>
13174: </Group>
13175: <Group id="group-3.16.3.2.15" hidden="false">
13176: <title xml:lang="en">CGI Support (and Related Modules)</title>
13177: <description xml:lang="en">
13178: This module allows HTML to interact with the CGI web
13179: programming language. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13180: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13181: If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13182: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule cgi_module modules/mod_cgi.so <xhtml:br/>
13183: #LoadModule env_module modules/mod_env.so <xhtml:br/>
13184: #LoadModule actions_module modules/mod_actions.so <xhtml:br/>
13185: #LoadModule suexec_module modules/mod_suexec.so <xhtml:br/></xhtml:code>
13186: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13187: If the web server requires the use of CGI, enable
13188: the cgi module. If extended CGI functionality is required, include the appropriate
13189: modules. mod_env allows for control of the environment passed to CGI scripts. mod_actions
13190: allows CGI events to be triggered when files of a certain type are requested. mod_suexec
13191: allows CGI scripts to run as a specified user/group instead of as the server's
13192: user/group.</description>
13193: </Group>
13194: <Group id="group-3.16.3.2.16" hidden="false">
13195: <title xml:lang="en">Various Optional Components</title>
13196: <description xml:lang="en">
13197: The following modules perform very specific tasks, sometimes
13198: providing access to just a few additional directives. If this functionality is not
13199: required (or if you are not using these directives), comment out the associated
13200: module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13201: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13202: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
13203: <xhtml:li>External filtering (response passed through external program prior to client delivery) <xhtml:br/>
13204: <xhtml:br/>
13205: <xhtml:code>#LoadModule ext_filter_module modules/mod_ext_filter.so </xhtml:code></xhtml:li>
13206: <xhtml:li>User-specified
13207: Cache Control and Expiration <xhtml:br/>
13208: <xhtml:br/>
13209: <xhtml:code>#LoadModule expires_module modules/mod_expires.so</xhtml:code> </xhtml:li>
13210: <xhtml:li>Compression Output Filter (provides content compression prior to client delivery)<xhtml:br/>
13211: <xhtml:br/>
13212: <xhtml:code>#LoadModule deflate_module modules/mod_deflate.so </xhtml:code></xhtml:li>
13213: <xhtml:li>HTTP Response/Request Header Customization <xhtml:br/>
13214: <xhtml:br/>
13215: <xhtml:code>#LoadModule headers_module modules/mod_headers.so</xhtml:code> </xhtml:li>
13216: <xhtml:li>User activity monitoring via cookies <xhtml:br/>
13217: <xhtml:br/>
13218: <xhtml:code>#LoadModule usertrack_module modules/mod_usertrack.so </xhtml:code></xhtml:li>
13219: <xhtml:li>Dynamically configured mass virtual hosting <xhtml:br/>
13220: <xhtml:br/>
13221: <xhtml:code>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</xhtml:code></xhtml:li>
13222: </xhtml:ul>
13223: </description>
13224: </Group>
13225: </Group>
13226: <Group id="group-3.16.3.3" hidden="false">
13227: <title xml:lang="en">Minimize Configuration Files Included</title>
13228: <description xml:lang="en">
13229: The Include directive directs Apache to load supplementary
13230: configuration files from a provided path. The default configuration loads all files that
13231: end in .conf from the /etc/httpd/conf.d directory. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13232: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13233: To restrict excess configuration, the
13234: following line should be commented out and replaced with Include directives that only
13235: reference required configuration files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13236: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13237: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#Include conf.d/*.conf <xhtml:br/></xhtml:code>
13238: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13239: If the above change was
13240: made, ensure that the SSL encryption remains loaded by explicitly including the
13241: corresponding configuration file: (see Section 3.16.4.1 for further details on SSL
13242: configuration) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13243: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13244: Include conf.d/ssl.conf <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13245: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13246: If PHP is necessary, a similar alteration must be
13247: made: (see Section 3.16.4.4.1 for further details on PHP configuration) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13248: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13249: Include conf.d/php.conf</description>
13250: </Group>
13251: <Group id="group-3.16.3.4" hidden="false">
13252: <title xml:lang="en">Directory Restrictions</title>
13253: <description xml:lang="en">
13254: The Directory tags in the web server configuration file allow
13255: finer grained access control for a specified directory. All web directories should be
13256: configured on a case-by-case basis, allowing access only where needed.</description>
13257: <Group id="group-3.16.3.4.1" hidden="false">
13258: <title xml:lang="en">Restrict Root Directory</title>
13259: <description xml:lang="en">
13260: The Apache root directory should always have the most
13261: restrictive configuration enabled.
13262: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13263: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13264: <Directory />
13266: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13267: Options None
13268: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13269: AllowOverride None
13270: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13271: Order allow,deny
13273: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13274: </Directory>
13275: </description>
13276: </Group>
13277: <Group id="group-3.16.3.4.2" hidden="false">
13278: <title xml:lang="en">Restrict Web Directory</title>
13279: <description xml:lang="en">
13280: The default configuration for the web (/var/www/html)
13281: Directory allows directory indexing (Indexes) and the following of symbolic links
13282: (FollowSymLinks). Neither of these is recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13283: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13284: The
13285: /var/www/html directory hierarchy should not be viewable via the web, and symlinks
13286: should only be followed if the owner of the symlink also owns the linked
13287: file.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13288: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13289: Ensure that this policy is adhered to by altering the
13290: related section of the configuration:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13291: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13292: <Directory
13293: "/var/www/html">
13294: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13295: # ...
13296: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13297: Options SymLinksIfOwnerMatch
13298: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13299: # ...
13300: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13301: </Directory>
13302: </description>
13303: </Group>
13304: <Group id="group-3.16.3.4.3" hidden="false">
13305: <title xml:lang="en">Restrict Other Critical Directories</title>
13306: <description xml:lang="en">
13307: All accessible web directories should be configured with
13308: similar restrictive settings. The Options directive should be limited to necessary
13309: functionality and the AllowOverride directive should be used only if needed. The Order
13310: and Deny access control tags should be used to deny access by default, allowing access
13311: only where necessary.</description>
13312: </Group>
13313: </Group>
13314: <Group id="group-3.16.3.5" hidden="false">
13315: <title xml:lang="en">Configure Authentication if Applicable</title>
13316: <description xml:lang="en">
13317: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
13318: <xhtml:li>Set up a password file. <xhtml:br/>
13319: <xhtml:br/>
13320: If a password file doesn't yet exist, one must be generated with the following command: <xhtml:br/>
13321: <xhtml:br/>
13322: <xhtml:code># htpasswd -cs passwdfile user <xhtml:br/></xhtml:code>
13323: <xhtml:br/>
13324: <xhtml:em>WARNING: This command will overwrite an existing file at this location.</xhtml:em>
13325: <xhtml:br/>
13326: Once a password file has been generated, subsequent users can be added with the
13327: following command: <xhtml:br/>
13328: <xhtml:br/>
13329: <xhtml:code># htpasswd -s passwdfile user </xhtml:code></xhtml:li>
13330: <xhtml:li>Optionally, set up a group file (if using group authentication). <xhtml:br/>
13331: <xhtml:br/>
13332: The group file is a plain text file of the following format
13333: (each group is on its own line, followed by a colon and a list of users that belong to
13334: that group, separated by spaces): <xhtml:br/>
13335: <xhtml:br/>
13336: group: user1 user2 <xhtml:br/>
13337: group2: user3 </xhtml:li>
13338: <xhtml:li>Modify file
13339: permissions so that Apache can read the group and passwd files: <xhtml:br/>
13340: <xhtml:br/>
13341: <xhtml:code># chgrp apache passwdfile groupfile <xhtml:br/>
13342: # chmod 640 passwdfile groupfile </xhtml:code></xhtml:li>
13343: <xhtml:li>Turn on authentication for desired directories <xhtml:br/>
13344: <xhtml:br/>
13345: Add the following options inside the appropriate Directory tag: <xhtml:br/>
13346: <xhtml:br/>
13347: <xhtml:ul>
13348: <xhtml:li>For single-user authentication: <xhtml:br/>
13349: <Directory "directory "> <xhtml:br/>
13350: # ... <xhtml:br/>
AuthName "Private Data" <xhtml:br/>
13351: AuthType Basic <xhtml:br/>
13352: AuthUserFile passwdfile <xhtml:br/>
13353: require user user <xhtml:br/>
13354: # ...<xhtml:br/>
13355: </Directory> </xhtml:li>
13356: <xhtml:li>For multiple-user authentication restricted by groups:<xhtml:br/>
13357: <Directory "directory "> <xhtml:br/>
13358: # ... <xhtml:br/>
13359: AuthName "Private Data" <xhtml:br/>
13360: AuthType Basic<xhtml:br/>
13361: <xhtml:br/>
13362: AuthUserFile passwdfile <xhtml:br/>
13363: AuthGroupFile groupfile <xhtml:br/>
13364: require group group <xhtml:br/>
13365: # ...<xhtml:br/>
13366: </Directory> </xhtml:li>
13367: <xhtml:li>For multiple-user authentication restricted by valid user accounts: <xhtml:br/>
13368: <xhtml:br/>
13369: <Directory "directory "> <xhtml:br/>
13370: # ... <xhtml:br/>
13371: AuthName "Private Data" <xhtml:br/>
13372: AuthType Basic <xhtml:br/>
13373: AuthUserFile passwdfile <xhtml:br/>
13374: require valid-user <xhtml:br/>
13375: # ... <xhtml:br/>
13376: </Directory> </xhtml:li>
13377: </xhtml:ul>
13378: </xhtml:li>
13379: </xhtml:ol>
13380: The AuthName directive specifies a label for the protected content. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13381: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13382: The AuthType directive
13383: specifies the kind of authentication (if using Digest authentication, this line would
13384: instead read AuthType Digest). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13385: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13386: The AuthUserFile and AuthGroupFile directives point to the
13387: password and group files (if using Digest authentication, these directives would instead
13388: be AuthDigestFile and AuthDigestGroupFile.)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13389: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13390: The require user directive restricts access
13391: to a single user. The require group directive restricts access to multiple users in a
13392: designated group. The short-hand require valid-user directive restricts access to any
13393: user in the passwdfile. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13394: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13395: Note: Make sure the AuthUserFile and AuthGroupFile locations are
13396: outside the web server document tree to prevent remote clients from having access to
13397: restricted usernames and passwords. This guide recommends /etc/httpd/conf as a location
13398: for these files.</description>
13399: <warning xml:lang="en">Basic authentication is handled in plaintext over the network.
13400: Therefore, all login attempts are vulnerable to password sniffing. For increased
13401: protection against passive monitoring, encrypted authentication over a secure channel
13402: such as SSL (Section 3.16.4.1) is recommended. </warning>
13403: </Group>
13404: <Group id="group-3.16.3.6" hidden="false">
13405: <title xml:lang="en">Limit Available Methods</title>
13406: <description xml:lang="en">
13407: Web server methods are defined in section 9 of RFC 2616
13408: (http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the
13409: implementation of all available methods, they should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13410: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13411: Note: GET and POST are
13412: the most common methods. A majority of the others are limited to the WebDAV protocol.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13413: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13414: <Directory /var/www/html> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13415: # ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13416: # Only allow specific methods (this command is case-sensitive!) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13417: <LimitExcept GET POST> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13418: Order allow,deny<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13419: </LimitExcept> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13420: # ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13421: </Directory></description>
13422: </Group>
13423: </Group>
13424: <Group id="group-3.16.4" hidden="false">
13425: <title xml:lang="en">Use Appropriate Modules to Improve Apache's Security</title>
13426: <description xml:lang="en">
13427: Among the modules available for Apache are several whose use may
13428: improve the security of the web server installation. This section recommends and discusses
13429: the deployment of security-relevant modules.</description>
13430: <Group id="group-3.16.4.1" hidden="false">
13431: <title xml:lang="en">Deploy mod_ssl</title>
13432: <description xml:lang="en">
13433: Because HTTP is a plain text protocol, all traffic is
13434: susceptible to passive monitoring. If there is a need for confidentiality, SSL should be
13435: configured and enabled to encrypt content. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13436: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13437: Note: mod_nss is a FIPS 140-2 certified
13438: alternative to mod_ssl. The modules share a considerable amount of code and should be
13439: nearly identical in functionality. If FIPS 140-2 validation is required, then mod_nss
13440: should be used. If mod_ssl provides some needed feature or its greater compatibility is required,
13441: then mod_ssl should be used.</description>
13442: <Group id="group-3.16.4.1.1" hidden="false">
13443: <title xml:lang="en">Install mod_ssl</title>
13444: <description xml:lang="en">
13445: Install mod_ssl: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13446: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13447: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install mod_ssl</xhtml:code></description>
13448: </Group>
13449: <Group id="group-3.16.4.1.2" hidden="false">
13450: <title xml:lang="en">Create an SSL Certificate</title>
13451: <description xml:lang="en">
13452: On your CA (if you are using your own) or on another
13453: physically secure system, generate a key pair for the web server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13454: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13455: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/>
13456: # openssl genrsa -des3 -out httpserverkey.pem 2048 <xhtml:br/></xhtml:code>
13457: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13458: When prompted,
13459: enter a strong, unique passphrase to protect the web server key pair. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13460: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13461: Next, generate a Certificate Signing Request (CSR) from the key for the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13462: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13463: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key httpserverkey.pem -out httpserver.csr <xhtml:br/></xhtml:code>
13464: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13465: Enter the passphrase for the web server key pair
13466: and then fill out the fields as completely as possible (or hit return to accept
13467: defaults); the Common Name field is especially important. It must match the
13468: fully-qualified domain name of your server exactly (e.g. www.example.com) or the
13469: certificate will not work. The /etc/pki/tls/openssl.conf file will determine which
13470: other fields (e.g. Country Name, Organization Name, etc) must match between the server
13471: request and the CA. Leave the challenge password and an optional company name blank.
13472: Next, the web server CSR must be signed to create the web server certificate. You can
13473: either send the CSR to an established CA or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13474: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13475: To sign httpserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13476: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13477: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in httpserver.csr -out httpservercert.pem<xhtml:br/></xhtml:code>
13478: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13479: When prompted, enter the CA passphrase to continue and then complete the process. The
13480: httpservercert.pem certificate needed to enable SSL on the web server is now in the
13481: directory. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13482: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13483: Finally, the web server key and certificate file need to be moved to the
13484: web server. Use removable media if possible. Place the server key and certificate file
13485: in /etc/pki/tls/http/, naming them serverkey.pem and servercert.pem, respectively.</description>
13486: </Group>
13487: <Group id="group-3.16.4.1.3" hidden="false">
13488: <title xml:lang="en">Install SSL Certificate</title>
13489: <description xml:lang="en">
13490: Add or modify the configuration file
13491: /etc/httpd/conf.d/ssl.conf to match the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13492: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13493: # establish new listening port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13494: Listen 443 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13495: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13496: # seed appropriately <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13497: SSLRandomSeed startup file:/dev/urandom 1024<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13498: SSLRandomSeed connect file:/dev/urandom 1024 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13499: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13500: <VirtualHost site-on-certificate.com:443> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13501: # Enable SSL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13502: SSLEngine On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13503: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13504: # Path to server certificate + private key <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13505: SSLCertificateFile /etc/pki/tls/http/servercert.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13506: SSLCertificateKeyFile /etc/pki/tls/http/serverkey.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13507: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13508: SSLProtocol All -SSLv2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13509: # Weak ciphers and null authentication should be denied unless absolutely necessary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13510: # (and even then, such cipher weakening should occur within a Location enclosure)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13511: SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13512: </VirtualHost> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13513: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13514: Ensure that all
13515: directories that house SSL content are restricted to SSL access only in
13516: /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13517: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13518: <Directory /var/www/html/secure> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13519: # require SSL for access <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13520: SSLRequireSSL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13521: SSLOptions +StrictRequire <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13522: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13523: # require domain to match certificate domain <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13524: SSLRequire %{HTTP_HOST} eq "site-on-certificate.com" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13525: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13526: # rather than reply with 403 error, redirect user to appropriate site <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13527: # this is OPTIONAL - uncomment to apply <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13528: # ErrorDocument 403 https://site-on-certificate.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13529: </Directory></description>
13530: </Group>
13531: </Group>
13532: <Group id="group-3.16.4.2" hidden="false">
13533: <title xml:lang="en">Deploy mod_security</title>
13534: <description xml:lang="en">
13535: mod_security provides an application-level firewall for Apache.
13536: Following the installation of mod_security with the base ruleset, specific configuration
13537: advice can be found at http://www.modsecurity.org/ to design a policy that best matches
13538: the security needs of the web applications.</description>
13539: <Group id="group-3.16.4.2.1" hidden="false">
13540: <title xml:lang="en">Install mod_security</title>
13541: <description xml:lang="en">
13542: Install mod_security: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13543: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13544: # yum install mod_security</description>
13545: </Group>
13546: <Group id="group-3.16.4.2.2" hidden="false">
13547: <title xml:lang="en">Configure mod_security Filtering</title>
13548: <description xml:lang="en">
13549: mod_security supports a significant number of options, far
13550: too many to be fully covered in this guide. However, the following list comprises a
13551: smaller subset of suggested filters to be added to /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13552: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13553: # enable mod_security <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13554: SecFilterEngine On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13555: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13556: # enable POST filtering <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13557: SecFilterScanPost On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13558: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13559: # Make sure that URL encoding is valid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13560: SecFilterCheckURLEncoding On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13561: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13562: # Accept almost all byte values <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13563: SecFilterForceByteRange 1 255 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13564: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13565: # Prevent directory traversal <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13566: SecFilter "\.\./" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13567: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13568: # Filter on specific system paths <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13569: SecFilter /etc/passwd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13570: SecFilter /bin/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13571: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13572: # Prevent cross-site scripting <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13573: SecFilter "<[[:space:]]*script" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13574: # Prevent SQL injection <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13575: SecFilter "delete[[:space:]]+from" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13576: SecFilter "insert[[:space:]]+into"<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13577: SecFilter "select.+from"</description>
13578: </Group>
13579: </Group>
13580: <Group id="group-3.16.4.3" hidden="false">
13581: <title xml:lang="en">Use Denial-of-Service Protection Modules</title>
13582: <description xml:lang="en">
13583: Denial-of-service attacks are difficult to detect and prevent
13584: while maintaining acceptable access to authorized users. However, there are a number of
13585: traffic-shaping modules that attempt to address the problem. Well-known DoS protection
13586: modules include mod_throttle, mod_bwshare, mod_limitipconn and mod_dosevasive. It is
13587: recommended that denial-of-service prevention be implemented for the web server.
13588: However, this guide leaves specific configuration details to the discretion of the
13589: reader.</description>
13590: </Group>
13591: <Group id="group-3.16.4.4" hidden="false">
13592: <title xml:lang="en">Configure Supplemental Modules Appropriately</title>
13593: <description xml:lang="en">Any required functionality added to the web server via additional modules should be configured appropriately.</description>
13594: <Group id="group-3.16.4.4.1" hidden="false">
13595: <title xml:lang="en">Configure PHP Securely</title>
13596: <description xml:lang="en">
13597: PHP is a widely used and often misconfigured server-side
13598: scripting language. It should be used with caution, but configured appropriately when
13599: needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13600: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13601: Make the following changes to /etc/php.ini: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13602: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13603: # Do not expose PHP error messages to external users <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13604: display_errors = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13605: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13606: # Enable safe mode <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13607: safe_mode = On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13608: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13609: # Only allow access to executables in isolated directory <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13610: safe_mode_exec_dir = php-required-executables-path <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13611: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13612: # Limit external access to PHP environment<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13613: safe_mode_allowed_env_vars = PHP_ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13614: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13615: # Restrict PHP information leakage <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13616: expose_php = Off<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13617: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13618: # Log all errors <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13619: log_errors = On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13620: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13621: # Do not register globals for input data<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13622: register_globals = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13623: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13624: # Minimize allowable PHP post size <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13625: post_max_size = 1K <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13626: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13627: # Ensure PHP redirects appropriately <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13628: cgi.force_redirect = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13629: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13630: # Disallow uploading unless necessary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13631: file_uploads = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13632: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13633: # Disallow opening remote URLs through fopen-style calls<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13634: allow_url_fopen = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13635: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13636: # Enable SQL safe mode <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13637: sql.safe_mode = On</description>
13638: </Group>
13639: </Group>
13640: </Group>
13641: <Group id="group-3.16.5" hidden="false">
13642: <title xml:lang="en">Configure Operating System to Protect Web Server</title>
13643: <description xml:lang="en">
13644: The following configuration steps should be taken on the machine
13645: which hosts the web server, in order to provide as safe an environment as possible for the
13646: web server.</description>
13647: <Group id="group-3.16.5.1" hidden="false">
13648: <title xml:lang="en">Restrict File and Directory Access</title>
13649: <description xml:lang="en">
13650: Minimize access to critical Apache files and directories: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13651: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13652: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod 511 /usr/sbin/httpd <xhtml:br/>
13653: # chmod 750 /var/log/httpd/ <xhtml:br/>
13654: # chmod 750 /etc/httpd/conf/ <xhtml:br/>
13655: # chmod 640 /etc/httpd/conf/* <xhtml:br/>
13656: # chgrp -R apache /etc/httpd/conf</xhtml:code></description>
13657: <Value id="var-3.16.5.1.a" operator="equals" type="string">
13658: <title xml:lang="en">Directory permissions on /etc/httpd/conf</title>
13659: <description xml:lang="en">Specify directory permissions on /etc/httpd/conf</description>
13660: <question xml:lang="en">Specify directory permissions of /etc/httpd/conf</question>
13661: <value>111101000</value>
13662: <value selector="750">111101000</value>
13663: <match>^[01]+$</match>
13664: </Value>
13665: <Value id="var-3.16.5.1.b" operator="equals" type="string">
13666: <title xml:lang="en">File permissions on /etc/httpd/conf/*</title>
13667: <description xml:lang="en">Specify file permissions on /etc/httpd/conf/*</description>
13668: <question xml:lang="en">Specify file permissions of /etc/httpd/conf/*</question>
13669: <value>110100000</value>
13670: <value selector="640">110100000</value>
13671: <match>^[01]+$</match>
13672: </Value>
13673: <Value id="var-3.16.5.1.c" operator="equals" type="string">
13674: <title xml:lang="en">File permissions on /usr/sbin/httpd</title>
13675: <description xml:lang="en">Specify file permissions on /usr/sbin/httpd</description>
13676: <question xml:lang="en">Specify file permissions of /usr/sbin/httpd</question>
13677: <value>101001001</value>
13678: <value selector="511">101001001</value>
13679: <match>^[01]+$</match>
13680: </Value>
13681: <Value id="var-3.16.5.1.d" operator="equals" type="string">
13682: <title xml:lang="en">group owner of /etc/httpd/conf/*</title>
13683: <description xml:lang="en">Specify group owner of /etc/httpd/conf/*</description>
13684: <question xml:lang="en">Specify group owner of /etc/httpd/conf/*</question>
13685: <value>apache</value>
13686: <value selector="apache">apache</value>
13687: </Value>
13688: <Value id="var-3.16.5.1.e" operator="equals" type="string">
13689: <title xml:lang="en">File permissions on /var/log/httpd/</title>
13690: <description xml:lang="en">Specify file permissions on /var/log/httpd/</description>
13691: <question xml:lang="en">Specify file permissions of /var/log/httpd/</question>
13692: <value>111101000</value>
13693: <value selector="750">111101000</value>
13694: <match>^[01]+$</match>
13695: </Value>
13696: <Rule id="rule-3.16.5.1.a" selected="false" weight="10.000000">
13697: <title xml:lang="en">Restrict permissions on /etc/httpd/conf</title>
13698: <description xml:lang="en">File permissions for /etc/httpd/conf should be set correctly.</description>
13699: <ident system="http://cce.mitre.org">CCE-4509-6</ident>
13700: <fixtext xml:lang="en">(1) via chmod</fixtext>
13701: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13702: <check-export export-name="oval:org.fedoraproject.f14:var:20326" value-id="var-3.16.5.1.a"/>
13703: <check-content-ref name="oval:org.fedoraproject.f14:def:20326" href="scap-fedora14-oval.xml"/>
13704: </check>
13705: </Rule>
13706: <Rule id="rule-3.16.5.1.b" selected="false" weight="10.000000">
13707: <title xml:lang="en">Restrict permissions on /etc/httpd/conf/*</title>
13708: <description xml:lang="en">File permissions for /etc/httpd/conf/* should be set correctly.</description>
13709: <ident system="http://cce.mitre.org">CCE-4386-9</ident>
13710: <fixtext xml:lang="en">(1) via chmod</fixtext>
13711: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13712: <check-export export-name="oval:org.fedoraproject.f14:var:20327" value-id="var-3.16.5.1.b"/>
13713: <check-content-ref name="oval:org.fedoraproject.f14:def:20327" href="scap-fedora14-oval.xml"/>
13714: </check>
13715: </Rule>
13716: <Rule id="rule-3.16.5.1.c" selected="false" weight="10.000000">
13717: <title xml:lang="en">Restrict permissions on /usr/sbin/httpd</title>
13718: <description xml:lang="en">File permissions for /usr/sbin/httpd should be set correctly.</description>
13719: <ident system="http://cce.mitre.org">CCE-4029-5</ident>
13720: <fixtext xml:lang="en">(1) via chmod</fixtext>
13721: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13722: <check-export export-name="oval:org.fedoraproject.f14:var:20328" value-id="var-3.16.5.1.c"/>
13723: <check-content-ref name="oval:org.fedoraproject.f14:def:20328" href="scap-fedora14-oval.xml"/>
13724: </check>
13725: </Rule>
13726: <Rule id="rule-3.16.5.1.d" selected="false" weight="10.000000">
13727: <title xml:lang="en">Restrict group access to /etc/httpd/conf/*</title>
13728: <description xml:lang="en">The /etc/httpd/conf/* files should be owned by the appropriate group.</description>
13729: <ident system="http://cce.mitre.org">CCE-3581-6</ident>
13730: <fixtext xml:lang="en">(1) via chgrp</fixtext>
13731: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13732: <check-export export-name="oval:org.fedoraproject.f14:var:20329" value-id="var-3.16.5.1.d"/>
13733: <check-content-ref name="oval:org.fedoraproject.f14:def:20329" href="scap-fedora14-oval.xml"/>
13734: </check>
13735: </Rule>
13736: <Rule id="rule-3.16.5.1.e" selected="false" weight="10.000000">
13737: <title xml:lang="en">Restrict permissions on /var/log/httpd</title>
13738: <description xml:lang="en">File permissions for /var/log/httpd should be set correctly.</description>
13739: <ident system="http://cce.mitre.org">CCE-4574-0</ident>
13740: <fixtext xml:lang="en">(1) via chmod</fixtext>
13741: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13742: <check-export export-name="oval:org.fedoraproject.f14:var:20330" value-id="var-3.16.5.1.e"/>
13743: <check-content-ref name="oval:org.fedoraproject.f14:def:20330" href="scap-fedora14-oval.xml"/>
13744: </check>
13745: </Rule>
13746: </Group>
13747: <Group id="group-3.16.5.2" hidden="false">
13748: <title xml:lang="en">Configure iptables to Allow Access to the Web Server</title>
13749: <description xml:lang="en">
13750: Edit /etc/sysconfig/iptables. Add the following lines, ensuring
13751: that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13752: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13753: -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13754: -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13755: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13756: The default
13757: iptables configuration does not allow inbound access to the HTTP (80) and HTTPS (443)
13758: ports used by the web server. This modification allows that access, while keeping other
13759: ports on the server in their default protected state. See Section 2.5.5 for more
13760: information about iptables.</description>
13761: </Group>
13762: <Group id="group-3.16.5.3" hidden="false">
13763: <title xml:lang="en">Run Apache in a chroot Jail if Possible</title>
13764: <description xml:lang="en">
13765: Putting Apache in a chroot jail minimizes the damage done by a
13766: potential break-in by isolating the web server to a small section of the filesystem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13767: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13768: In
13769: order to configure Apache to run from a chroot directory, edit the Apache configuration
13770: file, /etc/httpd/conf/httpd.conf, and add the directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13771: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13772: SecChrootDir /chroot/apache <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13773: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13774: It
13775: is also necessary to place all files required by Apache inside the filesystem rooted at
13776: /chroot/apache, including Apache's binaries, modules, configuration files, and served
13777: web pages. The details of this configuration are beyond the scope of this guide.</description>
13778: </Group>
13779: </Group>
13780: <Group id="group-3.16.6" hidden="false">
13781: <title xml:lang="en">Additional Resources</title>
13782: <description xml:lang="en">
13783: Further resources should be consulted if your web server requires
13784: more extensive configuration guidance, especially if particular applications need to be
13785: secured. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13786: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13787: In particular, [26] is recommended as a more comprehensive guide to securing Apache.</description>
13788: </Group>
13789: </Group>
13790: <Group id="group-3.17" hidden="false">
13791: <title xml:lang="en">IMAP and POP3 Server</title>
13792: <description xml:lang="en">
13793: Dovecot provides IMAP and POP3 services. It is not installed by
13794: default. The project page at http://www.dovecot.org contains more detailed information
13795: about Dovecot configuration.</description>
13796: <Group id="group-3.17.1" hidden="false">
13797: <title xml:lang="en">Disable Dovecot if Possible</title>
13798: <description xml:lang="en">
13799: If the system does not need to operate as an IMAP or POP3 server,
13800: disable and remove Dovecot if it was installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13801: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13802: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig dovecot off <xhtml:br/>
13803: # yum erase dovecot</xhtml:code></description>
13804: <Rule id="rule-3.17.1.a" selected="false" weight="10.000000" severity="low">
13805: <title xml:lang="en">Disable Dovecot if Possible</title>
13806: <description xml:lang="en">The dovecot service should be disabled.</description>
13807: <ident system="http://cce.mitre.org">CCE-3847-1</ident>
13808: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
13809: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13810: <check-content-ref name="oval:org.fedoraproject.f14:def:20331" href="scap-fedora14-oval.xml"/>
13811: </check>
13812: </Rule>
13813: <Rule id="rule-3.17.1.b" selected="false" weight="10.000000">
13814: <title xml:lang="en">Uninstall Dovecot if Possible</title>
13815: <description xml:lang="en">The dovecot package should be uninstalled.</description>
13816: <ident system="http://cce.mitre.org">CCE-4239-0</ident>
13817: <fixtext xml:lang="en">(1) via yum</fixtext>
13818: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13819: <check-content-ref name="oval:org.fedoraproject.f14:def:20332" href="scap-fedora14-oval.xml"/>
13820: </check>
13821: </Rule>
13822: </Group>
13823: <Group id="group-3.17.2" hidden="false">
13824: <title xml:lang="en">Configure Dovecot if Necessary</title>
13825: <description xml:lang="en">Dovecot's main configuration file is /etc/dovecot.conf. The settings which appear, commented out, in the file are the defaults.</description>
13826: <Group id="group-3.17.2.1" hidden="false">
13827: <title xml:lang="en">Support Only the Necessary Protocols</title>
13828: <description xml:lang="en">
13829: Edit /etc/dovecot.conf. Add or correct the following lines,
13830: replacing PROTOCOL with only the subset of protocols (imap, imaps, pop3, pop3s)
13831: required: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13832: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13833: protocols = PROTOCOL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13834: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13835: Dovecot supports the IMAP and POP3 protocols, as well as
13836: SSL-protected versions of those protocols. Configure the Dovecot server to support only
13837: the protocols needed by your site. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13838: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13839: If possible, require SSL protection for all
13840: transactions. The SSL protocol variants listen on alternate ports (995 instead of 110
13841: for pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. An
13842: alternate approach is to listen on the standard port and require the client to use the
13843: STARTTLS command before authenticating.</description>
13844: <Rule id="rule-3.17.2.1.a" selected="false" weight="10.000000">
13845: <title xml:lang="en">Dovecot should not support imaps</title>
13846: <description xml:lang="en">Dovecot should be configured to not support the imaps protocol</description>
13847: <ident system="http://cce.mitre.org">CCE-4384-4</ident>
13848: <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13849: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13850: <check-content-ref name="oval:org.fedoraproject.f14:def:20333" href="scap-fedora14-oval.xml"/>
13851: </check>
13852: </Rule>
13853: <Rule id="rule-3.17.2.1.b" selected="false" weight="10.000000">
13854: <title xml:lang="en">Dovecot should not support pop3s</title>
13855: <description xml:lang="en">Dovecot should be configured to not support the pop3s protocol</description>
13856: <ident system="http://cce.mitre.org">CCE-3887-7</ident>
13857: <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13858: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13859: <check-content-ref name="oval:org.fedoraproject.f14:def:20334" href="scap-fedora14-oval.xml"/>
13860: </check>
13861: </Rule>
13862: <Rule id="rule-3.17.2.1.c" selected="false" weight="10.000000">
13863: <title xml:lang="en">Dovecot should not support pop3</title>
13864: <description xml:lang="en">Dovecot should be configured to not support the pop3 protocol</description>
13865: <ident system="http://cce.mitre.org">CCE-4530-2</ident>
13866: <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13867: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13868: <check-content-ref name="oval:org.fedoraproject.f14:def:20335" href="scap-fedora14-oval.xml"/>
13869: </check>
13870: </Rule>
13871: <Rule id="rule-3.17.2.1.d" selected="false" weight="10.000000">
13872: <title xml:lang="en">Dovecot should not support imap</title>
13873: <description xml:lang="en">Dovecot should be configured to not support the imap protocol</description>
13874: <ident system="http://cce.mitre.org">CCE-4547-6</ident>
13875: <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13876: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13877: <check-content-ref name="oval:org.fedoraproject.f14:def:20336" href="scap-fedora14-oval.xml"/>
13878: </check>
13879: </Rule>
13880: </Group>
13881: <Group id="group-3.17.2.2" hidden="false">
13882: <title xml:lang="en">Enable SSL Support</title>
13883: <description xml:lang="en">
13884: SSL should be used to encrypt network traffic between the
13885: Dovecot server and its clients. Users must authenticate to the Dovecot server in order
13886: to read their mail, and passwords should never be transmitted in clear text. In
13887: addition, protecting mail as it is downloaded is a privacy measure, and clients may use
13888: SSL certificates to authenticate the server, preventing another system from
13889: impersonating the server. See Section 2.5.6 for general SSL information, including the
13890: setup of a Certificate Authority (CA).</description>
13891: <reference href="">Apache 2 with SSL/TLS: Step-by-step, Part 2. Tech. rep.</reference>
13892: <Group id="group-3.17.2.2.1" hidden="false">
13893: <title xml:lang="en">Create an SSL Certificate</title>
13894: <description xml:lang="en">
13895: Note: The following steps should be performed on your CA
13896: system, and not on the Dovecot server itself. If you will have a commercial CA sign
13897: certificates, then these steps should be performed on a separate, physically secure
13898: system devoted to that purpose. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13899: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13900: On your CA (if you are using your own) or on another
13901: physically secure system, generate a key pair for the Dovecot server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13902: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13903: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/>
13904: # openssl genrsa -out imapserverkey.pem 2048 <xhtml:br/></xhtml:code>
13905: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13906: Next, generate a
13907: certificate signing request (CSR) for the CA to sign, making sure to enter the
13908: server's fully-qualified domain name when prompted for the Common Name: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13909: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13910: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key imapserverkey.pem -out imapserver.csr <xhtml:br/></xhtml:code>
13911: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13912: Next, the mail server CSR must be
13913: signed to create the Dovecot server certificate. You can either send the CSR to an
13914: established CA or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13915: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13916: To sign imapserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13917: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13918: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in imapserver.csr -out imapservercert.pem <xhtml:br/></xhtml:code>
13919: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13920: Together, these steps produce a private key,
13921: imapserverkey.pem, and a public certificate, imapservercert.pem. The Dovecot server
13922: will use these to prove its identity by demonstrating that it has a certificate which
13923: has been signed by a CA. POP3 or IMAP clients at your site should only be willing to
13924: provide users' credentials to a server they can authenticate.</description>
13925: </Group>
13926: <Group id="group-3.17.2.2.2" hidden="false">
13927: <title xml:lang="en">Install the SSL Certificate</title>
13928: <description xml:lang="en">
13929: Create the PKI directory for POP and IMAP certificates if it
13930: does not already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13931: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13932: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/imap <xhtml:br/>
13933: # chown root:root /etc/pki/tls/imap<xhtml:br/>
13934: # chmod 755 /etc/pki/tls/imap <xhtml:br/></xhtml:code>
13935: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13936: Using removable media or some other secure transmission
13937: format, install the files generated in the previous step onto the Dovecot server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13938: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
13939: <xhtml:li>/etc/pki/tls/imap/serverkey.pem: the private key imapserverkey.pem</xhtml:li>
13940: <xhtml:li>/etc/pki/tls/imap/servercert.pem: the certificate file imapservercert.pem</xhtml:li>
13941: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13942: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13943: Verify the permissions on these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13944: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13945: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/imap/serverkey.pem <xhtml:br/>
13946: # chown root:root /etc/pki/tls/imap/servercert.pem <xhtml:br/>
13947: # chmod 600 /etc/pki/tls/imap/serverkey.pem<xhtml:br/>
13948: # chmod 600 /etc/pki/tls/imap/servercert.pem <xhtml:br/></xhtml:code>
13949: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13950: Verify that the CA's public certificate
13951: file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct
13952: permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13953: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13954: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/>
13955: # chmod 644 /etc/pki/tls/CA/cacert.pem</xhtml:code></description>
13956: </Group>
13957: <Group id="group-3.17.2.2.3" hidden="false">
13958: <title xml:lang="en">Configure Dovecot to Use the SSL Certificate</title>
13959: <description xml:lang="en">
13960: Edit /etc/dovecot.conf and add or correct the following lines
13961: (ensuring they reference the appropriate files): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13962: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13963: ssl_cert_file = /etc/pki/tls/imap/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13964: ssl_key_file = /etc/pki/tls/imap/serverkey.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13965: ssl_ca_file = /etc/pki/tls/CA/cacert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13966: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13967: These options tell Dovecot where to find the
13968: TLS configuration, allowing clients to make encrypted connections.</description>
13969: </Group>
13970: <Group id="group-3.17.2.2.4" hidden="false">
13971: <title xml:lang="en">Disable Plaintext Authentication</title>
13972: <description xml:lang="en">
13973: To prevent Dovecot from attempting plaintext authentication
13974: of clients, edit /etc/dovecot.conf and add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13975: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13976: disable_plaintext_auth = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13977: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13978: The disable_plaintext_auth option disallows
13979: login-related commands until an encrypted session has been negotiated using SSL. If
13980: client compatibility requires you to allow connections to the pop3 or imap ports,
13981: rather than the alternate SSL ports, you should use this option to require STARTTLS
13982: before authentication.</description>
13983: <Rule id="rule-3.17.2.2.4.a" selected="false" weight="10.000000">
13984: <title xml:lang="en">Disable Plaintext Authentication</title>
13985: <description xml:lang="en">Dovecot plaintext authentication of clients should be disabled</description>
13986: <ident system="http://cce.mitre.org">CCE-4552-6</ident>
13987: <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
13988: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
13989: <check-content-ref name="oval:org.fedoraproject.f14:def:20337" href="scap-fedora14-oval.xml"/>
13990: </check>
13991: </Rule>
13992: </Group>
13993: </Group>
13994: <Group id="group-3.17.2.3" hidden="false">
13995: <title xml:lang="en">Enable Dovecot Options to Protect Against Code Flaws</title>
13996: <description xml:lang="en">
13997: Edit /etc/dovecot.conf and add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13998: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
13999: login_process_per_connection = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14000: mail_drop_priv_before_exec = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14001: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14002: IMAP and POP3 are
14003: remote authenticated protocols, meaning that the server must accept remote connections
14004: from anyone, but provide substantial services only to clients who have successfully
14005: authenticated. To protect against security problems, Dovecot splits these functions into
14006: separate server processes. The imap-login and/or pop3-login processes accept connections
14007: from unauthenticated users, and only spawn imap or pop3 processes on successful
14008: authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14009: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14010: However, the imap-login and pop3-login processes themselves may contain
14011: vulnerabilities. Since each of these processes operates as a daemon, handling multiple
14012: sequential client connections from different users, bugs in the code could allow
14013: unauthenticated users to steal credential data. If the login_process_per_connection
14014: option is enabled, then a separate imap-login or pop3-login process is created for each
14015: new connection, protecting against this class of problems. This option has an efficiency
14016: cost, but is strongly recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14017: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14018: If the mail_drop_priv_before_exec option is on, the
14019: imap-login or pop3-login process will drop privileges to the user's ID after
14020: authentication and before executing the imap or pop3 process itself. Under some very
14021: limited circumstances, this could protect against privilege escalation by authenticated
14022: users. However, if the mail executable option is used to run code before starting each
14023: user's session, it is important to drop privileges to prevent the custom code from
14024: running as root.</description>
14025: <Rule id="rule-3.17.2.3.a" selected="false" weight="10.000000">
14026: <title xml:lang="en">Enable Dovecot Option mail_drop_priv_before_exec</title>
14027: <description xml:lang="en">The Dovecot option to drop privileges to user before executing mail process should be enabled</description>
14028: <ident system="http://cce.mitre.org">CCE-4371-1</ident>
14029: <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
14030: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14031: <check-content-ref name="oval:org.fedoraproject.f14:def:20338" href="scap-fedora14-oval.xml"/>
14032: </check>
14033: </Rule>
14034: <Rule id="rule-3.17.2.3.b" selected="false" weight="10.000000">
14035: <title xml:lang="en">Enable Dovecot Option login_process_per_connection</title>
14036: <description xml:lang="en">The Dovecot option to spawn a new login process per connection should be enabled</description>
14037: <ident system="http://cce.mitre.org">CCE-4410-7</ident>
14038: <fixtext xml:lang="en">(1) via /etc/dovecot.conf</fixtext>
14039: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14040: <check-content-ref name="oval:org.fedoraproject.f14:def:20339" href="scap-fedora14-oval.xml"/>
14041: </check>
14042: </Rule>
14043: </Group>
14044: <Group id="group-3.17.2.4" hidden="false">
14045: <title xml:lang="en">Allow IMAP Clients to Access the Server</title>
14046: <description xml:lang="en">
14047: Edit /etc/sysconfig/iptables. Add the following line, ensuring
14048: that it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14049: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14050: -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14051: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14052: The default
14053: iptables configuration does not allow inbound access to any services. This modification
14054: will allow remote hosts to initiate connections to the IMAP daemon, while keeping all
14055: other ports on the server in their default protected state. See Section 2.5.5 for more
14056: information about iptables.</description>
14057: </Group>
14058: </Group>
14059: </Group>
14060: <Group id="group-3.18" hidden="false">
14061: <title xml:lang="en">Samba (SMB) Microsoft Windows File Sharing Server</title>
14062: <description xml:lang="en">
14063: When properly configured, the Samba service allows Linux machines
14064: to provide file and print sharing to Microsoft Windows machines. There are two software
14065: packages that provide Samba support. The first, samba-client, provides a series of command
14066: line tools that enable a client machine to access Samba shares. The second, simply labeled
14067: samba, provides the Samba service. It is this second package that allows a Linux machine to
14068: act as an Active Directory server, a domain controller, or as a domain member. Only the
14069: samba-client package is installed by default.</description>
14070: <Group id="group-3.18.1" hidden="false">
14071: <title xml:lang="en">Disable Samba if Possible</title>
14072: <description xml:lang="en">
14073: If the Samba service has been enabled and will not be used, disable it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14074: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14075: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig smb off <xhtml:br/></xhtml:code>
14076: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14077: Even after the Samba server package has been installed, it
14078: will remain disabled. Do not enable this service unless it is absolutely necessary to
14079: provide Microsoft Windows file and print sharing functionality.</description>
14080: <Rule id="rule-3.18.1.a" selected="false" weight="10.000000" severity="medium">
14081: <title xml:lang="en">Disable Samba if Possible</title>
14082: <description xml:lang="en">The smb service should be disabled.</description>
14083: <ident system="http://cce.mitre.org">CCE-4551-8</ident>
14084: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
14085: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14086: <check-content-ref name="oval:org.fedoraproject.f14:def:20340" href="scap-fedora14-oval.xml"/>
14087: </check>
14088: </Rule>
14089: </Group>
14090: <Group id="group-3.18.2" hidden="false">
14091: <title xml:lang="en">Configure Samba if Necessary</title>
14092: <description xml:lang="en">
14093: All settings for the Samba daemon can be found in
14094: /etc/samba/smb.conf. Settings are divided between a [global] configuration section and a
14095: series of user created share definition sections meant to describe file or print shares on
14096: the system. By default, Samba will operate in user mode and allow client machines to
14097: access local home directories and printers. It is recommended that these settings be
14098: changed or that additional limitations be set in place.</description>
14099: <Group id="group-3.18.2.1" hidden="false">
14100: <title xml:lang="en">Testing the Samba Configuration File</title>
14101: <description xml:lang="en">
14102: To test the configuration file for syntax errors, use the
14103: testparm command. It will also list all settings currently in place, including defaults
14104: that may not appear in the configuration file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14105: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14106: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># testparm -v</xhtml:code></description>
14107: </Group>
14108: <Group id="group-3.18.2.2" hidden="false">
14109: <title xml:lang="en">Choosing the Appropriate security Parameter</title>
14110: <description xml:lang="en">
14111: There are two kinds of security in Samba, share-level (share)
14112: and user-level. User-level security is further subdivided into four separate
14113: implementations: user, domain, ads, and server. It is recommended that the share and
14114: server security modes not be used. In share security, everyone is given the same
14115: password for each share, preventing individual user accountability. server security mode
14116: has been superseded by the domain and ads security modes. It may now be considered
14117: obsolete. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14118: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14119: The security parameter is set in the [global] section of the Samba
14120: configuration file. It determines how the server will handle user names and passwords.
14121: Some security modes require additional parameters, such as workgroup, realm, or password
14122: server names. All security modes will require that each remote user have a matching
14123: local account. One workaround to this problem is to use the winbindd daemon. Please
14124: consult the official Samba documentation to learn more.</description>
14125: <Group id="group-3.18.2.2.1" hidden="false">
14126: <title xml:lang="en">Use user Security for Servers Not in a Domain Context</title>
14127: <description xml:lang="en">
14128: This is the default setting with a new Samba installation and
14129: the best choice when operating outside of a domain security context. The relevant
14130: parameters in /etc/samba/smb.conf will read as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14131: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14132: security = user <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14133: workgroup = MYGROUP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14134: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14135: Set the value of workgroup so that it matches the value of other machines on
14136: the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14137: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14138: In user mode, authentication requests are handled locally and not passed
14139: on to a separate authentication server. This is the desired behavior for standalone
14140: servers and domain controllers.</description>
14141: </Group>
14142: <Group id="group-3.18.2.2.2" hidden="false">
14143: <title xml:lang="en">Use domain Security for Servers in a Domain Context</title>
14144: <description xml:lang="en">
14145: First, change the security parameter to domain.
14146: Next, set the workgroup and netbios name parameters (if necessary): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14147: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14148: security = domain<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14149: workgroup = WORKGROUP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14150: netbios name = NETBIOSNAME <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14151: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14152: domain mode is used for any machine
14153: that will act as a domain member server. It lets Samba know that the authentication
14154: information it needs can be found on another machine. Primary and Backup Domain
14155: Controllers host copies of this information. Samba will try to automatically determine
14156: which machine it should authenticate against on a domain network. If this detection
14157: fails, it may be necessary to specify the location manually. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14158: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14159: Unlike the Microsoft
14160: Windows implementation of the SMB standard, a Samba machine can freely change roles
14161: within a domain without requiring that the machine be reinstalled (such roles include
14162: primary and backup domain controllers, domain member servers, and ordinary domain
14163: workstations). However, there are some limitations on how each machine can fulfill
14164: each role in a mixed network.</description>
14165: <warning xml:lang="en">When using Samba as a Primary or Backup Domain Controller,
14166: use security = user, not security = domain. This tells Samba that the local machine is
14167: hosting the authentication backend. </warning>
14168: </Group>
14169: <Group id="group-3.18.2.2.3" hidden="false">
14170: <title xml:lang="en">Use ads (Active Directory Service) Security For Servers in an ADS
14171: Domain Context</title>
14172: <description xml:lang="en">
14173: The security mode ads enables a Samba machine to act
14174: as an ADS domain member server. Since ADS requires Kerberos, be sure to set the realm
14175: parameter appropriately and configure the local copy of Kerberos. If necessary, it is
14176: also possible to manually set the password server parameter. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14177: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14178: security = ads <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14179: realm = MY_REALM <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14180: password server = your.kerberos.server <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14181: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14182: Currently, it is possible to act as an
14183: Active Directory domain member server, but not as a domain controller. Be sure to
14184: operate in mixed mode. Native mode may not work yet in current versions of Samba.
14185: Future support for ADS should be forthcoming in Samba 4. See the Samba project web
14186: site at http://www.samba.org for more details.</description>
14187: </Group>
14188: </Group>
14189: <Group id="group-3.18.2.3" hidden="false">
14190: <title xml:lang="en">Disable Guest Access and Local Login Support</title>
14191: <description xml:lang="en">
14192: Do not allow guest users to access local file or printer
14193: shares. In global or in each share, set the parameter guest ok to no: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14194: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14195: [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14196: guest ok = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14197: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14198: It is safe to disable local login support for remote Samba users. Consider changing
14199: the add user account script to set remote user shells to /sbin/nologin.</description>
14200: <Rule id="rule-3.18.2.3.a" selected="false" weight="10.000000">
14201: <title xml:lang="en">Disable Guest Access and Local Login Support</title>
14202: <description xml:lang="en">Do not allow guest users to access local file or printer shares. In global or in each share, set the parameter guest ok to no.</description><!-- NOTE(review): unlike the neighbouring rules, this rule carries no <ident> (CCE) element, so it cannot be cross-referenced in results; the check id def:203403 also breaks the five-digit pattern (20338 to 20342) used nearby. Confirm both against scap-fedora14-oval.xml. -->
14203: <fixtext xml:lang="en">(1) via /etc/samba/smb.conf in [share] guest ok = no </fixtext>
14204: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14205: <check-content-ref name="oval:org.fedoraproject.f14:def:203403" href="scap-fedora14-oval.xml"/>
14206: </check>
14207: </Rule>
14208: </Group>
14209: <Group id="group-3.18.2.4" hidden="false">
14210: <title xml:lang="en">Disable Root Access</title>
14211: <description xml:lang="en">
14212: Administrators should not use administrator accounts to access
14213: Samba file and printer shares. If possible, disable the root user and the wheel
14214: administrator group: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14215: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14216: [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14217: invalid users = root @wheel <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14218: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14219: If administrator accounts
14220: cannot be disabled, ensure that local machine passwords and Samba service passwords do
14221: not match. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14222: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14223: Typically, administrator access is required when Samba must create user and
14224: machine accounts and shares. Domain member servers and standalone servers may not need
14225: administrator access at all. If that is the case, add the invalid users parameter to
14226: [global] instead.</description>
14227: </Group>
14228: <Group id="group-3.18.2.5" hidden="false">
14229: <title xml:lang="en">Set the Allowed Authentication Negotiation Levels</title>
14230: <description xml:lang="en">By default, Samba will attempt to negotiate with Microsoft
14231: Windows machines to set a common communication protocol. Whenever possible, be sure to
14232: disable LANMAN authentication, as it is far weaker than the other supported protocols.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14233: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14234: [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14235: client lanman auth = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14236: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14237: Newer versions of Microsoft Windows may require the use
14238: of NTLMv2. NTLMv2 is the preferred protocol for authentication, but since older machines
14239: do not support it, Samba has disabled it by default. If possible, reenable it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14240: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14241: [global]<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14242: client ntlmv2 auth = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14243: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14244: For the sake of backwards compatibility, most modern Windows
14245: machines will still allow other machines to communicate with them over weak protocols
14246: such as LANMAN. On Samba, by enabling NTLMv2, you are also disabling LANMAN and NTLMv1.
14247: If NTLMv1 is required, it is still possible to individually disable LANMAN.</description><!-- NOTE(review): "client lanman auth" and "client ntlmv2 auth" govern what Samba offers when it acts as an SMB client; the parameters that govern what smbd accepts from connecting Windows clients are "lanman auth" and "ntlm auth". The prose above describes the server side, so confirm which side this section is meant to harden and whether the server parameters should be listed as well. -->
14248: </Group>
14249: <Group id="group-3.18.2.6" hidden="false">
14250: <title xml:lang="en">Let Domain Controllers Create Machine Trust Accounts On-the-Fly</title>
14251: <description xml:lang="en">
14252: Add or correct an add machine script entry to the [global]
14253: section of /etc/samba/smb.conf to allow Samba to dynamically create Machine Trust
14254: Accounts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14255: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14256: [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14257: add machine script = /usr/sbin/useradd -n -g machines -d /dev/null -s /sbin/nologin %u <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14258: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14259: Make sure that the group machines exists. If not, add it with the
14260: following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14261: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14262: /usr/sbin/groupadd machines <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14263: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14264: When acting as a PDC, it becomes
14265: necessary to create and store Machine Trust Accounts for each machine that joins the
14266: domain. On a Microsoft Windows PDC, this account is created with the Server Manager
14267: tool, but on a Samba PDC, two accounts must be created. The first is the local machine
14268: account, and the second is the Samba account. For security purposes, it is recommended
14269: to let Samba create these accounts on-the-fly. When Machine Trust Accounts are created
14270: manually, there is a small window of opportunity in which a rogue machine could join the
14271: domain in place of the new server.</description>
14272: </Group>
14273: <Group id="group-3.18.2.7" hidden="false">
14274: <title xml:lang="en">Restrict Access to the [IPC$] Share</title>
14275: <description xml:lang="en">
14276: Limit access to the [IPC$] share so that only machines in your
14277: network will be able to connect to it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14278: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14279: [IPC$] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14280: hosts allow = 192.168.1. 127.0.0.1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14281: hosts deny = 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14282: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14283: The [IPC$] share allows users to anonymously fetch a list of shared
14284: resources from a server. It is intended to allow users to browse the list of available
14285: shares. It also can be used as a point of attack into a system. Disabling it completely
14286: may break some functionality, so it is recommended that you merely limit access to it
14287: instead.</description>
14288: </Group>
14289: <Group id="group-3.18.2.8" hidden="false">
14290: <title xml:lang="en">Restrict File Sharing</title>
14291: <description xml:lang="en">
14292: Only users with local user accounts will be able to log in to
14293: Samba shares by default. Shares can be limited to particular users or network addresses.
14294: Use the hosts allow and hosts deny directives accordingly, and consider setting the
14295: valid users directive to a limited subset of users or to a group of users. Separate each
14296: address, user, or user group with a space as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14297: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14298: [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>hosts allow = 192.168.1. 127.0.0.1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14299: valid users = userone usertwo @usergroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14300: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14301: It is also possible to limit read and
14302: write access to particular users with the read list and write list options, though the
14303: permissions set by the system itself will override these settings. Set the read only
14304: attribute for each share to ensure that global settings will not accidentally override
14305: the individual share settings. Then, as with the valid users directive, separate each
14306: user or group of users with a space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14307: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14308: [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14309: read only = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14310: write list = userone usertwo @usergroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14311: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14312: The Samba service is only required for sharing files and printers
14313: with Microsoft Windows workstations, and even then, other options may exist. Do not use
14314: the Samba service to share files between Unix or Linux machines.</description>
14315: </Group>
14316: <Group id="group-3.18.2.9" hidden="false">
14317: <title xml:lang="en">Require Server SMB Packet Signing</title>
14318: <description xml:lang="en">
14319: To make the server use packet signing, add the following to the [global] section of the Samba configuration
14320: file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14321: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14322: server signing = mandatory<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14323: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14324: The Samba server should only communicate with clients who can support SMB packet signing. Packet signing
14325: can prevent man-in-the-middle attacks which modify SMB packets in transit.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14326: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14327: The Samba service is only required for sharing files and printers with Microsoft Windows workstations, and even
14328: then, other options may exist. Do not use the Samba service to share files between Unix or Linux machines.
14329: </description>
14330: </Group>
14331: <Group id="group-3.18.2.10" hidden="false">
14332: <title xml:lang="en">Require Client SMB Packet Signing, if using smbclient</title>
14333: <description xml:lang="en">
14334: To require Samba clients running smbclient to use packet signing, add the following to the [global] section
14335: of the Samba configuration file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14336: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14337: client signing = mandatory<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14338: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14339: A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can
14340: prevent man-in-the-middle attacks which modify SMB packets in transit.
14341: </description>
14342: <Rule id="rule-3.18.2.10.a" selected="false" weight="10.000000">
14343: <title xml:lang="en">Require Client SMB Packet Signing, if using smbclient</title>
14344: <description xml:lang="en">
14345: Require samba clients running smbclient to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can
14346: prevent man-in-the-middle attacks which modify SMB packets in transit.</description>
14347: <ident system="http://cce.mitre.org">CCE-4556-7</ident><!-- NOTE(review): CCE-4556-7 is also assigned to rule-3.18.2.11.a and rule-3.19.1.a in this document. A CCE is meant to identify a single configuration statement, so results keyed by CCE will collide across these three rules; confirm the intended identifier for each. The check id def:2034010 also departs from the five-digit pattern used by neighbouring rules. -->
14348: <fixtext xml:lang="en">(1) via /etc/samba/smb.conf in [global] client signing = mandatory</fixtext>
14349: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14350: <check-content-ref name="oval:org.fedoraproject.f14:def:2034010" href="scap-fedora14-oval.xml"/>
14351: </check>
14352: </Rule>
14353: </Group>
14354: <Group id="group-3.18.2.11" hidden="false">
14355: <title xml:lang="en">Require Client SMB Packet Signing, if using mount.cifs</title>
14356: <description xml:lang="en">
14357: Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who
14358: specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are
14359: used.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14360: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14361: See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers
14362: who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB
14363: packets in transit.
14364: </description>
14365: <Rule id="rule-3.18.2.11.a" selected="false" weight="10.000000">
14366: <title xml:lang="en">Require Client SMB Packet Signing, if using mount.cifs</title>
14367: <description xml:lang="en">
14368: Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who
14369: specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are
14370: used.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14371: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14372: See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers
14373: who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB
14374: packets in transit.</description>
14375: <ident system="http://cce.mitre.org">CCE-4556-7</ident><!-- NOTE(review): CCE-4556-7 is shared with rule-3.18.2.10.a (smbclient signing) and rule-3.19.1.a (Squid) in this document, so results keyed by CCE cannot distinguish these rules; confirm the intended identifier. -->
14376: <fixtext xml:lang="en">(1) via /etc/fstab</fixtext>
14377: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14378: <check-content-ref name="oval:org.fedoraproject.f14:def:2034011" href="scap-fedora14-oval.xml"/>
14379: </check>
14380: </Rule>
14381: </Group>
14382: <Group id="group-3.18.2.12" hidden="false">
14383: <title xml:lang="en">Restrict Printer Sharing</title>
14384: <description xml:lang="en">
14385: By default, Samba utilizes the CUPS printing service to enable
14386: printer sharing with Microsoft Windows workstations. If there are no printers on the
14387: local machine, or if printer sharing with Microsoft Windows is not required, disable the
14388: printer sharing capability by commenting out the following lines, found in
14389: /etc/samba/smb.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14390: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14391: [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14392: ; load printers = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14393: ; cups options = raw <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14394: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14395: [printers] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14396: comment = All Printers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14397: path = /usr/spool/samba <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14398: browseable = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14399: guest ok = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14400: writable = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14401: printable = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14402: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14403: There may be other options present, but these are the only options
14404: enabled and uncommented by default. Removing the [printers] share should be enough for
14405: most users. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14406: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14407: If the Samba printer sharing capability is needed, consider disabling the
14408: Samba network browsing capability or restricting access to a particular set of users or
14409: network addresses. Set the valid users parameter to a small subset of users or restrict
14410: it to a particular group of users with the shorthand @. Separate each user or group of
14411: users with a space. For example, under the [printers] share: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14412: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14413: [printers] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14414: valid users = user @printerusers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14415: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14416: The CUPS service is capable of sharing printers with other Unix and
14417: Linux machines on the local network without the Samba service. The Samba service is only
14418: required when a Microsoft Windows machine needs printer access on a Unix or Linux host.</description>
14419: </Group>
14420: <Group id="group-3.18.2.13" hidden="false">
14421: <title xml:lang="en">Configure iptables to Allow Access to the Samba Server</title>
14422: <description xml:lang="en">
14423: Determine an appropriate network block, netwk , and network
14424: mask, mask , representing the machines on your network which should operate as clients
14425: of the Samba server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14426: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14427: Edit /etc/sysconfig/iptables. Add the following lines, ensuring
14428: that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14429: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 137 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14430: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 138 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14431: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 139 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14432: -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 445 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14433: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14434: The default Iptables configuration does not allow inbound access to the ports used by
14435: the Samba service. This modification allows that access, while keeping other ports on
14436: the server in their default protected state. Since these ports are frequent targets of
14437: network scanning attacks, restricting access to only the network segments which need to
14438: access the Samba server is strongly recommended. See Section 2.5.5 for more information
14439: about Iptables.</description><!-- NOTE(review): all four rules above use "-p tcp", but the NetBIOS name and datagram services on ports 137 and 138 are UDP, so as written those two rules will not match that traffic while 139 and 445 (TCP) will. Confirm the intended protocol for each port. The netwk and mask placeholders also render with stray spaces ("netwk /mask"). -->
14440: </Group>
14441: </Group>
14442: <Group id="group-3.18.3" hidden="false">
14443: <title xml:lang="en">Avoid the Samba Web Administration Tool (SWAT)</title>
14444: <description xml:lang="en">
14445: SWAT is a web based configuration tool provided by the Samba team
14446: that enables both local and remote configuration management. It is not installed by
14447: default. It is recommended that SWAT not be used, as it requires the use of a Samba
14448: administrator account and sends that password in the clear over a network connection. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14449: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14450: If
14451: SWAT is absolutely required, limit access to the local machine or tunnel SWAT connections
14452: through SSL with stunnel.</description>
14453: </Group>
14454: </Group>
14455: <Group id="group-3.19" hidden="false">
14456: <title xml:lang="en">Proxy Server</title>
14457: <description xml:lang="en">
14458: A proxy server is a very desirable target for a potential adversary
14459: because much (or all) sensitive data for a given infrastructure may flow through it.
14460: Therefore, if one is required, the machine acting as a proxy server should be dedicated to
14461: that purpose alone and be stored in a physically secure location. The system's default proxy
14462: server software is Squid, and provided in an RPM package of the same name.</description>
14463: <reference href="">Galarneau, E. Security Considerations with Squid proxy server. Tech. rep., Apr 2003</reference>
14464: <reference href="">Wessels, D. Squid: The Definitive Guide. O’Reilly and Associates, Jan 2004</reference>
14465: <Group id="group-3.19.1" hidden="false">
14466: <title xml:lang="en">Disable Squid if Possible</title>
14467: <description xml:lang="en">
14468: If Squid was installed and activated, but the system does not
14469: need to act as a proxy server, then it should be disabled and removed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14470: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14471: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig squid off <xhtml:br/>
14472: # yum erase squid</xhtml:code></description>
14473: <Rule id="rule-3.19.1.a" selected="false" weight="10.000000" severity="low">
14474: <title xml:lang="en">Disable Squid if Possible</title>
14475: <description xml:lang="en">The squid service should be disabled.</description>
14476: <ident system="http://cce.mitre.org">CCE-4556-7</ident><!-- NOTE(review): CCE-4556-7 is the identifier also given to the two Samba packet-signing rules (rule-3.18.2.10.a and rule-3.18.2.11.a) in this document; on a Squid rule this looks like a copy/paste carry-over. Confirm the correct CCE so per-CCE results do not collide. -->
14477: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
14478: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14479: <check-content-ref name="oval:org.fedoraproject.f14:def:20341" href="scap-fedora14-oval.xml"/>
14480: </check>
14481: </Rule>
14482: <Rule id="rule-3.19.1.b" selected="false" weight="10.000000">
14483: <title xml:lang="en">Uninstall Squid if Possible</title>
14484: <description xml:lang="en">The squid package should be uninstalled.</description>
14485: <ident system="http://cce.mitre.org">CCE-4076-6</ident>
14486: <fixtext xml:lang="en">(1) via yum</fixtext>
14487: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14488: <check-content-ref name="oval:org.fedoraproject.f14:def:20342" href="scap-fedora14-oval.xml"/>
14489: </check>
14490: </Rule>
14491: </Group>
14492: <Group id="group-3.19.2" hidden="false">
14493: <title xml:lang="en">Configure Squid if Necessary</title>
14494: <description xml:lang="en">
14495: The Squid configuration file is /etc/squid/squid.conf. The
14496: following recommendations can be applied to this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14497: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14498: Note: If a particular tag is not
14499: present in the configuration file, Squid falls back to the default setting (which is often
14500: illustrated by a comment).</description>
14501: <Group id="group-3.19.2.1" hidden="false">
14502: <title xml:lang="en">Listen on Uncommon Port</title>
14503: <description xml:lang="en">
14504: The default listening port for the Squid service is 3128. As
14505: such, it is frequently scanned by adversaries looking for proxy servers. Moving to an uncommon port only reduces exposure to untargeted scanning; it is not access control, and the ACLs in Section 3.19.2.5 remain the actual restriction. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14506: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14507: Select an
14508: arbitrary (but uncommon) high port to use as the Squid listening port and make the
14509: corresponding change to the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14510: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14511: http_port port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14512: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14513: Run the following command
14514: to add a new SELinux port mapping for the service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14515: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14516: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage port -a -t http_cache_port_t -p tcp port</xhtml:code></description>
14517: </Group>
14518: <Group id="group-3.19.2.2" hidden="false">
14519: <title xml:lang="en">Verify Default Secure Settings</title>
14520: <description xml:lang="en">
14521: Several security-enhancing settings in the Squid configuration
14522: file are enabled by default, but appear as comments in the configuration file (as
14523: mentioned in Section 3.19.2). In these instances, the explicit directive is not present,
14524: which means it is implicitly enabled. If you are operating with a default configuration
14525: file, this section can be ignored. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14526: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14527: Ensure that the following security settings are NOT
14528: explicitly changed from their default values: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14529: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14530: ftp_passive on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14531: ftp_sanitycheck on<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14532: check_hostnames on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14533: request_header_max_size 20 KB <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14534: reply_header_max_size 20 KB<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14535: cache_effective_user squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14536: cache_effective_group squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14537: ignore_unknown_nameservers on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14538: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14539: ftp_passive forces FTP passive connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14540: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14541: ftp_sanitycheck performs additional sanity checks on FTP data connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14542: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14543: check_hostnames ensures that hostnames meet RFC compliance. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14544: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14545: request_header_max_size and reply_header_max_size place an upper limit on
14546: HTTP header length, precautions against denial-of-service and buffer overflow
14547: vulnerabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14548: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14549: cache_effective_user and cache_effective_group designate the EUID and
14550: EGID of Squid following initialization (it is essential that the EUID/EGID be set to an
14551: unprivileged sandbox account). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14552: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14553: ignore_unknown_nameservers checks to make sure that DNS
14554: responses come from the same IP the request was sent to.</description>
14555: <Value id="var-3.19.2.2.d" operator="equals" type="string">
14556: <title xml:lang="en">request_header_max_size</title>
14557: <description xml:lang="en">Place an upper limit on HTTP request header length, precautions against denial-of-service and buffer overflow vulnerabilities.</description>
14558: <question xml:lang="en">Specify an upper limit on HTTP request header length</question>
14559: <value>20kb</value>
14560: <value selector="20kb">20kb</value>
14561: <match>^\d+ ?[KMGkmg]?[Bb]?$</match>
14562: </Value>
14563: <Value id="var-3.19.2.2.e" operator="equals" type="string">
14564: <title xml:lang="en">reply_header_max_size</title>
14565: <description xml:lang="en">Place an upper limit on HTTP reply header length, precautions against denial-of-service and buffer overflow vulnerabilities.</description>
14566: <question xml:lang="en">Specify an upper limit on HTTP reply header length</question>
14567: <value>20kb</value>
14568: <value selector="20kb">20kb</value>
14569: <match>^\d+ ?[KMGkmg]?[Bb]?$</match>
14570: </Value>
14571: <Value id="var-3.19.2.2.f" operator="equals" type="string">
14572: <title xml:lang="en">cache_effective_user</title>
14573: <description xml:lang="en">Designate the EUID of Squid following initialization (it is essential that the EUID be set to an unprivileged sandbox account).</description>
14574: <question xml:lang="en">Designate the EUID of Squid following initialization</question>
14575: <value>squid</value>
14576: <value selector="squid">squid</value>
14577: </Value>
14578: <Value id="var-3.19.2.2.g" operator="equals" type="string">
14579: <title xml:lang="en">cache_effective_group</title>
14580: <description xml:lang="en">Designate the EGID of Squid following initialization (it is essential that the EGID be set to an unprivileged sandbox account).</description>
14581: <question xml:lang="en">Designate the EGID of Squid following initialization</question>
14582: <value>squid</value>
14583: <value selector="squid">squid</value>
14584: </Value>
14585: <Rule id="rule-3.19.2.2.a" selected="false" weight="10.000000">
14586: <title xml:lang="en">Verify ftp_passive setting</title>
14587: <description xml:lang="en">The Squid option to force FTP passive connections should be enabled</description>
14588: <ident system="http://cce.mitre.org">CCE-4454-5</ident>
14589: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14590: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14591: <check-content-ref name="oval:org.fedoraproject.f14:def:20343" href="scap-fedora14-oval.xml"/>
14592: </check>
14593: </Rule>
14594: <Rule id="rule-3.19.2.2.b" selected="false" weight="10.000000">
14595: <title xml:lang="en">Verify ftp_sanitycheck setting</title>
14596: <description xml:lang="en">The Squid option to perform FTP sanity checks should be enabled</description>
14597: <ident system="http://cce.mitre.org">CCE-4459-4</ident>
14598: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14599: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14600: <check-content-ref name="oval:org.fedoraproject.f14:def:20344" href="scap-fedora14-oval.xml"/>
14601: </check>
14602: </Rule>
14603: <Rule id="rule-3.19.2.2.c" selected="false" weight="10.000000">
14604: <title xml:lang="en">Verify check_hostnames setting</title>
14605: <description xml:lang="en">The Squid option to check for RFC compliant hostnames should be enabled</description>
14606: <ident system="http://cce.mitre.org">CCE-4503-9</ident>
14607: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14608: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14609: <check-content-ref name="oval:org.fedoraproject.f14:def:20345" href="scap-fedora14-oval.xml"/>
14610: </check>
14611: </Rule>
14612: <Rule id="rule-3.19.2.2.d" selected="false" weight="10.000000">
14613: <title xml:lang="en">Verify request_header_max_size setting</title>
14614: <description xml:lang="en">The Squid max request HTTP header length should be set to an appropriate value</description>
14615: <ident system="http://cce.mitre.org">CCE-4353-9</ident>
14616: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14617: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14618: <check-export export-name="oval:org.fedoraproject.f14:var:20346" value-id="var-3.19.2.2.d"/>
14619: <check-content-ref name="oval:org.fedoraproject.f14:def:20346" href="scap-fedora14-oval.xml"/>
14620: </check>
14621: </Rule>
14622: <Rule id="rule-3.19.2.2.e" selected="false" weight="10.000000">
14623: <title xml:lang="en">Verify reply_header_max_size setting</title>
14624: <description xml:lang="en">The Squid max reply HTTP header length should be set to an appropriate value</description>
14625: <ident system="http://cce.mitre.org">CCE-4419-8</ident>
14626: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14627: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14628: <check-export export-name="oval:org.fedoraproject.f14:var:20347" value-id="var-3.19.2.2.e"/>
14629: <check-content-ref name="oval:org.fedoraproject.f14:def:20347" href="scap-fedora14-oval.xml"/>
14630: </check>
14631: </Rule>
14632: <Rule id="rule-3.19.2.2.f" selected="false" weight="10.000000">
14633: <title xml:lang="en">Verify cache_effective_user setting</title>
14634: <description xml:lang="en">The Squid EUID should be set to an appropriate user</description>
14635: <ident system="http://cce.mitre.org">CCE-3692-1</ident>
14636: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14637: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14638: <check-export export-name="oval:org.fedoraproject.f14:var:20348" value-id="var-3.19.2.2.f"/>
14639: <check-content-ref name="oval:org.fedoraproject.f14:def:20348" href="scap-fedora14-oval.xml"/>
14640: </check>
14641: </Rule>
14642: <Rule id="rule-3.19.2.2.g" selected="false" weight="10.000000">
14643: <title xml:lang="en">Verify cache_effective_group setting</title>
14644: <description xml:lang="en">The Squid EGID should be set to an appropriate group</description>
14645: <ident system="http://cce.mitre.org">CCE-4476-8</ident>
14646: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14647: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14648: <check-export export-name="oval:org.fedoraproject.f14:var:20349" value-id="var-3.19.2.2.g"/>
14649: <check-content-ref name="oval:org.fedoraproject.f14:def:20349" href="scap-fedora14-oval.xml"/>
14650: </check>
14651: </Rule>
14652: <Rule id="rule-3.19.2.2.h" selected="false" weight="10.000000">
14653: <title xml:lang="en">Verify ignore_unknown_nameservers setting</title>
14654: <description xml:lang="en">The Squid option to ignore unknown nameservers should be enabled</description>
14655: <ident system="http://cce.mitre.org">CCE-3585-7</ident>
14656: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14657: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14658: <check-content-ref name="oval:org.fedoraproject.f14:def:20350" href="scap-fedora14-oval.xml"/>
14659: </check>
14660: </Rule>
14661: </Group>
14662: <Group id="group-3.19.2.3" hidden="false">
14663: <title xml:lang="en">Change Default Insecure Settings</title>
14664: <description xml:lang="en">
14665: The default configuration settings for the following tags are
14666: considered to be weak security and NOT recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14667: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14668: Add or modify the configuration file to include the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14669: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14670: allow_underscore off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14671: httpd_suppress_version_string on<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14672: forwarded_for off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14673: log_mime_hdrs on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14674: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14675: Setting allow_underscore off enforces RFC 1034 compliance on
14676: hostnames by rejecting names that contain underscores. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14677: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14678: httpd_suppress_version_string prevents
14679: Squid from revealing version information in web headers and error pages. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14680: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14681: forwarded_for
14682: reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the
14683: leakage of internal network configuration details. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14684: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14685: log_mime_hdrs enables logging of HTTP
14686: response/request headers. Because the logged headers can include Authorization, Proxy-Authorization and Cookie values, restrict read access to the resulting log files and set a retention policy for them.</description>
14687: <Value id="var-3.19.2.3.a" operator="equals" type="string">
14688: <title xml:lang="en">allow_underscore</title>
14689: <description xml:lang="en">Setting allow_underscore off enforces RFC 1034 compliance on hostnames by rejecting names that contain underscores.</description>
14690: <question xml:lang="en">Enable/Disable enforcing RFC 1034 compliance on hostnames</question>
14691: <value>off</value>
14692: <value selector="enabled">on</value>
14693: <value selector="disabled">off</value>
14694: <match>on|off</match>
14695: <choices mustMatch="true">
14696: <choice>on</choice>
14697: <choice>off</choice>
14698: </choices>
14699: </Value>
14700: <Value id="var-3.19.2.3.b" operator="equals" type="string">
14701: <title xml:lang="en">httpd_suppress_version_string</title>
14702: <description xml:lang="en">httpd_suppress_version_string prevents Squid from revealing version information in web headers and error pages.</description>
14703: <question xml:lang="en">Enable/Disable preventing squid from revealing version information in web headers and error pages</question>
14704: <value>on</value>
14705: <value selector="enabled">on</value>
14706: <value selector="disabled">off</value>
14707: <match>on|off</match>
14708: <choices mustMatch="true">
14709: <choice>on</choice>
14710: <choice>off</choice>
14711: </choices>
14712: </Value>
14713: <Value id="var-3.19.2.3.c" operator="equals" type="string">
14714: <title xml:lang="en">forwarded_for</title>
14715: <description xml:lang="en">forwarded_for reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the leakage of internal network configuration details. </description>
14716: <question xml:lang="en">Enable/Disable revealing proxy client IP addresses in HTTP headers</question>
14717: <value>off</value>
14718: <value selector="enabled">on</value>
14719: <value selector="disabled">off</value>
14720: <match>on|off</match>
14721: <choices mustMatch="true">
14722: <choice>on</choice>
14723: <choice>off</choice>
14724: </choices>
14725: </Value>
14726: <Value id="var-3.19.2.3.d" operator="equals" type="string">
14727: <title xml:lang="en">log_mime_hdrs</title>
14728: <description xml:lang="en">log_mime_hdrs enables logging of HTTP response/request headers.</description>
14729: <question xml:lang="en">Enable/Disable logging of HTTP response/request headers</question>
14730: <value>on</value>
14731: <value selector="enabled">on</value>
14732: <value selector="disabled">off</value>
14733: <match>on|off</match>
14734: <choices mustMatch="true">
14735: <choice>on</choice>
14736: <choice>off</choice>
14737: </choices>
14738: </Value>
14739: <Rule id="rule-3.19.2.3.a" selected="false" weight="10.000000">
14740: <title xml:lang="en">Check allow_underscore setting</title>
14741: <description xml:lang="en">The Squid option to allow underscores in hostnames should be disabled</description>
14742: <ident system="http://cce.mitre.org">CCE-4344-8</ident>
14743: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14744: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14745: <check-export export-name="oval:org.fedoraproject.f14:var:20351" value-id="var-3.19.2.3.a"/>
14746: <check-content-ref name="oval:org.fedoraproject.f14:def:20351" href="scap-fedora14-oval.xml"/>
14747: </check>
14748: </Rule>
14749: <Rule id="rule-3.19.2.3.b" selected="false" weight="10.000000">
14750: <title xml:lang="en">Check httpd_suppress_version_string setting</title>
14751: <description xml:lang="en">The Squid option to suppress the httpd version string should be enabled</description>
14752: <ident system="http://cce.mitre.org">CCE-4494-1</ident>
14753: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14754: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14755: <check-export export-name="oval:org.fedoraproject.f14:var:20352" value-id="var-3.19.2.3.b"/>
14756: <check-content-ref name="oval:org.fedoraproject.f14:def:20352" href="scap-fedora14-oval.xml"/>
14757: </check>
14758: </Rule>
14759: <Rule id="rule-3.19.2.3.c" selected="false" weight="10.000000">
14760: <title xml:lang="en">Check forwarded_for setting</title>
14761: <description xml:lang="en">The Squid option to show proxy client IP addresses in HTTP headers should be disabled</description>
14762: <ident system="http://cce.mitre.org">CCE-4181-4</ident>
14763: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14764: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14765: <check-export export-name="oval:org.fedoraproject.f14:var:20353" value-id="var-3.19.2.3.c"/>
14766: <check-content-ref name="oval:org.fedoraproject.f14:def:20353" href="scap-fedora14-oval.xml"/>
14767: </check>
14768: </Rule>
14769: <Rule id="rule-3.19.2.3.d" selected="false" weight="10.000000">
14770: <title xml:lang="en">Check log_mime_hdrs setting</title>
14771: <description xml:lang="en">The Squid option to log HTTP MIME headers should be enabled</description>
14772: <ident system="http://cce.mitre.org">CCE-4577-3</ident>
14773: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14774: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14775: <check-export export-name="oval:org.fedoraproject.f14:var:20354" value-id="var-3.19.2.3.d"/>
14776: <check-content-ref name="oval:org.fedoraproject.f14:def:20354" href="scap-fedora14-oval.xml"/>
14777: </check>
14778: </Rule>
14779: </Group>
14780: <Group id="group-3.19.2.4" hidden="false">
14781: <title xml:lang="en">Configure Authentication if Applicable</title>
14782: <description xml:lang="en">
14783: Note: Authentication cannot be used in the case of transparent
14784: proxies: the client does not know it is talking to a proxy, so it will not answer a 407 Proxy-Authenticate challenge. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14785: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14786: Similar to web servers, two of the
14787: available options are Basic and Digest authentication. The other options are NTLM and
14788: Negotiate authentication. As noted in Section 3.16.3.5, Basic authentication transmits
14789: passwords in plain-text and is susceptible to passive monitoring. If network sniffing is
14790: a concern, basic authentication should not be used. Negotiate is the newest and most
14791: secure protocol. It attempts to use Kerberos authentication and falls back to NTLM if it
14792: cannot, so it provides Kerberos-level protection only when a KDC is actually reachable. It should be noted that Kerberos requires a third-party Key Distribution Center
14793: (KDC) to function properly, whereas the other methods of authentication are two-party
14794: schemes. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14795: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14796: Squid also offers the ability to choose a custom external authenticator.
14797: Designating an external authenticator (also known as a 'helper' module) allows Squid to
14798: offer pluggable third-party authentication schemes. LDAP is one example of a helper
14799: module that exists and is in use today. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14800: There are comments under the auth_param tag
14801: inside /etc/squid/squid.conf that provide extensive detail on how to configure each of
14802: these methods. If authentication is necessary, choose a method of authentication and
14803: configure appropriately. The recommended minimum configurations illustrated for each
14804: method are acceptable. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14805: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14806: To force an ACL (as discussed in Section 3.19.2.5) to require
14807: authentication, use the following directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14808: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14809: acl name-of-ACL proxy_auth REQUIRED <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14810: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14811: Note:
14812: The keyword REQUIRED can be replaced with a user or list of users to further restrict
14813: access to a smaller subset of users.</description>
14814: </Group>
14815: <Group id="group-3.19.2.5" hidden="false">
14816: <title xml:lang="en">Access Control Lists (ACL)</title>
14817: <description xml:lang="en">
14818: The acl and http_access directives are used in combination to allow filtering based on a series of
14819: access control lists. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14820: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14821: Squid has a list of default ACLs for localhost, SSL ports, and
14822: 'safe' ports. Following the definition of these ACLs, a series of http_access directives
14823: establish the following default filtering policy: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14824: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14825: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
14826: <xhtml:li>Allow cachemgr access only from localhost </xhtml:li>
14827: <xhtml:li>Allow access to only ports in the 'safe' access control list</xhtml:li>
14828: <xhtml:li>Limit CONNECT method to SSL ports only</xhtml:li>
14829: <xhtml:li>Allow access from localhost</xhtml:li>
14830: <xhtml:li>Deny all other requests</xhtml:li>
14831: </xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14832: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14833: The
14834: default ACL policies are reasonable from a security standpoint. However, the number of
14835: ports listed as 'safe' could be significantly trimmed depending on the needs of your
14836: network. Out of the box, ports 21, 70, 80, 210, 280, 443, 488, 591, 777, and 1025
14837: through 65535 are all considered safe. Some of these ports are associated with
14838: deprecated or rarely used protocols. As such, this list could be trimmed to further
14839: tighten filtering. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14840: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14841: The following actions should be taken to tighten the ACL policies: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14842: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14843: <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml">
14844: <xhtml:li>There is a filter line in the configuration file that is recommended but commented out.
14845: This line should be uncommented or added to prevent access to localhost from the proxy:<xhtml:br/>
14846: <xhtml:br/>
14847: http_access deny to_localhost </xhtml:li>
14848: <xhtml:li>An access list should be setup for the specific network
14849: or networks that the proxy is intended to serve. Only this subset of IP addresses should
14850: be allowed access. <xhtml:br/>
14851: <xhtml:br/>
14852: Add these lines where the following comment appears: <xhtml:br/>
14853: <xhtml:br/>
14854: # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS <xhtml:br/>
14855: acl your-network-acl-name src ip-range <xhtml:br/>
14856: http_access allow your-network-acl-name <xhtml:br/>
14857: <xhtml:br/>
14858: Note: ip-range is in CIDR notation, xxx.xxx.xxx.xxx/xx (for example 192.168.1.0/24)</xhtml:li>
14859: <xhtml:li>Ensure that the final http_access line to appear in the document
14860: is the following: <xhtml:br/>
14861: <xhtml:br/>
14862: http_access deny all <xhtml:br/>
14863: <xhtml:br/>
14864: This guarantees that all traffic not meeting an
14865: explicit filtering rule is denied. <xhtml:br/>
14866: <xhtml:br/>
14867: Further filters should be established to meet the
14868: specific needs of a network, explicitly allowing access only where necessary.</xhtml:li>
14869: <xhtml:li>Consult
14870: the chart below. Corresponding acl entries for unused protocols should be commented out
14871: and thus denied. </xhtml:li>
14872: </xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14873: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
14874: <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml">
14875: <xhtml:thead>
14876: <xhtml:tr>
14877: <xhtml:td>Port</xhtml:td><xhtml:td>Service</xhtml:td><xhtml:td>Summary</xhtml:td><xhtml:td>Recommendation</xhtml:td>
14878: </xhtml:tr>
14879: </xhtml:thead>
14880: <xhtml:tbody>
14881: <xhtml:tr>
14882: <xhtml:td>21</xhtml:td>
14883: <xhtml:td>ftp</xhtml:td>
14884: <xhtml:td>File Transfer Protocol(FTP)
14885: is a widely used file transfer protocol. </xhtml:td>
14886: <xhtml:td>ALLOW</xhtml:td>
14887: </xhtml:tr>
14888: <xhtml:tr>
14889: <xhtml:td>70</xhtml:td>
14890: <xhtml:td>gopher</xhtml:td>
14891: <xhtml:td>The gopher protocol is a
14892: deprecated search and retrieval protocol that is almost extinct, with as few as 100
14893: gopher servers present worldwide. Support for gopher is disabled in most modern
14894: browsers. </xhtml:td>
14895: <xhtml:td>DENY</xhtml:td>
14896: </xhtml:tr>
14897: <xhtml:tr>
14898: <xhtml:td>80</xhtml:td>
14899: <xhtml:td>http</xhtml:td>
14900: <xhtml:td>A web proxy needs to allow access to HTTP traffic. </xhtml:td>
14901: <xhtml:td>ALLOW</xhtml:td>
14902: </xhtml:tr>
14903: <xhtml:tr>
14904: <xhtml:td>210</xhtml:td>
14905: <xhtml:td>wais</xhtml:td>
14906: <xhtml:td>The Wide Area Information Server port is similar to gopher, serving as a text searching
14907: system to scour indexes on remote machines. Today, it is deprecated and nearly
14908: non-existent on the Internet. </xhtml:td>
14909: <xhtml:td>DENY</xhtml:td>
14910: </xhtml:tr>
14911: <xhtml:tr>
14912: <xhtml:td>280</xhtml:td>
14913: <xhtml:td>http-mgmt</xhtml:td>
14914: <xhtml:td>No documentation of any kind could be
14915: found on the obscure service that resides on this port. </xhtml:td>
14916: <xhtml:td>DENY</xhtml:td>
14917: </xhtml:tr>
14918: <xhtml:tr>
14919: <xhtml:td>443</xhtml:td>
14920: <xhtml:td>https</xhtml:td>
14921: <xhtml:td>SSL traffic is
14922: likely (and recommended) for any proxy and should be allowed. </xhtml:td>
14923: <xhtml:td>ALLOW</xhtml:td>
14924: </xhtml:tr>
14925: <xhtml:tr>
14926: <xhtml:td>488</xhtml:td>
14927: <xhtml:td>gss-http</xhtml:td>
14928: <xhtml:td>No
14929: documentation of any kind could be found on the obscure service that resides on this
14930: port. </xhtml:td>
14931: <xhtml:td>DENY</xhtml:td>
14932: </xhtml:tr>
14933: <xhtml:tr>
14934: <xhtml:td>591</xhtml:td>
14935: <xhtml:td>filemaker</xhtml:td>
14936: <xhtml:td>Filemaker is a database application originally offered by Apple
14937: in the 1980s. Although development continues and it remains in use today, it should be
14938: disabled if your network does not require such traffic. </xhtml:td>
14939: <xhtml:td>DENY</xhtml:td>
14940: </xhtml:tr>
14941: <xhtml:tr>
14942: <xhtml:td>777</xhtml:td>
14943: <xhtml:td>multiling http</xhtml:td>
14944: <xhtml:td>No documentation of any kind could be found on
14945: the obscure service that resides on this port</xhtml:td>
14946: <xhtml:td>DENY</xhtml:td>
14947: </xhtml:tr>
14948: <xhtml:tr>
14949: <xhtml:td>1025-65535</xhtml:td>
14950: <xhtml:td>unregistered ports http</xhtml:td>
14951: <xhtml:td>Random high ports are used by a variety of applications and should be allowed.
14952: Note that this range is by far the broadest entry in the list; narrow it if the proxy's clients only need specific high-port services.</xhtml:td>
14953: <xhtml:td>ALLOW</xhtml:td>
14954: </xhtml:tr>
14955: </xhtml:tbody>
14956: </xhtml:table></description>
14957: <warning xml:lang="en">Be very careful with the order of access control tags. Access
14958: control is handled top-down. The first rule that matches is the only rule adhered to.
14959: If no rule matches, Squid applies the opposite of the action on the last http_access line, so end the list with an explicit "http_access deny all" to make the fall-through behavior a deny. </warning>
14960: <Rule id="rule-3.19.2.5.a" selected="false" weight="10.000000">
14961: <title xml:lang="en">Restrict gss-http traffic</title>
14962: <description xml:lang="en">Squid should be configured to not allow gss-http traffic</description>
14963: <ident system="http://cce.mitre.org">CCE-4511-2</ident>
14964: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14965: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14966: <check-content-ref name="oval:org.fedoraproject.f14:def:20355" href="scap-fedora14-oval.xml"/>
14967: </check>
14968: </Rule>
14969: <Rule id="rule-3.19.2.5.b" selected="false" weight="10.000000">
14970: <title xml:lang="en">Restrict https traffic</title>
14971: <description xml:lang="en">Squid should be configured to not allow https traffic. Note: the port table in this section recommends ALLOW for port 443; select this rule only for a proxy that must not relay HTTPS (CONNECT to SSL ports).</description>
14972: <ident system="http://cce.mitre.org">CCE-4529-4</ident>
14973: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14974: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14975: <check-content-ref name="oval:org.fedoraproject.f14:def:20356" href="scap-fedora14-oval.xml"/>
14976: </check>
14977: </Rule>
14978: <Rule id="rule-3.19.2.5.c" selected="false" weight="10.000000">
14979: <title xml:lang="en">Restrict wais traffic</title>
14980: <description xml:lang="en">Squid should be configured to not allow wais traffic</description>
14981: <ident system="http://cce.mitre.org">CCE-3610-3</ident>
14982: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14983: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14984: <check-content-ref name="oval:org.fedoraproject.f14:def:20357" href="scap-fedora14-oval.xml"/>
14985: </check>
14986: </Rule>
14987: <Rule id="rule-3.19.2.5.d" selected="false" weight="10.000000">
14988: <title xml:lang="en">Restrict multiling http traffic</title>
14989: <description xml:lang="en">Squid should be configured to not allow multiling http traffic</description>
14990: <ident system="http://cce.mitre.org">CCE-4466-9</ident>
14991: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
14992: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
14993: <check-content-ref name="oval:org.fedoraproject.f14:def:20358" href="scap-fedora14-oval.xml"/>
14994: </check>
14995: </Rule>
14996: <Rule id="rule-3.19.2.5.e" selected="false" weight="10.000000">
14997: <title xml:lang="en">Restrict http traffic</title>
14998: <description xml:lang="en">Squid should be configured to not allow http traffic. Note: the port table in this section recommends ALLOW for port 80, which a web proxy normally requires; select this rule only where blocking HTTP is intentional.</description>
14999: <ident system="http://cce.mitre.org">CCE-4607-8</ident>
15000: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15001: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15002: <check-content-ref name="oval:org.fedoraproject.f14:def:20359" href="scap-fedora14-oval.xml"/>
15003: </check>
15004: </Rule>
15005: <Rule id="rule-3.19.2.5.f" selected="false" weight="10.000000">
15006: <title xml:lang="en">Restrict ftp traffic</title>
15007: <description xml:lang="en">Squid should be configured to not allow ftp traffic. Note: the port table in this section recommends ALLOW for port 21; select this rule only if the proxy does not need to relay FTP.</description>
15008: <ident system="http://cce.mitre.org">CCE-4255-6</ident>
15009: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15010: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15011: <check-content-ref name="oval:org.fedoraproject.f14:def:20360" href="scap-fedora14-oval.xml"/>
15012: </check>
15013: </Rule>
15014: <Rule id="rule-3.19.2.5.g" selected="false" weight="10.000000">
15015: <title xml:lang="en">Restrict gopher traffic</title>
15016: <description xml:lang="en">Squid should be configured to not allow gopher traffic</description>
15017: <ident system="http://cce.mitre.org">CCE-4127-7</ident>
15018: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15019: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15020: <check-content-ref name="oval:org.fedoraproject.f14:def:20361" href="scap-fedora14-oval.xml"/>
15021: </check>
15022: </Rule>
15023: <Rule id="rule-3.19.2.5.h" selected="false" weight="10.000000">
15024: <title xml:lang="en">Restrict filemaker traffic</title>
15025: <description xml:lang="en">Squid should be configured to not allow filemaker traffic</description>
15026: <ident system="http://cce.mitre.org">CCE-4519-5</ident>
15027: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15028: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15029: <check-content-ref name="oval:org.fedoraproject.f14:def:20362" href="scap-fedora14-oval.xml"/>
15030: </check>
15031: </Rule>
15032: <Rule id="rule-3.19.2.5.i" selected="false" weight="10.000000">
15033: <title xml:lang="en">Restrict proxy access to localhost </title>
15034: <description xml:lang="en">Squid should deny requests whose destination is localhost (the to_localhost ACL in the default squid.conf), so that the proxy cannot be used to reach services that are bound only to the loopback interface of the proxy host</description>
15035: <ident system="http://cce.mitre.org">CCE-4413-1</ident>
15036: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15037: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15038: <check-content-ref name="oval:org.fedoraproject.f14:def:20363" href="scap-fedora14-oval.xml"/>
15039: </check>
15040: </Rule>
15041: <Rule id="rule-3.19.2.5.j" selected="false" weight="10.000000">
15042: <title xml:lang="en">Restrict http-mgmt traffic</title>
15043: <description xml:lang="en">Squid should be configured to not allow http-mgmt traffic</description>
15044: <ident system="http://cce.mitre.org">CCE-4373-7</ident>
15045: <fixtext xml:lang="en">(1) via /etc/squid/squid.conf</fixtext>
15046: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15047: <check-content-ref name="oval:org.fedoraproject.f14:def:20364" href="scap-fedora14-oval.xml"/>
15048: </check>
15049: </Rule>
15050: </Group>
15051: <Group id="group-3.19.2.6" hidden="false">
15052: <title xml:lang="en">Configure Internet Cache Protocol (ICP) if Necessary</title>
15053: <description xml:lang="en">
15054: The ICP protocol is a cache communication protocol that allows
15055: multiple Squid servers to communicate. The ICP protocol was designed with no security in
15056: mind, relying on user-defined access control lists alone to determine which ICP messages
15057: to allow. Because ICP runs over UDP, a source-address ACL by itself can be defeated by address spoofing, so the ICP port should additionally be restricted to trusted peers in the host firewall rules. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15058: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15059: If a Squid server is standalone, the ICP port should be disabled by adding or
15060: correcting the following line in the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15061: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15062: icp_port 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15063: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15064: If the Squid server
15065: is meant to speak with peers, strict ACLs should be established to only allow ICP
15066: traffic from trusted neighbors. To accomplish this, add or correct the following lines:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15067: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15068: icp_access allow acl-defining-trusted-neighbors <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15069: icp_access deny all</description>
15070: </Group>
15071: <Group id="group-3.19.2.7" hidden="false">
15072: <title xml:lang="en">Configure iptables to Allow Access to the Proxy Server</title>
15073: <description xml:lang="en">
15074: Determine an appropriate network block, netwk , and network
15075: mask, mask , representing the machines on your network which should operate as clients
15076: of the proxy server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15077: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15078: Edit /etc/sysconfig/iptables. Add the following line, ensuring that
15079: it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain (if the configuration instead uses the built-in INPUT chain ending in a REJECT rule, insert the line there, before that REJECT rule): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15080: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15081: -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15082: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15083: For port, use either the default 3128 or the alternate port that was selected in Section
15084: 3.19.2.1. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15085: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15086: The default Iptables configuration does not allow inbound access to the Squid
15087: proxy service. This modification allows that access, while keeping other ports on the
15088: server in their default protected state. See Section 2.5.5 for more information about
15089: Iptables.</description>
15090: </Group>
15091: <Group id="group-3.19.2.8" hidden="false">
15092: <title xml:lang="en">Forward Log Messages to Syslog Daemon</title>
15093: <description xml:lang="en">
15094: The default behavior of Squid is to record its log messages in
15095: /var/log/squid.log. This behavior can be supplemented so that Squid also sends messages
15096: to syslog as well. This is useful for centralizing log data, particularly in instances
15097: where multiple Squid servers are present. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15098: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15099: Squid provides a command line argument to
15100: enable syslog forwarding. Modify the SQUID_OPTS line in /etc/init.d/squid to include the
15101: -s option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15102: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15103: SQUID_OPTS="${SQUID_OPTS:-"-D"} -s"</description>
15104: </Group>
15105: <Group id="group-3.19.2.9" hidden="false">
15106: <title xml:lang="en">Do Not Run as Root</title>
15107: <description xml:lang="en">
15108: Since Squid is loaded by the system's service utility, it
15109: starts as root and then changes its effective UID to the UID specified by the
15110: cache_effective_user directive. However, since it was still executed by root, the program
15111: maintains a saved UID of root even after changing its effective UID. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15112: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15113: To prevent this
15114: undesired behavior, Squid must either be configured to run in a chroot environment or it
15115: must be executed by a non-privileged user in non-daemon mode (the service utility must
15116: not be used).</description>
15117: <Group id="group-3.19.2.9.1" hidden="false">
15118: <title xml:lang="en">Run Squid in a chroot Jail</title>
15119: <description xml:lang="en">
15120: Chrooting Squid can be a very complicated task. Documentation
15121: for the process is vague and a great deal of trial and error may be required to
15122: determine all the files that need to be transitioned over to the chroot environment.
15123: Therefore, this guide recommends instead the method detailed in Section 3.19.2.9.2 to
15124: lower privileges. If chrooting Squid is still desired, it can be enabled with the
15125: following directive in the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15126: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15127: chroot chroot-path <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15128: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15129: Then, all the
15130: necessary files used by Squid must be copied into the chroot-path directory. The
15131: specifics of this step cannot be covered in this guide because they are highly
15132: dependent on the external programs used in the Squid configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15133: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15134: Note: The strace
15135: utility is a valuable resource for discovering the files needed for the chroot
15136: environment.</description>
15137: </Group>
15138: <Group id="group-3.19.2.9.2" hidden="false">
15139: <title xml:lang="en">Modify Service Entry to Lower Privileges</title>
15140: <description xml:lang="en">
15141: The following modification to /etc/init.d/squid forces the
15142: service utility to execute Squid as the squid user instead of the root user: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15143: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15144: # determine the name of the squid binary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15145: [ -f /usr/sbin/squid ] && SQUID="sudo -u squid squid" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15146: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15147: Making this change prevents Squid from writing its pid to
15148: /var/run. This pid file is used by service to check to see if the program started
15149: successfully. Therefore, a new location must be chosen for this pid file that the
15150: squid user has access to, and the corresponding references in /etc/init.d/squid must
15151: be altered to point to it. Note also that a Squid started this way never holds root privileges, so it cannot bind a port below 1024 (the default port 3128 is unaffected), and its cache and log directories must be writable by the squid user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15152: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15153: Make the following modification to the Squid configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15154: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15155: pid_filename /var/spool/squid/squid.pid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15156: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15157: Edit the file /etc/init.d/squid by
15158: changing all occurrences of /var/run/squid.pid to /var/spool/squid/squid.pid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15159: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15160: Also modify the following line in /etc/init.d/squid: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15161: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15162: [ $RETVAL -eq 0 ] && touch /var/lock/subsys/squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15163: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15164: and add the following lines immediately after it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15165: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15166: rm -f /var/lock/subsys/squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15167: status squid</description>
15168: </Group>
15169: </Group>
15170: </Group>
15171: </Group>
15172: <Group id="group-3.20" hidden="false">
15173: <title xml:lang="en">SNMP Server</title>
15174: <description xml:lang="en">
15175: The Simple Network Management Protocol allows administrators to
15176: monitor the state of network devices, including computers. Older versions of SNMP were
15177: well-known for weak security, such as plaintext transmission of the community string (used
15178: for authentication) and also usage of easily-guessable choices for community string.</description>
15179: <Group id="group-3.20.1" hidden="false">
15180: <title xml:lang="en">Disable SNMP Server if Possible</title>
15181: <description xml:lang="en">
15182: The system includes an SNMP daemon that allows for its remote
15183: monitoring, though it is not installed by default. If it was installed and activated, it is
15184: important that the software be disabled and removed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15185: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15186: If there is not a mission-critical
15187: need for hosts at this site to be remotely monitored by a SNMP tool, then disable and
15188: remove SNMP as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15189: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15190: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig snmpd off <xhtml:br/>
15191: # yum erase net-snmp</xhtml:code></description>
15192: <Rule id="rule-3.20.1.a" selected="false" weight="10.000000" severity="medium">
15193: <title xml:lang="en">Disable snmpd if Possible</title>
15194: <description xml:lang="en">The snmpd service should be disabled.</description>
15195: <ident system="http://cce.mitre.org">CCE-3765-5</ident>
15196: <fixtext xml:lang="en">(1) via chkconfig</fixtext>
15197: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15198: <check-content-ref name="oval:org.fedoraproject.f14:def:20365" href="scap-fedora14-oval.xml"/>
15199: </check>
15200: </Rule>
15201: <Rule id="rule-3.20.1.b" selected="false" weight="10.000000">
15202: <title xml:lang="en">Uninstall net-snmp if Possible</title>
15203: <description xml:lang="en">The net-snmp package should be uninstalled.</description>
15204: <ident system="http://cce.mitre.org">CCE-4404-0</ident>
15205: <fixtext xml:lang="en">(1) via yum</fixtext>
15206: <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
15207: <check-content-ref name="oval:org.fedoraproject.f14:def:20366" href="scap-fedora14-oval.xml"/>
15208: </check>
15209: </Rule>
15210: </Group>
15211: <Group id="group-3.20.2" hidden="false">
15212: <title xml:lang="en">Configure SNMP Server if Necessary</title>
15213: <description xml:lang="en">
15214: If it is necessary to run the snmpd agent on the system, some
15215: best practices should be followed to minimize the security risk from the installation. The
15216: multiple security models implemented by SNMP cannot be fully covered here so only the
15217: following general configuration advice can be offered: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15218: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15219: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
15220: <xhtml:li>use only SNMP version 3 security
15221: models and enable the use of authentication and encryption for those (the authPriv security level); SNMPv1 and SNMPv2c transmit the community string in plaintext </xhtml:li>
15222: <xhtml:li>write access to the
15223: MIB (Management Information Base) should be allowed only if necessary </xhtml:li>
15224: <xhtml:li>all access to the
15225: MIB should be restricted following a principle of least privilege </xhtml:li>
15226: <xhtml:li>network access should
15227: be limited to the maximum extent possible including restricting to expected network
15228: addresses both in the configuration files and in the system firewall rules </xhtml:li>
15229: <xhtml:li>ensure SNMP
15230: agents send traps only to, and accept SNMP queries only from, authorized management
15231: stations </xhtml:li>
15232: <xhtml:li>ensure that permissions on the snmpd.conf configuration file (by default, in
15233: /etc/snmp) are 640 or more restrictive, since it typically contains community strings and SNMPv3 access definitions </xhtml:li>
15234: <xhtml:li>ensure that any MIB files' permissions are also
15235: 640 or more restrictive</xhtml:li>
15236: </xhtml:ul></description>
15237: <Group id="group-3.20.2.1" hidden="false">
15238: <title xml:lang="en">Further Resources</title>
15239: <description xml:lang="en">
15240: The following resources provide more detailed information about the SNMP software: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15241: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>
15242: <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml">
15243: <xhtml:li>The CERT SNMP Vulnerabilities FAQ at http://www.cert.org/tech_tips/snmp_faq.html
15244: </xhtml:li>
15245: <xhtml:li>The Net-SNMP project web page at http://net-snmp.sourceforge.net </xhtml:li>
15246: <xhtml:li>The snmp_config(5) man page </xhtml:li>
15247: <xhtml:li>the snmpd.conf(5) man page</xhtml:li>
15248: </xhtml:ul>
15249: </description>
15250: </Group>
15251: </Group>
15252: </Group>
15253: </Group>
15254: <TestResult id="OSCAP-Test-F14-Desktop" start-time="2011-06-28T00:21:03" end-time="2011-06-28T00:42:58">
15255: <title>OSCAP Scan Result</title>
15256: <profile idref="F14-Desktop"/>
15257: <target>localhost.localdomain</target>
15258: <target-address>127.0.0.1</target-address>
15259: <target-address>192.168.0.9</target-address>
15260: <target-address>::1</target-address>
15261: <target-address>2002:614c:a6cd:0:a00:27ff:fefc:6b6</target-address>
15262: <target-address>fe80::a00:27ff:fefc:6b6%eth0</target-address>
15263: <target-facts>
15264: <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
15265: <fact name="urn:xccdf:fact:ethernet:MAC" type="string">08:00:27:FC:06:B6</fact>
15266: <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
15267: <fact name="urn:xccdf:fact:ethernet:MAC" type="string">08:00:27:FC:06:B6</fact>
15268: <fact name="urn:xccdf:fact:ethernet:MAC" type="string">08:00:27:FC:06:B6</fact>
15269: </target-facts>
15270: <rule-result idref="rule-2.1.1.1.1.a" time="2011-06-28T00:21:03" weight="10.000000">
15271: <result>notselected</result>
15272: </rule-result>
15273: <rule-result idref="rule-2.1.1.1.1.b" time="2011-06-28T00:21:03" weight="2.000000">
15274: <result>notselected</result>
15275: </rule-result>
15276: <rule-result idref="rule-2.1.1.1.2.a" time="2011-06-28T00:21:03" severity="low" weight="10.000000">
15277: <result>notselected</result>
15278: </rule-result>
15279: <rule-result idref="rule-2.1.1.1.2.b" time="2011-06-28T00:21:03" weight="10.000000">
15280: <result>notselected</result>
15281: </rule-result>
15282: <rule-result idref="rule-2.1.1.1.3.a" time="2011-06-28T00:21:03" weight="10.000000">
15283: <result>notselected</result>
15284: </rule-result>
15285: <rule-result idref="rule-2.1.1.1.4.a" time="2011-06-28T00:21:03" weight="10.000000">
15286: <result>notselected</result>
15287: </rule-result>
15288: <rule-result idref="rule-2.1.1.1.5.a" time="2011-06-28T00:21:03" severity="low" weight="10.000000">
15289: <result>notselected</result>
15290: </rule-result>
15291: <rule-result idref="rule-2.1.2.1.1.a" time="2011-06-28T00:21:03" weight="10.000000">
15292: <result>pass</result>
15293: </rule-result>
15294: <rule-result idref="rule-2.1.2.3.2.a" time="2011-06-28T00:21:03" severity="low" weight="10.000000">
15295: <result>notselected</result>
15296: <ident system="http://cce.mitre.org">CCE-4218-4</ident>
15297: <fix># chkconfig yum-updatesd off</fix>
15298: </rule-result>
15299: <rule-result idref="rule-2.1.2.3.2.b" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15300: <result>notselected</result>
15301: <fix>echo -e "/usr/bin/yum -R 120 -e 0 -d 0 -y update yum\n/usr/bin/yum -R 10 -e 0 -d 0 -y update" > /etc/cron.weekly/yum.cron</fix>
15302: </rule-result>
15303: <rule-result idref="rule-2.1.2.3.3.a" time="2011-06-28T00:21:03" weight="10.000000">
15304: <result>pass</result>
15305: </rule-result>
15306: <rule-result idref="rule-2.1.2.3.4.a" time="2011-06-28T00:21:03" weight="10.000000">
15307: <result>pass</result>
15308: </rule-result>
15309: <rule-result idref="rule-2.1.2.3.5.a" time="2011-06-28T00:21:03" weight="10.000000">
15310: <result>notselected</result>
15311: </rule-result>
15312: <rule-result idref="rule-2.1.2.3.6.a" time="2011-06-28T00:21:03" weight="10.000000">
15313: <result>pass</result>
15314: </rule-result>
15315: <rule-result idref="rule-2.1.3.1.1.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15316: <result>notselected</result>
15317: <ident system="http://cce.mitre.org">CCE-4209-3</ident>
15318: <fix>yum install aide</fix>
15319: </rule-result>
15320: <rule-result idref="rule-2.1.3.1.4.a" role="full" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15321: <result>notselected</result>
15322: <fix>echo -e "/usr/sbin/aide --check" > /etc/cron.daily/aide.cron</fix>
15323: </rule-result>
15324: <rule-result idref="rule-2.1.3.2.a" time="2011-06-28T00:21:03" weight="10.000000">
15325: <result>notselected</result>
15326: </rule-result>
15327: <rule-result idref="rule-2.2.1.1.a" role="full" time="2011-06-28T00:21:03" severity="unknown" weight="10.000000">
15328: <result>notselected</result>
15329: <ident system="http://cce.mitre.org">CCE-4249-9</ident>
15330: </rule-result>
15331: <rule-result idref="rule-2.2.1.2.a" time="2011-06-28T00:21:03" weight="10.000000">
15332: <result>notselected</result>
15333: <ident system="http://cce.mitre.org">CCE-3522-0</ident>
15334: </rule-result>
15335: <rule-result idref="rule-2.2.1.2.b" time="2011-06-28T00:21:03" weight="10.000000">
15336: <result>notselected</result>
15337: <ident system="http://cce.mitre.org">CCE-4275-4</ident>
15338: </rule-result>
15339: <rule-result idref="rule-2.2.1.2.c" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15340: <result>notselected</result>
15341: <ident system="http://cce.mitre.org">CCE-4042-8</ident>
15342: </rule-result>
15343: <rule-result idref="rule-2.2.2.1.1.a" time="2011-06-28T00:21:03" weight="10.000000">
15344: <result>notselected</result>
15345: <ident system="http://cce.mitre.org">CCE-4187-1</ident>
15346: <fix>echo -e "\nblacklist usb_storage" >> /etc/modprobe.d/blacklist.conf</fix>
15347: </rule-result>
15348: <rule-result idref="rule-2.2.2.1.2.a" time="2011-06-28T00:21:03" weight="10.000000">
15349: <result>notselected</result>
15350: <ident system="http://cce.mitre.org">CCE-4006-3</ident>
15351: <fix>rm /lib/modules/2.6.*/kernel/drivers/usb/storage/usb-storage.ko</fix>
15352: </rule-result>
15353: <rule-result idref="rule-2.2.2.1.3.a" time="2011-06-28T00:21:03" weight="10.000000">
15354: <result>notselected</result>
15355: <ident system="http://cce.mitre.org">CCE-4173-1</ident>
15356: </rule-result>
15357: <rule-result idref="rule-2.2.2.1.4.a" time="2011-06-28T00:21:03" severity="high" weight="10.000000">
15358: <result>notselected</result>
15359: <ident system="http://cce.mitre.org">CCE-3944-6</ident>
15360: </rule-result>
15361: <rule-result idref="rule-2.2.2.2.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15362: <result>notselected</result>
15363: <ident system="http://cce.mitre.org">CCE-4072-5</ident>
15364: <fix>chkconfig autofs off</fix>
15365: </rule-result>
15366: <rule-result idref="rule-2.2.2.3.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15367: <result>notselected</result>
15368: <ident system="http://cce.mitre.org">CCE-4231-7</ident>
15369: </rule-result>
15370: <rule-result idref="rule-2.2.2.4.a" time="2011-06-28T00:21:03" weight="10.000000">
15371: <result>notselected</result>
15372: <fix>echo "blacklist cramfs" >> /etc/modprobe.d/blacklist.conf</fix>
15373: </rule-result>
15374: <rule-result idref="rule-2.2.2.4.b" time="2011-06-28T00:21:03" weight="10.000000">
15375: <result>notselected</result>
15376: <fix>echo "blacklist freevxfs" >> /etc/modprobe.d/blacklist.conf</fix>
15377: </rule-result>
15378: <rule-result idref="rule-2.2.2.4.c" time="2011-06-28T00:21:03" weight="10.000000">
15379: <result>notselected</result>
15380: <fix>echo "blacklist jffs2" >> /etc/modprobe.d/blacklist.conf</fix>
15381: </rule-result>
15382: <rule-result idref="rule-2.2.2.4.d" time="2011-06-28T00:21:03" weight="10.000000">
15383: <result>notselected</result>
15384: <fix>echo "blacklist hfs" >> /etc/modprobe.d/blacklist.conf</fix>
15385: </rule-result>
15386: <rule-result idref="rule-2.2.2.4.e" time="2011-06-28T00:21:03" weight="10.000000">
15387: <result>notselected</result>
15388: <fix>echo "blacklist hfsplus" >> /etc/modprobe.d/blacklist.conf</fix>
15389: </rule-result>
15390: <rule-result idref="rule-2.2.2.4.f" time="2011-06-28T00:21:03" weight="10.000000">
15391: <result>notselected</result>
15392: <fix>echo "blacklist squashfs" >> /etc/modprobe.d/blacklist.conf</fix>
15393: </rule-result>
15394: <rule-result idref="rule-2.2.2.4.g" time="2011-06-28T00:21:03" weight="10.000000">
15395: <result>notselected</result>
15396: <fix>echo "blacklist udf" >> /etc/modprobe.d/blacklist.conf</fix>
15397: </rule-result>
15398: <rule-result idref="rule-2.2.3.1.a" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15399: <result>pass</result>
15400: <ident system="http://cce.mitre.org">CCE-3918-0</ident>
15401: </rule-result>
15402: <rule-result idref="rule-2.2.3.1.b" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15403: <result>pass</result>
15404: <ident system="http://cce.mitre.org">CCE-3988-3</ident>
15405: </rule-result>
15406: <rule-result idref="rule-2.2.3.1.c" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15407: <result>pass</result>
15408: <ident system="http://cce.mitre.org">CCE-3276-3</ident>
15409: </rule-result>
15410: <rule-result idref="rule-2.2.3.1.d" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15411: <result>pass</result>
15412: <ident system="http://cce.mitre.org">CCE-3883-6</ident>
15413: </rule-result>
15414: <rule-result idref="rule-2.2.3.1.e" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15415: <result>pass</result>
15416: <ident system="http://cce.mitre.org">CCE-4210-1</ident>
15417: </rule-result>
15418: <rule-result idref="rule-2.2.3.1.f" time="2011-06-28T00:21:03" severity="medium" weight="10.000000">
15419: <result>pass</result>
15420: <ident system="http://cce.mitre.org">CCE-4064-2</ident>
15421: </rule-result>
15422: <rule-result idref="rule-2.2.3.1.g" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15423: <result>pass</result>
15424: <ident system="http://cce.mitre.org">CCE-3958-6</ident>
15425: </rule-result>
15426: <rule-result idref="rule-2.2.3.1.h" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15427: <result>pass</result>
15428: <ident system="http://cce.mitre.org">CCE-3495-9</ident>
15429: </rule-result>
15430: <rule-result idref="rule-2.2.3.1.i" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15431: <result>pass</result>
15432: <ident system="http://cce.mitre.org">CCE-4130-1</ident>
15433: </rule-result>
15434: <rule-result idref="rule-2.2.3.1.j" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15435: <result>pass</result>
15436: <ident system="http://cce.mitre.org">CCE-3967-7</ident>
15437: </rule-result>
15438: <rule-result idref="rule-2.2.3.1.k" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15439: <result>pass</result>
15440: <ident system="http://cce.mitre.org">CCE-3932-1</ident>
15441: </rule-result>
15442: <rule-result idref="rule-2.2.3.1.l" time="2011-06-28T00:21:04" severity="medium" weight="10.000000">
15443: <result>pass</result>
15444: <ident system="http://cce.mitre.org">CCE-3566-7</ident>
15445: </rule-result>
15446: <rule-result idref="rule-2.2.3.2.a" time="2011-06-28T00:23:27" severity="low" weight="10.000000">
15447: <result>pass</result>
15448: <ident system="http://cce.mitre.org">CCE-3399-3</ident>
15449: </rule-result>
15450: <rule-result idref="rule-2.2.3.3.a" time="2011-06-28T00:26:32" severity="medium" weight="10.000000">
15451: <result>pass</result>
15452: <ident system="http://cce.mitre.org">CCE-3795-2</ident>
15453: </rule-result>
15454: <rule-result idref="rule-2.2.3.4.a" time="2011-06-28T00:29:38" severity="medium" weight="10.000000">
15455: <result>fail</result>
15456: <ident system="http://cce.mitre.org">CCE-4178-0</ident>
15457: </rule-result>
15458: <rule-result idref="rule-2.2.3.4.b" time="2011-06-28T00:32:43" severity="high" weight="10.000000">
15459: <result>fail</result>
15460: <ident system="http://cce.mitre.org">CCE-3324-1</ident>
15461: </rule-result>
15462: <rule-result idref="rule-2.2.3.5.a" time="2011-06-28T00:36:29" severity="medium" weight="10.000000">
15463: <result>fail</result>
15464: <ident system="http://cce.mitre.org">CCE-4223-4</ident>
15465: </rule-result>
15466: <rule-result idref="rule-2.2.3.5.b" time="2011-06-28T00:40:53" severity="medium" weight="10.000000">
15467: <result>fail</result>
15468: <ident system="http://cce.mitre.org">CCE-3573-3</ident>
15469: </rule-result>
15470: <rule-result idref="rule-2.2.3.6.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15471: <result>pass</result>
15472: </rule-result>
15473: <rule-result idref="rule-2.2.4.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15474: <result>pass</result>
15475: <ident system="http://cce.mitre.org">CCE-4220-0</ident>
15476: </rule-result>
15477: <rule-result idref="rule-2.2.4.2.a" time="2011-06-28T00:42:56" severity="low" weight="10.000000">
15478: <result>notselected</result>
15479: <ident system="http://cce.mitre.org">CCE-4225-9</ident>
15480: </rule-result>
15481: <rule-result idref="rule-2.2.4.2.b" time="2011-06-28T00:42:56" severity="low" weight="10.000000">
15482: <result>pass</result>
15483: <ident system="http://cce.mitre.org">CCE-4247-3</ident>
15484: </rule-result>
15485: <rule-result idref="rule-2.2.4.3.a" time="2011-06-28T00:42:56" weight="10.000000">
15486: <result>pass</result>
15487: <ident system="http://cce.mitre.org">CCE-4168-1</ident>
15488: </rule-result>
15489: <rule-result idref="rule-2.2.4.3.b" time="2011-06-28T00:42:56" weight="10.000000">
15490: <result>pass</result>
15491: <ident system="http://cce.mitre.org">CCE-4146-7</ident>
15492: </rule-result>
15493: <rule-result idref="rule-2.2.4.4.2.a" time="2011-06-28T00:42:56" weight="10.000000">
15494: <result>notselected</result>
15495: <ident system="http://cce.mitre.org">CCE-4177-2</ident>
15496: </rule-result>
15497: <rule-result idref="rule-2.3.1.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15498: <result>notselected</result>
15499: <ident system="http://cce.mitre.org">CCE-3820-8</ident>
15500: </rule-result>
15501: <rule-result idref="rule-2.3.1.1.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15502: <result>notselected</result>
15503: <ident system="http://cce.mitre.org">CCE-3485-0</ident>
15504: </rule-result>
15505: <rule-result idref="rule-2.3.1.1.c" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15506: <result>notselected</result>
15507: <ident system="http://cce.mitre.org">CCE-4111-1</ident>
15508: </rule-result>
15509: <rule-result idref="rule-2.3.1.1.d" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15510: <result>pass</result>
15511: <ident system="http://cce.mitre.org">CCE-4256-4</ident>
15512: </rule-result>
15513: <rule-result idref="rule-2.3.1.2.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15514: <result>notselected</result>
15515: </rule-result>
15516: <rule-result idref="rule-2.3.1.2.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15517: <result>notselected</result>
15518: </rule-result>
15519: <rule-result idref="rule-2.3.1.3.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15520: <result>notselected</result>
15521: <ident system="http://cce.mitre.org">CCE-4044-4</ident>
15522: <fix>echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers</fix>
15523: </rule-result>
15524: <rule-result idref="rule-2.3.1.4.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15525: <result>notselected</result>
15526: <ident system="http://cce.mitre.org">CCE-3987-5</ident>
15527: </rule-result>
15528: <rule-result idref="rule-2.3.1.5.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15529: <result>pass</result>
15530: <ident system="http://cce.mitre.org">CCE-4238-2</ident>
15531: </rule-result>
15532: <rule-result idref="rule-2.3.1.5.2.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15533: <result>pass</result>
15534: </rule-result>
15535: <rule-result idref="rule-2.3.1.6.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15536: <result>pass</result>
15537: <ident system="http://cce.mitre.org">CCE-4009-7</ident>
15538: </rule-result>
15539: <rule-result idref="rule-2.3.1.7.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15540: <result>pass</result>
15541: <ident system="http://cce.mitre.org">CCE-4154-1</ident>
15542: </rule-result>
15543: <rule-result idref="rule-2.3.1.7.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15544: <result>notselected</result>
15545: <ident system="http://cce.mitre.org">CCE-4180-6</ident>
15546: </rule-result>
15547: <rule-result idref="rule-2.3.1.7.c" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15548: <result>notselected</result>
15549: <ident system="http://cce.mitre.org">CCE-4092-3</ident>
15550: </rule-result>
15551: <rule-result idref="rule-2.3.1.7.d" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15552: <result>pass</result>
15553: <ident system="http://cce.mitre.org">CCE-4097-2</ident>
15554: </rule-result>
15555: <rule-result idref="rule-2.3.1.8.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15556: <result>notselected</result>
15557: </rule-result>
15558: <rule-result idref="rule-2.3.1.8.b" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15559: <result>notselected</result>
15560: </rule-result>
15561: <rule-result idref="rule-2.3.1.8.c" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15562: <result>notselected</result>
15563: <ident system="http://cce.mitre.org">CCE-4114-5</ident>
15564: </rule-result>
15565: <rule-result idref="rule-2.3.3.1.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15566: <result>notselected</result>
15567: <ident system="http://cce.mitre.org">CCE-3762-2</ident>
15568: </rule-result>
15569: <rule-result idref="rule-2.3.3.1.2.a" time="2011-06-28T00:42:56" weight="10.000000">
15570: <result>notselected</result>
15571: <!-- NOTE(review): CCE-3762-2 is also the ident recorded for rule-2.3.3.1.1.a directly above; a CCE maps to one configuration item, so one of the two is probably a copy error. Left as recorded; verify against the benchmark. --><ident system="http://cce.mitre.org">CCE-3762-2</ident>
15572: </rule-result>
15573: <rule-result idref="rule-2.3.3.2.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15574: <result>notselected</result>
15575: <ident system="http://cce.mitre.org">CCE-3410-8</ident>
15576: </rule-result>
15577: <rule-result idref="rule-2.3.3.2.b" time="2011-06-28T00:42:56" weight="10.000000">
15578: <result>notselected</result>
15579: </rule-result>
15580: <rule-result idref="rule-2.3.3.4.a" time="2011-06-28T00:42:56" weight="10.000000">
15581: <result>notselected</result>
15582: <ident system="http://cce.mitre.org">CCE-4185-5</ident>
15583: <!-- NOTE(review): fixes written with a leading "# " are shell-prompt transcripts, not executable commands; fed to a shell as-is the line is a comment and nothing is changed, so strip the prompt before automating any of them. "usergroup" is a placeholder for the local group that should be allowed to run userhelper; it does not exist by default. --><fix># chgrp usergroup /usr/sbin/userhelper</fix>
15584: </rule-result>
15585: <rule-result idref="rule-2.3.3.4.b" time="2011-06-28T00:42:56" weight="10.000000">
15586: <result>notselected</result>
15587: <ident system="http://cce.mitre.org">CCE-3952-9</ident>
15588: <fix># chmod 4710 /usr/sbin/userhelper</fix>
15589: </rule-result>
15590: <rule-result idref="rule-2.3.3.5.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15591: <result>fail</result>
15592: <!-- NOTE(review): this only changes the algorithm for hashes written from now on; every existing password stays stored under the old algorithm until that account's password is changed. To get the benefit for current users, force a change at next login (e.g. chage -d 0 on each account) after running it. --><fix>/usr/sbin/authconfig --passalgo=sha512 --update</fix>
15593: </rule-result>
15594: <rule-result idref="rule-2.3.3.6.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15595: <result>notselected</result>
15596: </rule-result>
15597: <rule-result idref="rule-2.3.4.1.a" time="2011-06-28T00:42:56" severity="medium" weight="10.000000">
15598: <result>pass</result>
15599: <ident system="http://cce.mitre.org">CCE-3301-9</ident>
15600: </rule-result>
15601: <rule-result idref="rule-2.3.4.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15602: <result>pass</result>
15603: </rule-result>
15604: <rule-result idref="rule-2.3.4.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15605: <result>fail</result>
15606: <ident system="http://cce.mitre.org">CCE-4090-7</ident>
15607: </rule-result>
15608: <rule-result idref="rule-2.3.4.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15609: <result>pass</result>
15610: <ident system="http://cce.mitre.org">CCE-3844-8</ident>
15611: </rule-result>
15612: <rule-result idref="rule-2.3.4.4.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15613: <result>pass</result>
15614: <ident system="http://cce.mitre.org">CCE-4227-5</ident>
15615: </rule-result>
15616: <rule-result idref="rule-2.3.4.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15617: <result>notselected</result>
15618: <!-- NOTE(review): the original fix "rm .netrc" used a relative path and so only removed a file in the scanner's current directory, not the per-user files the rule is about. The command below covers /root and the home directories under /home; adjust if local accounts live elsewhere. --><fix>find /root /home -maxdepth 2 -type f -name .netrc -exec rm -f {} \;</fix>
15619: </rule-result>
15620: <rule-result idref="rule-2.3.5.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15621: <result>pass</result>
15622: <ident system="http://cce.mitre.org">CCE-4144-2</ident>
15623: <fix>chown root /boot/grub/grub.conf</fix>
15624: </rule-result>
15625: <rule-result idref="rule-2.3.5.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15626: <result>fail</result>
15627: <ident system="http://cce.mitre.org">CCE-4197-0</ident>
15628: <fix>chown :root /boot/grub/grub.conf</fix>
15629: </rule-result>
15630: <rule-result idref="rule-2.3.5.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15631: <result>pass</result>
15632: <ident system="http://cce.mitre.org">CCE-3923-0</ident>
15633: <fix>chmod 600 /boot/grub/grub.conf</fix>
15634: </rule-result>
15635: <rule-result idref="rule-2.3.5.2.d" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15636: <result>notselected</result>
15637: <ident system="http://cce.mitre.org">CCE-3818-2</ident>
15638: </rule-result>
15639: <rule-result idref="rule-2.3.5.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15640: <result>notselected</result>
15641: <ident system="http://cce.mitre.org">CCE-4241-6</ident>
15642: </rule-result>
15643: <rule-result idref="rule-2.3.5.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15644: <result>notselected</result>
15645: <ident system="http://cce.mitre.org">CCE-4245-7</ident>
15646: </rule-result>
15647: <rule-result idref="rule-2.3.5.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15648: <result>notselected</result>
15649: <ident system="http://cce.mitre.org">CCE-3689-7</ident>
15650: </rule-result>
15651: <rule-result idref="rule-2.3.5.5.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15652: <result>notselected</result>
15653: <ident system="http://cce.mitre.org">CCE-3707-7</ident>
15654: </rule-result>
15655: <rule-result idref="rule-2.3.5.6.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15656: <result>notselected</result>
15657: <ident system="http://cce.mitre.org">CCE-3315-9</ident>
15658: </rule-result>
15659: <rule-result idref="rule-2.3.5.6.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15660: <result>notselected</result>
15661: </rule-result>
15662: <rule-result idref="rule-2.3.5.6.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15663: <result>notselected</result>
15664: </rule-result>
15665: <rule-result idref="rule-2.3.5.6.1.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15666: <result>notselected</result>
15667: </rule-result>
15668: <rule-result idref="rule-2.3.5.6.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15669: <result>notselected</result>
15670: <ident system="http://cce.mitre.org">CCE-3910-7</ident>
15671: <fix>yum install vlock</fix>
15672: </rule-result>
15673: <rule-result idref="rule-2.3.7.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15674: <result>notselected</result>
15675: <ident system="http://cce.mitre.org">CCE-4060-0</ident>
15676: </rule-result>
15677: <rule-result idref="rule-2.3.7.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15678: <result>notselected</result>
15679: <ident system="http://cce.mitre.org">CCE-4188-9</ident>
15680: </rule-result>
15681: <rule-result idref="rule-2.4.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15682: <result>pass</result>
15683: <ident system="http://cce.mitre.org">CCE-3977-6</ident>
15684: </rule-result>
15685: <rule-result idref="rule-2.4.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15686: <result>notselected</result>
15687: </rule-result>
15688: <rule-result idref="rule-2.4.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15689: <result>fail</result>
15690: </rule-result>
15691: <rule-result idref="rule-2.4.2.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15692: <result>pass</result>
15693: <ident system="http://cce.mitre.org">CCE-3624-4</ident>
15694: </rule-result>
15695: <rule-result idref="rule-2.4.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15696: <result>notselected</result>
15697: </rule-result>
15698: <rule-result idref="rule-2.4.3.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
15699: <result>notselected</result>
15700: <ident system="http://cce.mitre.org">CCE-3668-1</ident>
15701: </rule-result>
15702: <rule-result idref="rule-2.4.3.3.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
15703: <result>notselected</result>
15704: <ident system="http://cce.mitre.org">CCE-4129-3</ident>
15705: </rule-result>
15706: <rule-result idref="rule-2.4.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15707: <result>notselected</result>
15708: </rule-result>
15709: <rule-result idref="rule-2.5.1.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15710: <result>notselected</result>
15711: <ident system="http://cce.mitre.org">CCE-4151-7</ident>
15712: </rule-result>
15713: <rule-result idref="rule-2.5.1.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15714: <result>notselected</result>
15715: <ident system="http://cce.mitre.org">CCE-4155-8</ident>
15716: </rule-result>
15717: <rule-result idref="rule-2.5.1.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15718: <result>notselected</result>
15719: <ident system="http://cce.mitre.org">CCE-3561-8</ident>
15720: </rule-result>
15721: <rule-result idref="rule-2.5.1.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15722: <result>notselected</result>
15723: <ident system="http://cce.mitre.org">CCE-4236-6</ident>
15724: </rule-result>
15725: <rule-result idref="rule-2.5.1.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15726: <result>notselected</result>
15727: <ident system="http://cce.mitre.org">CCE-4217-6</ident>
15728: </rule-result>
15729: <rule-result idref="rule-2.5.1.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15730: <result>notselected</result>
15731: <ident system="http://cce.mitre.org">CCE-3472-8</ident>
15732: </rule-result>
15733: <rule-result idref="rule-2.5.1.2.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15734: <result>notselected</result>
15735: <ident system="http://cce.mitre.org">CCE-4320-8</ident>
15736: </rule-result>
15737: <rule-result idref="rule-2.5.1.2.e" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15738: <result>notselected</result>
15739: <ident system="http://cce.mitre.org">CCE-4091-5</ident>
15740: </rule-result>
15741: <rule-result idref="rule-2.5.1.2.f" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15742: <result>notselected</result>
15743: <ident system="http://cce.mitre.org">CCE-4186-3</ident>
15744: </rule-result>
15745: <rule-result idref="rule-2.5.1.2.g" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15746: <result>notselected</result>
15747: <ident system="http://cce.mitre.org">CCE-3339-9</ident>
15748: </rule-result>
15749: <rule-result idref="rule-2.5.1.2.h" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15750: <result>notselected</result>
15751: <ident system="http://cce.mitre.org">CCE-3644-2</ident>
15752: </rule-result>
15753: <rule-result idref="rule-2.5.1.2.i" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15754: <result>notselected</result>
15755: <ident system="http://cce.mitre.org">CCE-4133-5</ident>
15756: </rule-result>
15757: <rule-result idref="rule-2.5.1.2.j" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15758: <result>notselected</result>
15759: <ident system="http://cce.mitre.org">CCE-4265-5</ident>
15760: </rule-result>
15761: <rule-result idref="rule-2.5.1.2.k" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15762: <result>notselected</result>
15763: <ident system="http://cce.mitre.org">CCE-4080-8</ident>
15764: </rule-result>
15765: <rule-result idref="rule-2.5.1.2.l" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15766: <result>notselected</result>
15767: <ident system="http://cce.mitre.org">CCE-3840-6</ident>
15768: </rule-result>
15769: <rule-result idref="rule-2.5.2.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15770: <result>notselected</result>
15771: <ident system="http://cce.mitre.org">CCE-3628-5</ident>
15772: </rule-result>
15773: <rule-result idref="rule-2.5.2.2.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15774: <result>notselected</result>
15775: <ident system="http://cce.mitre.org">CCE-4276-2</ident>
15776: </rule-result>
15777: <rule-result idref="rule-2.5.2.2.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15778: <result>notselected</result>
15779: <ident system="http://cce.mitre.org">CCE-4170-7</ident>
15780: </rule-result>
15781: <rule-result idref="rule-2.5.3.1.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15782: <result>notselected</result>
15783: <ident system="http://cce.mitre.org">CCE-3562-6</ident>
15784: </rule-result>
15785: <rule-result idref="rule-2.5.3.1.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15786: <result>notselected</result>
15787: <ident system="http://cce.mitre.org">CCE-3381-1</ident>
15788: </rule-result>
15789: <rule-result idref="rule-2.5.3.1.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15790: <result>notselected</result>
15791: <ident system="http://cce.mitre.org">CCE-3377-9</ident>
15792: </rule-result>
15793: <rule-result idref="rule-2.5.3.1.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15794: <result>notselected</result>
15795: <ident system="http://cce.mitre.org">CCE-4296-0</ident>
15796: </rule-result>
15797: <rule-result idref="rule-2.5.3.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15798: <result>notselected</result>
15799: <ident system="http://cce.mitre.org">CCE-4269-7</ident>
15800: </rule-result>
15801: <rule-result idref="rule-2.5.3.2.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15802: <result>notselected</result>
15803: <ident system="http://cce.mitre.org">CCE-4291-1</ident>
15804: </rule-result>
15805: <rule-result idref="rule-2.5.3.2.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15806: <result>notselected</result>
15807: <ident system="http://cce.mitre.org">CCE-4313-3</ident>
15808: </rule-result>
15809: <rule-result idref="rule-2.5.3.2.1.d" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15810: <result>notselected</result>
15811: <ident system="http://cce.mitre.org">CCE-4198-8</ident>
15812: </rule-result>
15813: <rule-result idref="rule-2.5.3.2.3.a" time="2011-06-28T00:42:57" weight="10.000000">
15814: <result>notselected</result>
15815: <ident system="http://cce.mitre.org">CCE-3842-2</ident>
15816: </rule-result>
15817: <rule-result idref="rule-2.5.3.2.5.a" time="2011-06-28T00:42:57" weight="10.000000">
15818: <result>notselected</result>
15819: <ident system="http://cce.mitre.org">CCE-4159-0</ident>
15820: </rule-result>
15821: <rule-result idref="rule-2.5.3.2.5.b" time="2011-06-28T00:42:57" weight="10.000000">
15822: <result>notselected</result>
15823: <ident system="http://cce.mitre.org">CCE-4221-8</ident>
15824: </rule-result>
15825: <rule-result idref="rule-2.5.3.2.5.c" time="2011-06-28T00:42:57" weight="10.000000">
15826: <result>notselected</result>
15827: <ident system="http://cce.mitre.org">CCE-4058-4</ident>
15828: </rule-result>
15829: <rule-result idref="rule-2.5.3.2.5.d" time="2011-06-28T00:42:57" weight="10.000000">
15830: <result>notselected</result>
15831: <ident system="http://cce.mitre.org">CCE-4128-5</ident>
15832: </rule-result>
15833: <rule-result idref="rule-2.5.3.2.5.e" time="2011-06-28T00:42:57" weight="10.000000">
15834: <result>notselected</result>
15835: <ident system="http://cce.mitre.org">CCE-4287-9</ident>
15836: </rule-result>
15837: <rule-result idref="rule-2.5.3.2.5.f" time="2011-06-28T00:42:57" weight="10.000000">
15838: <result>notselected</result>
15839: <ident system="http://cce.mitre.org">CCE-3895-0</ident>
15840: </rule-result>
15841: <rule-result idref="rule-2.5.3.2.5.g" time="2011-06-28T00:42:57" weight="10.000000">
15842: <result>notselected</result>
15843: <ident system="http://cce.mitre.org">CCE-4137-6</ident>
15844: </rule-result>
15845: <rule-result idref="rule-2.5.5.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15846: <result>pass</result>
15847: <ident system="http://cce.mitre.org">CCE-4167-3</ident>
15848: <!-- NOTE(review): chkconfig only enables the service for subsequent boots; if the firewall must be active on the running system as well, also start it (service ip6tables start, and likewise iptables for the next rule). --><fix>chkconfig ip6tables on</fix>
15849: </rule-result>
15850: <rule-result idref="rule-2.5.5.1.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15851: <result>pass</result>
15852: <ident system="http://cce.mitre.org">CCE-4189-7</ident>
15853: <fix>chkconfig iptables on</fix>
15854: </rule-result>
15855: <rule-result idref="rule-2.5.5.3.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15856: <result>notselected</result>
15857: </rule-result>
15858: <rule-result idref="rule-2.5.5.3.1.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15859: <result>notselected</result>
15860: </rule-result>
15861: <rule-result idref="rule-2.5.7.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15862: <result>notselected</result>
15863: </rule-result>
15864: <rule-result idref="rule-2.5.7.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15865: <result>notselected</result>
15866: </rule-result>
15867: <rule-result idref="rule-2.5.7.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15868: <result>notselected</result>
15869: </rule-result>
15870: <rule-result idref="rule-2.5.7.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15871: <result>notselected</result>
15872: </rule-result>
15873: <rule-result idref="rule-2.6.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15874: <result>pass</result>
15875: <ident system="http://cce.mitre.org">CCE-3679-8</ident>
15876: <fix>chkconfig rsyslog on</fix>
15877: </rule-result>
15878: <rule-result idref="rule-2.6.1.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15879: <result>pass</result>
15880: <ident system="http://cce.mitre.org">CCE-4366-1</ident>
15881: </rule-result>
15882: <rule-result idref="rule-2.6.1.2.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15883: <result>pass</result>
15884: <ident system="http://cce.mitre.org">CCE-3701-0</ident>
15885: </rule-result>
15886: <rule-result idref="rule-2.6.1.2.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15887: <result>pass</result>
15888: <ident system="http://cce.mitre.org">CCE-4233-3</ident>
15889: </rule-result>
15890: <rule-result idref="rule-2.6.1.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15891: <result>notselected</result>
15892: <ident system="http://cce.mitre.org">CCE-4260-6</ident>
15893: </rule-result>
15894: <rule-result idref="rule-2.6.1.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15895: <result>notselected</result>
15896: <ident system="http://cce.mitre.org">CCE-3382-9</ident>
15897: </rule-result>
15898: <rule-result idref="rule-2.6.1.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15899: <result>notselected</result>
15900: <ident system="http://cce.mitre.org">CCE-4182-2</ident>
15901: </rule-result>
15902: <rule-result idref="rule-2.6.1.6.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15903: <result>notselected</result>
15904: <ident system="http://cce.mitre.org">CCE-4323-2</ident>
15905: </rule-result>
15906: <rule-result idref="rule-2.6.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15907: <result>pass</result>
15908: <ident system="http://cce.mitre.org">CCE-4292-9</ident>
15909: </rule-result>
15910: <rule-result idref="rule-2.6.2.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15911: <result>notselected</result>
15912: </rule-result>
15913: <rule-result idref="rule-2.6.2.4.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15914: <result>notselected</result>
15915: </rule-result>
15916: <rule-result idref="rule-2.6.2.4.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15917: <result>notselected</result>
15918: <!-- NOTE(review): "audit-version" is a placeholder for the installed audit package's documentation directory under /usr/share/doc (e.g. audit-2.0.x). Copying stig.rules over /etc/audit/audit.rules replaces any locally maintained rules rather than merging them, and the new rules are not loaded until auditd is restarted or the file is fed to auditctl -R. The same remark applies to the identical fix repeated on the audit rules below. --><fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15919: </rule-result>
15920: <rule-result idref="rule-2.6.2.4.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15921: <result>notselected</result>
15922: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15923: </rule-result>
15924: <rule-result idref="rule-2.6.2.4.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15925: <result>notselected</result>
15926: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15927: </rule-result>
15928: <rule-result idref="rule-2.6.2.4.5.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15929: <result>notselected</result>
15930: </rule-result>
15931: <rule-result idref="rule-2.6.2.4.6.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15932: <result>notselected</result>
15933: </rule-result>
15934: <rule-result idref="rule-2.6.2.4.7.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15935: <result>notselected</result>
15936: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15937: </rule-result>
15938: <rule-result idref="rule-2.6.2.4.8.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15939: <result>notselected</result>
15940: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15941: </rule-result>
15942: <rule-result idref="rule-2.6.2.4.9.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15943: <result>notselected</result>
15944: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15945: </rule-result>
15946: <rule-result idref="rule-2.6.2.4.10.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15947: <result>notselected</result>
15948: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15949: </rule-result>
15950: <rule-result idref="rule-2.6.2.4.11.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15951: <result>notselected</result>
15952: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15953: </rule-result>
15954: <rule-result idref="rule-2.6.2.4.12.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15955: <result>notselected</result>
15956: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15957: </rule-result>
15958: <rule-result idref="rule-2.6.2.4.13.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15959: <result>notselected</result>
15960: </rule-result>
15961: <rule-result idref="rule-2.6.2.4.14.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15962: <result>notselected</result>
15963: <fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>
15964: </rule-result>
15965: <rule-result idref="rule-3.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15966: <result>notselected</result>
15967: <ident system="http://cce.mitre.org">CCE-4234-1</ident>
15968: </rule-result>
15969: <rule-result idref="rule-3.2.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
15970: <result>notselected</result>
15971: <ident system="http://cce.mitre.org">CCE-4252-3</ident>
15972: </rule-result>
15973: <rule-result idref="rule-3.2.1.c" time="2011-06-28T00:42:57" weight="10.000000">
15974: <result>notselected</result>
15975: <ident system="http://cce.mitre.org">CCE-4023-8</ident>
15976: <fix># yum erase inetd</fix>
15977: </rule-result>
15978: <rule-result idref="rule-3.2.1.d" time="2011-06-28T00:42:57" weight="10.000000">
15979: <result>notselected</result>
15980: <ident system="http://cce.mitre.org">CCE-4164-0</ident>
15981: <fix># yum erase xinetd</fix>
15982: </rule-result>
15983: <rule-result idref="rule-3.2.2.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15984: <result>notselected</result>
15985: <ident system="http://cce.mitre.org">CCE-4330-7</ident>
15986: <fix># yum erase telnet-server</fix>
15987: </rule-result>
15988: <rule-result idref="rule-3.2.2.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15989: <result>notselected</result>
15990: <ident system="http://cce.mitre.org">CCE-3390-2</ident>
15991: </rule-result>
15992: <rule-result idref="rule-3.2.2.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
15993: <result>notselected</result>
15994: <fix># yum erase telnet</fix>
15995: </rule-result>
15996: <rule-result idref="rule-3.2.2.1.b" time="2011-06-28T00:42:57" weight="10.000000">
15997: <result>notselected</result>
15998: <fix># yum erase rsh-server</fix>
15999: </rule-result>
16000: <rule-result idref="rule-3.2.3.1.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16001: <result>notselected</result>
16002: <ident system="http://cce.mitre.org">CCE-4308-3</ident>
16003: <fix># yum erase rsh-server</fix>
16004: </rule-result>
16005: <rule-result idref="rule-3.2.3.1.b" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16006: <result>notselected</result>
16007: <ident system="http://cce.mitre.org">CCE-3974-3</ident>
16008: <!-- NOTE(review): rsh-server ships xinetd services named rsh, rlogin and rexec, not rcp (rcp rides on the rsh service), so this fix does not match a service; rexec is presumably what was intended. Verify against the benchmark rule text before relying on it. --><fix># chkconfig rcp off</fix>
16009: </rule-result>
16010: <rule-result idref="rule-3.2.3.1.c" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16011: <result>notselected</result>
16012: <ident system="http://cce.mitre.org">CCE-4141-8</ident>
16013: <fix># chkconfig rsh off</fix>
16014: </rule-result>
16015: <rule-result idref="rule-3.2.3.1.d" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16016: <result>notselected</result>
16017: <ident system="http://cce.mitre.org">CCE-3537-8</ident>
16018: <fix># chkconfig rlogin off</fix>
16019: </rule-result>
16020: <rule-result idref="rule-3.2.3.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16021: <result>notselected</result>
16022: </rule-result>
16023: <rule-result idref="rule-3.2.3.3.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16024: <result>notselected</result>
16025: <fix># yum erase rsh</fix>
16026: </rule-result>
16027: <rule-result idref="rule-3.2.4.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16028: <result>notselected</result>
16029: <ident system="http://cce.mitre.org">CCE-4348-9</ident>
16030: <fix># yum erase ypserv</fix>
16031: </rule-result>
16032: <rule-result idref="rule-3.2.4.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16033: <result>notselected</result>
16034: <ident system="http://cce.mitre.org">CCE-3705-1</ident>
16035: <fix># chkconfig ypbind off</fix>
16036: </rule-result>
16037: <rule-result idref="rule-3.2.5.a" time="2011-06-28T00:42:57" weight="10.000000">
16038: <result>notselected</result>
16039: <ident system="http://cce.mitre.org">CCE-3916-4</ident>
16040: <fix># yum erase tftp-server</fix>
16041: </rule-result>
16042: <rule-result idref="rule-3.2.5.b" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16043: <result>notselected</result>
16044: <ident system="http://cce.mitre.org">CCE-4273-9</ident>
16045: <fix># chkconfig tftp off</fix>
16046: </rule-result>
16047: <rule-result idref="rule-3.3.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16048: <result>notselected</result>
16049: <ident system="http://cce.mitre.org">CCE-3412-4</ident>
16050: <fix># chkconfig firstboot off</fix>
16051: </rule-result>
16052: <rule-result idref="rule-3.3.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16053: <result>notselected</result>
16054: <ident system="http://cce.mitre.org">CCE-4229-1</ident>
16055: <fix># chkconfig gpm off</fix>
16056: </rule-result>
16057: <rule-result idref="rule-3.3.3.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16058: <result>notselected</result>
16059: <ident system="http://cce.mitre.org">CCE-4123-6</ident>
16060: <fix># chkconfig irqbalance off</fix>
16061: </rule-result>
16062: <rule-result idref="rule-3.3.4.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16063: <result>notselected</result>
16064: <ident system="http://cce.mitre.org">CCE-4286-1</ident>
16065: <fix># chkconfig isdn off</fix>
16066: </rule-result>
16067: <rule-result idref="rule-3.3.5.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16068: <result>notselected</result>
16069: <ident system="http://cce.mitre.org">CCE-3425-6</ident>
16070: <fix># chkconfig kdump off</fix>
16071: </rule-result>
16072: <rule-result idref="rule-3.3.6.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16073: <result>notselected</result>
16074: <ident system="http://cce.mitre.org">CCE-4211-9</ident>
16075: <fix># chkconfig kudzu off</fix>
16076: </rule-result>
16077: <rule-result idref="rule-3.3.7.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16078: <result>notselected</result>
16079: <ident system="http://cce.mitre.org">CCE-3854-7</ident>
16080: <fix># chkconfig mdmonitor off</fix>
16081: </rule-result>
16082: <rule-result idref="rule-3.3.8.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16083: <result>notselected</result>
16084: <ident system="http://cce.mitre.org">CCE-4356-2</ident>
16085: <!-- NOTE(review): the init script is named microcode_ctl; the original text had a space in place of the underscore, which chkconfig would reject. --><fix># chkconfig microcode_ctl off</fix>
16086: </rule-result>
16087: <rule-result idref="rule-3.3.9.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16088: <result>notselected</result>
16089: <ident system="http://cce.mitre.org">CCE-4369-5</ident>
16090: <fix># chkconfig network off</fix>
16091: </rule-result>
16092: <rule-result idref="rule-3.3.9.2.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16093: <result>notselected</result>
16094: <!-- NOTE(review): "interface" is a placeholder for the specific interface to be disabled (e.g. ifcfg-eth1); do not remove ifcfg-lo. --><fix># rm /etc/sysconfig/network-scripts/ifcfg-interface</fix>
16095: </rule-result>
16096: <rule-result idref="rule-3.3.9.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16097: <result>notselected</result>
16098: <!-- NOTE(review): CCE-4369-5 is also the ident recorded for rule-3.3.9.1.a above; a CCE maps to one configuration item, so one of the two is probably a copy error. Left as recorded; verify against the benchmark. --><ident system="http://cce.mitre.org">CCE-4369-5</ident>
16099: </rule-result>
16100: <rule-result idref="rule-3.3.10.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16101: <result>notselected</result>
16102: <ident system="http://cce.mitre.org">CCE-4100-4</ident>
16103: <fix># chkconfig pcscd off</fix>
16104: </rule-result>
16105: <rule-result idref="rule-3.3.11.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16106: <result>notselected</result>
16107: <ident system="http://cce.mitre.org">CCE-3455-3</ident>
16108: <fix># chkconfig smartd off</fix>
16109: </rule-result>
16110: <rule-result idref="rule-3.3.12.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16111: <result>notselected</result>
16112: <ident system="http://cce.mitre.org">CCE-4421-4</ident>
16113: <fix># chkconfig readahead early off</fix>
16114: </rule-result>
16115: <rule-result idref="rule-3.3.12.b" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16116: <result>notselected</result>
16117: <ident system="http://cce.mitre.org">CCE-4302-6</ident>
16118: <fix># chkconfig readahead later off</fix>
16119: </rule-result>
16120: <rule-result idref="rule-3.3.13.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16121: <result>notselected</result>
16122: <ident system="http://cce.mitre.org">CCE-3822-4</ident>
16123: <fix># chkconfig messagebus off</fix>
16124: </rule-result>
16125: <rule-result idref="rule-3.3.13.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16126: <result>notselected</result>
16127: <ident system="http://cce.mitre.org">CCE-4364-6</ident>
16128: <fix># chkconfig haldaemon off</fix>
16129: </rule-result>
16130: <rule-result idref="rule-3.3.14.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16131: <result>notselected</result>
16132: <ident system="http://cce.mitre.org">CCE-4355-4</ident>
16133: <fix># chkconfig bluetooth off</fix>
16134: </rule-result>
16135: <rule-result idref="rule-3.3.14.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16136: <result>notselected</result>
16137: <ident system="http://cce.mitre.org">CCE-4377-8</ident>
16138: <fix># chkconfig hidd off</fix>
16139: </rule-result>
16140: <rule-result idref="rule-3.3.14.3.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16141: <result>notselected</result>
16142: </rule-result>
16143: <rule-result idref="rule-3.3.15.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16144: <result>notselected</result>
16145: <ident system="http://cce.mitre.org">CCE-4289-5</ident>
16146: <fix># chkconfig apmd off</fix>
16147: </rule-result>
16148: <rule-result idref="rule-3.3.15.2.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16149: <result>notselected</result>
16150: <ident system="http://cce.mitre.org">CCE-4298-6</ident>
16151: </rule-result>
16152: <rule-result idref="rule-3.3.15.3.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16153: <result>notselected</result>
16154: <ident system="http://cce.mitre.org">CCE-4051-9</ident>
16155: </rule-result>
16156: <rule-result idref="rule-3.4.a" time="2011-06-28T00:42:57" severity="high" weight="10.000000">
16157: <result>notselected</result>
16158: <ident system="http://cce.mitre.org">CCE-4324-0</ident>
16159: </rule-result>
16160: <rule-result idref="rule-3.4.1.a" time="2011-06-28T00:42:57" severity="low" weight="10.000000">
16161: <result>notselected</result>
16162: <ident system="http://cce.mitre.org">CCE-4406-5</ident>
16163: </rule-result>
16164: <rule-result idref="rule-3.4.1.b" time="2011-06-28T00:42:57" weight="10.000000">
16165: <result>notselected</result>
16166: <ident system="http://cce.mitre.org">CCE-4428-9</ident>
16167: <fix># yum erase anacron</fix>
16168: </rule-result>
16169: <rule-result idref="rule-3.4.2.1.a" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16170: <result>pass</result>
16171: <ident system="http://cce.mitre.org">CCE-3626-9</ident>
16172: </rule-result>
16173: <rule-result idref="rule-3.4.2.1.b" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16174: <result>pass</result>
16175: <ident system="http://cce.mitre.org">CCE-3851-3</ident>
16176: </rule-result>
16177: <rule-result idref="rule-3.4.2.1.c" time="2011-06-28T00:42:57" severity="medium" weight="10.000000">
16178: <result>pass</result>
16179: <ident system="http://cce.mitre.org">CCE-4388-5</ident>
16180: </rule-result>
16181: <rule-result idref="rule-3.4.2.2.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16182: <result>pass</result>
16183: <ident system="http://cce.mitre.org">CCE-3604-6</ident>
16184: </rule-result>
16185: <rule-result idref="rule-3.4.2.2.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16186: <result>pass</result>
16187: <ident system="http://cce.mitre.org">CCE-4379-4</ident>
16188: </rule-result>
16189: <rule-result idref="rule-3.4.2.2.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16190: <result>pass</result>
16191: <ident system="http://cce.mitre.org">CCE-4304-2</ident>
16192: </rule-result>
16193: <rule-result idref="rule-3.4.2.3.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16194: <result>pass</result>
16195: <ident system="http://cce.mitre.org">CCE-4054-3</ident>
16196: </rule-result>
16197: <rule-result idref="rule-3.4.2.3.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16198: <result>pass</result>
16199: <ident system="http://cce.mitre.org">CCE-3481-9</ident>
16200: </rule-result>
16201: <rule-result idref="rule-3.4.2.3.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16202: <result>pass</result>
16203: <ident system="http://cce.mitre.org">CCE-4331-5</ident>
16204: </rule-result>
16205: <rule-result idref="rule-3.4.2.3.d" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16206: <result>pass</result>
16207: <ident system="http://cce.mitre.org">CCE-4322-4</ident>
16208: </rule-result>
16209: <rule-result idref="rule-3.4.2.3.e" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16210: <result>pass</result>
16211: <ident system="http://cce.mitre.org">CCE-4212-7</ident>
16212: </rule-result>
16213: <rule-result idref="rule-3.4.2.3.f" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16214: <result>pass</result>
16215: <ident system="http://cce.mitre.org">CCE-3983-4</ident>
16216: </rule-result>
16217: <rule-result idref="rule-3.4.2.3.g" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16218: <result>pass</result>
16219: <ident system="http://cce.mitre.org">CCE-4022-0</ident>
16220: </rule-result>
16221: <rule-result idref="rule-3.4.2.3.h" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16222: <result>pass</result>
16223: <ident system="http://cce.mitre.org">CCE-3833-1</ident>
16224: </rule-result>
16225: <rule-result idref="rule-3.4.2.3.i" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16226: <result>pass</result>
16227: <ident system="http://cce.mitre.org">CCE-4441-2</ident>
16228: </rule-result>
16229: <rule-result idref="rule-3.4.2.3.j" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16230: <result>pass</result>
16231: <ident system="http://cce.mitre.org">CCE-4380-2</ident>
16232: </rule-result>
16233: <rule-result idref="rule-3.4.2.3.k" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16234: <result>pass</result>
16235: <ident system="http://cce.mitre.org">CCE-4106-1</ident>
16236: </rule-result>
16237: <rule-result idref="rule-3.4.2.3.l" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16238: <result>pass</result>
16239: <ident system="http://cce.mitre.org">CCE-4450-3</ident>
16240: </rule-result>
16241: <rule-result idref="rule-3.4.2.3.m" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16242: <result>pass</result>
16243: <ident system="http://cce.mitre.org">CCE-4203-6</ident>
16244: </rule-result>
16245: <rule-result idref="rule-3.4.2.3.n" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16246: <result>pass</result>
16247: <ident system="http://cce.mitre.org">CCE-4251-5</ident>
16248: </rule-result>
16249: <rule-result idref="rule-3.4.2.3.o" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16250: <result>pass</result>
16251: <ident system="http://cce.mitre.org">CCE-4250-7</ident>
16252: </rule-result>
16253: <rule-result idref="rule-3.4.2.4.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16254: <result>pass</result>
16255: </rule-result>
16256: <rule-result idref="rule-3.4.2.4.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16257: <result>pass</result>
16258: </rule-result>
16259: <rule-result idref="rule-3.4.2.4.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16260: <result>pass</result>
16261: </rule-result>
16262: <rule-result idref="rule-3.4.3.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16263: <result>notselected</result>
16264: </rule-result>
16265: <rule-result idref="rule-3.4.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16266: <result>notselected</result>
16267: </rule-result>
16268: <rule-result idref="rule-3.4.4.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16269: <result>notselected</result>
16270: <fix>rm /etc/cron.deny</fix>
16271: </rule-result>
16272: <rule-result idref="rule-3.4.4.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16273: <result>notselected</result>
16274: <fix>rm /etc/at.deny</fix>
16275: </rule-result>
16276: <rule-result idref="rule-3.5.1.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16277: <result>notselected</result>
16278: <ident system="http://cce.mitre.org">CCE-4268-9</ident>
16279: <fix># chkconfig sshd off</fix>
16280: </rule-result>
16281: <rule-result idref="rule-3.5.1.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16282: <result>notselected</result>
16283: <ident system="http://cce.mitre.org">CCE-4272-1</ident>
16284: <fix># yum erase openssh-server</fix>
16285: </rule-result>
16286: <rule-result idref="rule-3.5.1.2.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16287: <result>notselected</result>
16288: <ident system="http://cce.mitre.org">CCE-4295-2</ident>
16289: </rule-result>
16290: <rule-result idref="rule-3.5.1.2.b" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16291: <result>notselected</result>
16292: </rule-result>
16293: <rule-result idref="rule-3.5.2.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16294: <result>notselected</result>
16295: <ident system="http://cce.mitre.org">CCE-4325-7</ident>
16296: </rule-result>
16297: <rule-result idref="rule-3.5.2.3.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16298: <result>notselected</result>
16299: <ident system="http://cce.mitre.org">CCE-3845-5</ident>
16300: </rule-result>
16301: <rule-result idref="rule-3.5.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16302: <result>notselected</result>
16303: </rule-result>
16304: <rule-result idref="rule-3.5.2.4.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16305: <result>notselected</result>
16306: <ident system="http://cce.mitre.org">CCE-4475-0</ident>
16307: </rule-result>
16308: <rule-result idref="rule-3.5.2.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16309: <result>notselected</result>
16310: <ident system="http://cce.mitre.org">CCE-4370-3</ident>
16311: </rule-result>
16312: <rule-result idref="rule-3.5.2.6.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16313: <result>notselected</result>
16314: <ident system="http://cce.mitre.org">CCE-4387-7</ident>
16315: </rule-result>
16316: <rule-result idref="rule-3.5.2.7.a" time="2011-06-28T00:42:58" weight="10.000000">
16317: <result>notselected</result>
16318: <ident system="http://cce.mitre.org">CCE-3660-8</ident>
16319: </rule-result>
16320: <rule-result idref="rule-3.5.2.8.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16321: <result>notselected</result>
16322: <ident system="http://cce.mitre.org">CCE-4431-3</ident>
16323: </rule-result>
16324: <rule-result idref="rule-3.5.2.9.a" time="2011-06-28T00:42:58" weight="10.000000">
16325: <result>notselected</result>
16326: </rule-result>
16327: <rule-result idref="rule-3.5.2.10.a" time="2011-06-28T00:42:58" weight="10.000000">
16328: <result>notselected</result>
16329: </rule-result>
16330: <rule-result idref="rule-3.6.1.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16331: <result>notselected</result>
16332: <ident system="http://cce.mitre.org">CCE-4462-8</ident>
16333: </rule-result>
16334: <rule-result idref="rule-3.6.1.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16335: <result>notselected</result>
16336: <ident system="http://cce.mitre.org">CCE-4422-2</ident>
16337: <fix># yum groupremove "X Window System"</fix>
16338: </rule-result>
16339: <rule-result idref="rule-3.6.1.3.2.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16340: <result>notselected</result>
16341: <ident system="http://cce.mitre.org">CCE-4074-1</ident>
16342: <fix>echo "exec X :0 -nolisten tcp $@" > /etc/X11/xinit/xserverrc</fix>
16343: </rule-result>
16344: <rule-result idref="rule-3.6.2.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16345: <result>notselected</result>
16346: <ident system="http://cce.mitre.org">CCE-3717-6</ident>
16347: </rule-result>
16348: <rule-result idref="rule-3.7.1.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16349: <result>notselected</result>
16350: <ident system="http://cce.mitre.org">CCE-4365-3</ident>
16351: <fix># chkconfig avahi-daemon off</fix>
16352: </rule-result>
16353: <rule-result idref="rule-3.7.2.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16354: <result>notselected</result>
16355: <ident system="http://cce.mitre.org">CCE-4136-8</ident>
16356: </rule-result>
16357: <rule-result idref="rule-3.7.2.1.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16358: <result>notselected</result>
16359: <ident system="http://cce.mitre.org">CCE-4409-9</ident>
16360: </rule-result>
16361: <rule-result idref="rule-3.7.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16362: <result>notselected</result>
16363: <ident system="http://cce.mitre.org">CCE-4426-3</ident>
16364: </rule-result>
16365: <rule-result idref="rule-3.7.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16366: <result>notselected</result>
16367: <ident system="http://cce.mitre.org">CCE-4193-9</ident>
16368: </rule-result>
16369: <rule-result idref="rule-3.7.2.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16370: <result>notselected</result>
16371: <ident system="http://cce.mitre.org">CCE-4444-6</ident>
16372: </rule-result>
16373: <rule-result idref="rule-3.7.2.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16374: <result>notselected</result>
16375: <ident system="http://cce.mitre.org">CCE-4352-1</ident>
16376: </rule-result>
16377: <rule-result idref="rule-3.7.2.5.b" time="2011-06-28T00:42:58" weight="10.000000">
16378: <result>notselected</result>
16379: <ident system="http://cce.mitre.org">CCE-4433-9</ident>
16380: </rule-result>
16381: <rule-result idref="rule-3.7.2.5.c" time="2011-06-28T00:42:58" weight="10.000000">
16382: <result>notselected</result>
16383: <ident system="http://cce.mitre.org">CCE-4451-1</ident>
16384: </rule-result>
16385: <rule-result idref="rule-3.7.2.5.d" time="2011-06-28T00:42:58" weight="10.000000">
16386: <result>notselected</result>
16387: <ident system="http://cce.mitre.org">CCE-4341-4</ident>
16388: </rule-result>
16389: <rule-result idref="rule-3.7.2.5.e" time="2011-06-28T00:42:58" weight="10.000000">
16390: <result>notselected</result>
16391: <ident system="http://cce.mitre.org">CCE-4358-8</ident>
16392: </rule-result>
16393: <rule-result idref="rule-3.8.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16394: <result>notselected</result>
16395: <ident system="http://cce.mitre.org">CCE-4112-9</ident>
16396: <fix># chkconfig cups off</fix>
16397: </rule-result>
16398: <rule-result idref="rule-3.8.2.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16399: <result>notselected</result>
16400: <ident system="http://cce.mitre.org">CCE-3649-1</ident>
16401: </rule-result>
16402: <rule-result idref="rule-3.8.2.b" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16403: <result>notselected</result>
16404: </rule-result>
16405: <rule-result idref="rule-3.8.3.1.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16406: <result>notselected</result>
16407: <ident system="http://cce.mitre.org">CCE-4420-6</ident>
16408: </rule-result>
16409: <rule-result idref="rule-3.8.3.1.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16410: <result>notselected</result>
16411: <ident system="http://cce.mitre.org">CCE-4407-3</ident>
16412: </rule-result>
16413: <rule-result idref="rule-3.8.4.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16414: <result>notselected</result>
16415: <ident system="http://cce.mitre.org">CCE-4425-5</ident>
16416: </rule-result>
16417: <rule-result idref="rule-3.9.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16418: <result>notselected</result>
16419: <ident system="http://cce.mitre.org">CCE-4191-3</ident>
16420: </rule-result>
16421: <rule-result idref="rule-3.9.3.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16422: <result>notselected</result>
16423: <ident system="http://cce.mitre.org">CCE-4336-4</ident>
16424: <fix># chkconfig dhcpd off</fix>
16425: </rule-result>
16426: <rule-result idref="rule-3.9.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16427: <result>notselected</result>
16428: <ident system="http://cce.mitre.org">CCE-4464-4</ident>
16429: <fix># yum erase dhcp</fix>
16430: </rule-result>
16431: <rule-result idref="rule-3.9.4.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16432: <result>notselected</result>
16433: <ident system="http://cce.mitre.org">CCE-4257-2</ident>
16434: </rule-result>
16435: <rule-result idref="rule-3.9.4.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16436: <result>notselected</result>
16437: <ident system="http://cce.mitre.org">CCE-4403-2</ident>
16438: </rule-result>
16439: <rule-result idref="rule-3.9.4.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16440: <result>notselected</result>
16441: <ident system="http://cce.mitre.org">CCE-4345-5</ident>
16442: </rule-result>
16443: <rule-result idref="rule-3.9.4.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16444: <result>notselected</result>
16445: <ident system="http://cce.mitre.org">CCE-3724-2</ident>
16446: </rule-result>
16447: <rule-result idref="rule-3.9.4.4.b" time="2011-06-28T00:42:58" weight="10.000000">
16448: <result>notselected</result>
16449: <ident system="http://cce.mitre.org">CCE-4243-2</ident>
16450: </rule-result>
16451: <rule-result idref="rule-3.9.4.4.c" time="2011-06-28T00:42:58" weight="10.000000">
16452: <result>notselected</result>
16453: <ident system="http://cce.mitre.org">CCE-4389-3</ident>
16454: </rule-result>
16455: <rule-result idref="rule-3.9.4.4.d" time="2011-06-28T00:42:58" weight="10.000000">
16456: <result>notselected</result>
16457: <ident system="http://cce.mitre.org">CCE-3913-1</ident>
16458: </rule-result>
16459: <rule-result idref="rule-3.9.4.4.e" time="2011-06-28T00:42:58" weight="10.000000">
16460: <result>notselected</result>
16461: <ident system="http://cce.mitre.org">CCE-4169-9</ident>
16462: </rule-result>
16463: <rule-result idref="rule-3.9.4.4.f" time="2011-06-28T00:42:58" weight="10.000000">
16464: <result>notselected</result>
16465: <ident system="http://cce.mitre.org">CCE-4318-2</ident>
16466: </rule-result>
16467: <rule-result idref="rule-3.9.4.4.g" time="2011-06-28T00:42:58" weight="10.000000">
16468: <result>notselected</result>
16469: <ident system="http://cce.mitre.org">CCE-4319-0</ident>
16470: </rule-result>
16471: <rule-result idref="rule-3.9.4.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16472: <result>notselected</result>
16473: <ident system="http://cce.mitre.org">CCE-3733-3</ident>
16474: </rule-result>
16475: <rule-result idref="rule-3.10.2.2.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16476: <result>notselected</result>
16477: <ident system="http://cce.mitre.org">CCE-4376-0</ident>
16478: <fix># chkconfig ntpd on</fix>
16479: </rule-result>
16480: <rule-result idref="rule-3.10.2.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16481: <result>notselected</result>
16482: <ident system="http://cce.mitre.org">CCE-4134-3</ident>
16483: </rule-result>
16484: <rule-result idref="rule-3.10.2.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16485: <result>notselected</result>
16486: <ident system="http://cce.mitre.org">CCE-4385-1</ident>
16487: </rule-result>
16488: <rule-result idref="rule-3.10.3.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16489: <result>notselected</result>
16490: <ident system="http://cce.mitre.org">CCE-4032-9</ident>
16491: </rule-result>
16492: <rule-result idref="rule-3.10.3.2.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16493: <result>notselected</result>
16494: <ident system="http://cce.mitre.org">CCE-4424-8</ident>
16495: </rule-result>
16496: <rule-result idref="rule-3.10.3.2.2.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16497: <result>notselected</result>
16498: <ident system="http://cce.mitre.org">CCE-3487-6</ident>
16499: </rule-result>
16500: <rule-result idref="rule-3.11.2.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16501: <result>notselected</result>
16502: <ident system="http://cce.mitre.org">CCE-4293-7</ident>
16503: </rule-result>
16504: <rule-result idref="rule-3.12.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16505: <result>notselected</result>
16506: </rule-result>
16507: <rule-result idref="rule-3.12.3.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16508: <result>notselected</result>
16509: <ident system="http://cce.mitre.org">CCE-3501-4</ident>
16510: </rule-result>
16511: <rule-result idref="rule-3.13.1.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16512: <result>notselected</result>
16513: <ident system="http://cce.mitre.org">CCE-4396-8</ident>
16514: </rule-result>
16515: <rule-result idref="rule-3.13.1.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16516: <result>notselected</result>
16517: <ident system="http://cce.mitre.org">CCE-3535-2</ident>
16518: </rule-result>
16519: <rule-result idref="rule-3.13.1.1.c" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16520: <result>notselected</result>
16521: <ident system="http://cce.mitre.org">CCE-3568-3</ident>
16522: </rule-result>
16523: <rule-result idref="rule-3.13.1.2.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16524: <result>notselected</result>
16525: <ident system="http://cce.mitre.org">CCE-4533-6</ident>
16526: </rule-result>
16527: <rule-result idref="rule-3.13.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16528: <result>notselected</result>
16529: <ident system="http://cce.mitre.org">CCE-4559-1</ident>
16530: </rule-result>
16531: <rule-result idref="rule-3.13.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16532: <result>notselected</result>
16533: <ident system="http://cce.mitre.org">CCE-4015-4</ident>
16534: </rule-result>
16535: <rule-result idref="rule-3.13.2.3.c" time="2011-06-28T00:42:58" weight="10.000000">
16536: <result>notselected</result>
16537: <ident system="http://cce.mitre.org">CCE-3667-3</ident>
16538: </rule-result>
16539: <rule-result idref="rule-3.13.2.3.d" time="2011-06-28T00:42:58" weight="10.000000">
16540: <result>notselected</result>
16541: <ident system="http://cce.mitre.org">CCE-4310-9</ident>
16542: </rule-result>
16543: <rule-result idref="rule-3.13.2.3.e" time="2011-06-28T00:42:58" weight="10.000000">
16544: <result>notselected</result>
16545: <ident system="http://cce.mitre.org">CCE-4438-8</ident>
16546: </rule-result>
16547: <rule-result idref="rule-3.13.2.3.f" time="2011-06-28T00:42:58" weight="10.000000">
16548: <result>notselected</result>
16549: <ident system="http://cce.mitre.org">CCE-3579-0</ident>
16550: </rule-result>
16551: <rule-result idref="rule-3.13.3.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16552: <result>notselected</result>
16553: <ident system="http://cce.mitre.org">CCE-4473-5</ident>
16554: </rule-result>
16555: <rule-result idref="rule-3.13.3.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16556: <result>notselected</result>
16557: <ident system="http://cce.mitre.org">CCE-4491-7</ident>
16558: </rule-result>
16559: <rule-result idref="rule-3.13.3.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16560: <result>notselected</result>
16561: <ident system="http://cce.mitre.org">CCE-4368-7</ident>
16562: </rule-result>
16563: <rule-result idref="rule-3.13.3.2.b" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16564: <result>notselected</result>
16565: <ident system="http://cce.mitre.org">CCE-4024-6</ident>
16566: </rule-result>
16567: <rule-result idref="rule-3.13.3.2.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16568: <result>notselected</result>
16569: <ident system="http://cce.mitre.org">CCE-4526-0</ident>
16570: </rule-result>
16571: <rule-result idref="rule-3.13.4.1.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16572: <result>notselected</result>
16573: <ident system="http://cce.mitre.org">CCE-4544-3</ident>
16574: </rule-result>
16575: <rule-result idref="rule-3.13.4.1.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16576: <result>notselected</result>
16577: <ident system="http://cce.mitre.org">CCE-4465-1</ident>
16578: </rule-result>
16579: <rule-result idref="rule-3.13.4.1.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16580: <result>notselected</result>
16581: <ident system="http://cce.mitre.org">CCE-4350-5</ident>
16582: </rule-result>
16583: <rule-result idref="rule-3.14.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16584: <result>notselected</result>
16585: <ident system="http://cce.mitre.org">CCE-3578-2</ident>
16586: </rule-result>
16587: <rule-result idref="rule-3.14.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16588: <result>notselected</result>
16589: <ident system="http://cce.mitre.org">CCE-4219-2</ident>
16590: </rule-result>
16591: <rule-result idref="rule-3.14.3.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16592: <result>notselected</result>
16593: <ident system="http://cce.mitre.org">CCE-3985-9</ident>
16594: </rule-result>
16595: <rule-result idref="rule-3.14.3.2.b" time="2011-06-28T00:42:58" weight="10.000000">
16596: <result>notselected</result>
16597: <ident system="http://cce.mitre.org">CCE-4258-0</ident>
16598: </rule-result>
16599: <rule-result idref="rule-3.14.3.2.c" time="2011-06-28T00:42:58" weight="10.000000">
16600: <result>notselected</result>
16601: <ident system="http://cce.mitre.org">CCE-4487-5</ident>
16602: </rule-result>
16603: <rule-result idref="rule-3.14.4.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16604: <result>notselected</result>
16605: <ident system="http://cce.mitre.org">CCE-4399-2</ident>
16606: </rule-result>
16607: <rule-result idref="rule-3.15.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16608: <result>notselected</result>
16609: <ident system="http://cce.mitre.org">CCE-3919-8</ident>
16610: </rule-result>
16611: <rule-result idref="rule-3.15.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16612: <result>notselected</result>
16613: <ident system="http://cce.mitre.org">CCE-3919-8</ident>
16614: </rule-result>
16615: <rule-result idref="rule-3.15.3.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16616: <result>notselected</result>
16617: <ident system="http://cce.mitre.org">CCE-4549-2</ident>
16618: </rule-result>
16619: <rule-result idref="rule-3.15.3.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16620: <result>notselected</result>
16621: <ident system="http://cce.mitre.org">CCE-4554-2</ident>
16622: </rule-result>
16623: <rule-result idref="rule-3.15.3.3.1.a" time="2011-06-28T00:42:58" severity="high" weight="10.000000">
16624: <result>notselected</result>
16625: <ident system="http://cce.mitre.org">CCE-4443-8</ident>
16626: </rule-result>
16627: <rule-result idref="rule-3.15.3.4.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16628: <result>notselected</result>
16629: <ident system="http://cce.mitre.org">CCE-4461-0</ident>
16630: </rule-result>
16631: <rule-result idref="rule-3.16.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16632: <result>notselected</result>
16633: <ident system="http://cce.mitre.org">CCE-4338-0</ident>
16634: </rule-result>
16635: <rule-result idref="rule-3.16.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16636: <result>notselected</result>
16637: <ident system="http://cce.mitre.org">CCE-4514-6</ident>
16638: </rule-result>
16639: <rule-result idref="rule-3.16.3.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16640: <result>notselected</result>
16641: <ident system="http://cce.mitre.org">CCE-4474-3</ident>
16642: </rule-result>
16643: <rule-result idref="rule-3.16.3.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16644: <result>notselected</result>
16645: <ident system="http://cce.mitre.org">CCE-3756-4</ident>
16646: </rule-result>
16647: <rule-result idref="rule-3.16.5.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16648: <result>notselected</result>
16649: <ident system="http://cce.mitre.org">CCE-4509-6</ident>
16650: </rule-result>
16651: <rule-result idref="rule-3.16.5.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16652: <result>notselected</result>
16653: <ident system="http://cce.mitre.org">CCE-4386-9</ident>
16654: </rule-result>
16655: <rule-result idref="rule-3.16.5.1.c" time="2011-06-28T00:42:58" weight="10.000000">
16656: <result>notselected</result>
16657: <ident system="http://cce.mitre.org">CCE-4029-5</ident>
16658: </rule-result>
16659: <rule-result idref="rule-3.16.5.1.d" time="2011-06-28T00:42:58" weight="10.000000">
16660: <result>notselected</result>
16661: <ident system="http://cce.mitre.org">CCE-3581-6</ident>
16662: </rule-result>
16663: <rule-result idref="rule-3.16.5.1.e" time="2011-06-28T00:42:58" weight="10.000000">
16664: <result>notselected</result>
16665: <ident system="http://cce.mitre.org">CCE-4574-0</ident>
16666: </rule-result>
16667: <rule-result idref="rule-3.17.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16668: <result>notselected</result>
16669: <ident system="http://cce.mitre.org">CCE-3847-1</ident>
16670: </rule-result>
16671: <rule-result idref="rule-3.17.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16672: <result>notselected</result>
16673: <ident system="http://cce.mitre.org">CCE-4239-0</ident>
16674: </rule-result>
16675: <rule-result idref="rule-3.17.2.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16676: <result>notselected</result>
16677: <ident system="http://cce.mitre.org">CCE-4384-4</ident>
16678: </rule-result>
16679: <rule-result idref="rule-3.17.2.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16680: <result>notselected</result>
16681: <ident system="http://cce.mitre.org">CCE-3887-7</ident>
16682: </rule-result>
16683: <rule-result idref="rule-3.17.2.1.c" time="2011-06-28T00:42:58" weight="10.000000">
16684: <result>notselected</result>
16685: <ident system="http://cce.mitre.org">CCE-4530-2</ident>
16686: </rule-result>
16687: <rule-result idref="rule-3.17.2.1.d" time="2011-06-28T00:42:58" weight="10.000000">
16688: <result>notselected</result>
16689: <ident system="http://cce.mitre.org">CCE-4547-6</ident>
16690: </rule-result>
16691: <rule-result idref="rule-3.17.2.2.4.a" time="2011-06-28T00:42:58" weight="10.000000">
16692: <result>notselected</result>
16693: <ident system="http://cce.mitre.org">CCE-4552-6</ident>
16694: </rule-result>
16695: <rule-result idref="rule-3.17.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16696: <result>notselected</result>
16697: <ident system="http://cce.mitre.org">CCE-4371-1</ident>
16698: </rule-result>
16699: <rule-result idref="rule-3.17.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16700: <result>notselected</result>
16701: <ident system="http://cce.mitre.org">CCE-4410-7</ident>
16702: </rule-result>
16703: <rule-result idref="rule-3.18.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16704: <result>notselected</result>
16705: <ident system="http://cce.mitre.org">CCE-4551-8</ident>
16706: </rule-result>
16707: <rule-result idref="rule-3.18.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16708: <result>notselected</result>
16709: </rule-result>
16710: <rule-result idref="rule-3.18.2.10.a" time="2011-06-28T00:42:58" weight="10.000000">
16711: <result>notselected</result>
16712: <ident system="http://cce.mitre.org">CCE-4556-7</ident>
16713: </rule-result>
16714: <rule-result idref="rule-3.18.2.11.a" time="2011-06-28T00:42:58" weight="10.000000">
16715: <result>notselected</result>
16716: <ident system="http://cce.mitre.org">CCE-4556-7</ident>
16717: </rule-result>
16718: <rule-result idref="rule-3.19.1.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16719: <result>notselected</result>
16720: <ident system="http://cce.mitre.org">CCE-4556-7</ident>
16721: </rule-result>
16722: <rule-result idref="rule-3.19.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16723: <result>notselected</result>
16724: <ident system="http://cce.mitre.org">CCE-4076-6</ident>
16725: </rule-result>
16726: <rule-result idref="rule-3.19.2.2.a" time="2011-06-28T00:42:58" weight="10.000000">
16727: <result>notselected</result>
16728: <ident system="http://cce.mitre.org">CCE-4454-5</ident>
16729: </rule-result>
16730: <rule-result idref="rule-3.19.2.2.b" time="2011-06-28T00:42:58" weight="10.000000">
16731: <result>notselected</result>
16732: <ident system="http://cce.mitre.org">CCE-4459-4</ident>
16733: </rule-result>
16734: <rule-result idref="rule-3.19.2.2.c" time="2011-06-28T00:42:58" weight="10.000000">
16735: <result>notselected</result>
16736: <ident system="http://cce.mitre.org">CCE-4503-9</ident>
16737: </rule-result>
16738: <rule-result idref="rule-3.19.2.2.d" time="2011-06-28T00:42:58" weight="10.000000">
16739: <result>notselected</result>
16740: <ident system="http://cce.mitre.org">CCE-4353-9</ident>
16741: </rule-result>
16742: <rule-result idref="rule-3.19.2.2.e" time="2011-06-28T00:42:58" weight="10.000000">
16743: <result>notselected</result>
16744: <ident system="http://cce.mitre.org">CCE-4419-8</ident>
16745: </rule-result>
16746: <rule-result idref="rule-3.19.2.2.f" time="2011-06-28T00:42:58" weight="10.000000">
16747: <result>notselected</result>
16748: <ident system="http://cce.mitre.org">CCE-3692-1</ident>
16749: </rule-result>
16750: <rule-result idref="rule-3.19.2.2.g" time="2011-06-28T00:42:58" weight="10.000000">
16751: <result>notselected</result>
16752: <ident system="http://cce.mitre.org">CCE-4476-8</ident>
16753: </rule-result>
16754: <rule-result idref="rule-3.19.2.2.h" time="2011-06-28T00:42:58" weight="10.000000">
16755: <result>notselected</result>
16756: <ident system="http://cce.mitre.org">CCE-3585-7</ident>
16757: </rule-result>
16758: <rule-result idref="rule-3.19.2.3.a" time="2011-06-28T00:42:58" weight="10.000000">
16759: <result>notselected</result>
16760: <ident system="http://cce.mitre.org">CCE-4344-8</ident>
16761: </rule-result>
16762: <rule-result idref="rule-3.19.2.3.b" time="2011-06-28T00:42:58" weight="10.000000">
16763: <result>notselected</result>
16764: <ident system="http://cce.mitre.org">CCE-4494-1</ident>
16765: </rule-result>
16766: <rule-result idref="rule-3.19.2.3.c" time="2011-06-28T00:42:58" weight="10.000000">
16767: <result>notselected</result>
16768: <ident system="http://cce.mitre.org">CCE-4181-4</ident>
16769: </rule-result>
16770: <rule-result idref="rule-3.19.2.3.d" time="2011-06-28T00:42:58" weight="10.000000">
16771: <result>notselected</result>
16772: <ident system="http://cce.mitre.org">CCE-4577-3</ident>
16773: </rule-result>
16774: <rule-result idref="rule-3.19.2.5.a" time="2011-06-28T00:42:58" weight="10.000000">
16775: <result>notselected</result>
16776: <ident system="http://cce.mitre.org">CCE-4511-2</ident>
16777: </rule-result>
16778: <rule-result idref="rule-3.19.2.5.b" time="2011-06-28T00:42:58" weight="10.000000">
16779: <result>notselected</result>
16780: <ident system="http://cce.mitre.org">CCE-4529-4</ident>
16781: </rule-result>
16782: <rule-result idref="rule-3.19.2.5.c" time="2011-06-28T00:42:58" weight="10.000000">
16783: <result>notselected</result>
16784: <ident system="http://cce.mitre.org">CCE-3610-3</ident>
16785: </rule-result>
16786: <rule-result idref="rule-3.19.2.5.d" time="2011-06-28T00:42:58" weight="10.000000">
16787: <result>notselected</result>
16788: <ident system="http://cce.mitre.org">CCE-4466-9</ident>
16789: </rule-result>
16790: <rule-result idref="rule-3.19.2.5.e" time="2011-06-28T00:42:58" weight="10.000000">
16791: <result>notselected</result>
16792: <ident system="http://cce.mitre.org">CCE-4607-8</ident>
16793: </rule-result>
16794: <rule-result idref="rule-3.19.2.5.f" time="2011-06-28T00:42:58" weight="10.000000">
16795: <result>notselected</result>
16796: <ident system="http://cce.mitre.org">CCE-4255-6</ident>
16797: </rule-result>
16798: <rule-result idref="rule-3.19.2.5.g" time="2011-06-28T00:42:58" weight="10.000000">
16799: <result>notselected</result>
16800: <ident system="http://cce.mitre.org">CCE-4127-7</ident>
16801: </rule-result>
16802: <rule-result idref="rule-3.19.2.5.h" time="2011-06-28T00:42:58" weight="10.000000">
16803: <result>notselected</result>
16804: <ident system="http://cce.mitre.org">CCE-4519-5</ident>
16805: </rule-result>
16806: <rule-result idref="rule-3.19.2.5.i" time="2011-06-28T00:42:58" weight="10.000000">
16807: <result>notselected</result>
16808: <ident system="http://cce.mitre.org">CCE-4413-1</ident>
16809: </rule-result>
16810: <rule-result idref="rule-3.19.2.5.j" time="2011-06-28T00:42:58" weight="10.000000">
16811: <result>notselected</result>
16812: <ident system="http://cce.mitre.org">CCE-4373-7</ident>
16813: </rule-result>
16814: <rule-result idref="rule-3.20.1.a" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16815: <result>notselected</result>
16816: <ident system="http://cce.mitre.org">CCE-3765-5</ident>
16817: </rule-result>
16818: <rule-result idref="rule-3.20.1.b" time="2011-06-28T00:42:58" weight="10.000000">
16819: <result>notselected</result>
16820: <ident system="http://cce.mitre.org">CCE-4404-0</ident>
16821: </rule-result>
16822: <rule-result idref="rule-2.3.3.2.c" time="2011-06-28T00:42:58" severity="medium" weight="10.000000">
16823: <result>notselected</result>
16824: </rule-result>
16825: <rule-result idref="rule-2.4.3.1.a" time="2011-06-28T00:42:58" weight="10.000000">
16826: <result>notselected</result>
16827: <ident system="http://cce.mitre.org">CCE-4148-3</ident>
16828: </rule-result>
16829: <rule-result idref="rule-2.4.3.1.b" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16830: <result>notselected</result>
16831: <ident system="http://cce.mitre.org">CCE-4254-9</ident>
16832: </rule-result>
16833: <rule-result idref="rule-3.11.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16834: <result>notselected</result>
16835: <ident system="http://cce.mitre.org">CCE-4416-4</ident>
16836: </rule-result>
16837: <rule-result idref="rule-3.12.3.7.a" time="2011-06-28T00:42:58" weight="10.000000">
16838: <result>notselected</result>
16839: <ident system="http://cce.mitre.org">CCE-4484-2</ident>
16840: </rule-result>
16841: <rule-result idref="rule-3.12.3.7.b" time="2011-06-28T00:42:58" weight="10.000000">
16842: <result>notselected</result>
16843: <ident system="http://cce.mitre.org">CCE-4502-1</ident>
16844: </rule-result>
16845: <rule-result idref="rule-3.13.1.3.a" time="2011-06-28T00:42:58" severity="low" weight="10.000000">
16846: <result>notselected</result>
16847: <ident system="http://cce.mitre.org">CCE-4550-0</ident>
16848: </rule-result>
16849: <score system="urn:xccdf:scoring:default" maximum="100.000000">7.925666</score>
16850: <score system="urn:xccdf:scoring:flat" maximum="760.000000">680.000000</score>
16851: </TestResult>
16852: </Benchmark>